Play interactive tour

Edit tour

Analysis Report 9cf2c56e_by_Libranalysis

Overview

General Information

Sample Name:	9cf2c56e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID:	405433
MD5:	9cf2c56ef2d9ed4c679013369c6bf4c0
SHA1:	77a2d90daf8ccff12ba036924d49c0d57cfbc89b
SHA256:	ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

9cf2c56e_by_Libranalysis.exe (PID: 5732 cmdline: 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe' MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)

aeevts.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\aeevts\aeevts.exe MD5: 9CF2C56EF2D9ED4C679013369C6BF4C0)

svchost.exe (PID: 6012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3360 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1288 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5448 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4936 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5980 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2416 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1260 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 2000 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 1048 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 6220 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6528 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["47.148.241.179:80", "24.204.47.87:80", "80.86.91.91:8080", "104.236.28.47:8080", "87.106.136.232:8080", "211.63.71.72:8080", "113.52.123.226:7080", "78.101.70.199:443", "76.86.17.1:80", "222.144.13.169:80", "47.155.214.239:80", "181.143.126.170:80", "169.239.182.217:8080", "181.126.70.117:80", "209.137.209.84:443", "207.177.72.129:8080", "37.139.21.175:8080", "149.202.153.252:8080", "108.6.170.195:80", "37.187.72.193:8080", "190.220.19.82:443", "206.81.10.215:8080", "92.222.216.44:8080", "104.131.44.150:8080", "103.86.49.11:8080", "78.186.5.109:443", "62.75.187.192:8080", "76.104.80.47:80", "176.9.43.37:8080", "31.172.240.91:8080", "66.34.201.20:7080", "125.207.127.86:80", "85.152.174.56:80", "78.189.180.107:80", "23.92.16.164:8080", "178.153.176.124:80", "74.208.45.104:8080", "177.239.160.121:80", "47.156.70.145:80", "217.160.182.191:8080", "223.197.185.60:80", "95.213.236.64:8080", "190.143.39.231:80", "173.73.87.96:80", "46.105.131.87:80", "93.147.141.5:443", "105.27.155.182:80", "209.146.22.34:443", "174.53.195.88:80", "59.20.65.102:80", "205.185.117.108:8080", "200.21.90.5:443", "5.32.55.214:80", "95.128.43.213:8080", "108.191.2.72:80", "105.247.123.133:8080", "178.20.74.212:80", "101.100.137.135:80", "210.6.85.121:80", "50.116.86.205:8080", "70.180.35.211:80", "162.241.92.219:8080", "5.196.74.210:8080", "201.173.217.124:443", "91.242.136.103:80", "45.33.49.124:443", "59.103.164.174:80", "47.6.15.79:80", "201.184.105.242:443", "71.222.233.135:443", "24.105.202.216:443", "76.104.80.47:443", "188.0.135.237:80", "60.231.217.199:8080", "31.31.77.83:443", "190.12.119.180:443", "62.138.26.28:8080", "47.153.183.211:80", "71.126.247.90:80", "189.212.199.126:443", "200.116.145.225:443", "139.130.241.252:443", "90.69.145.210:8080", "75.114.235.105:80", "74.130.83.133:80", "24.164.79.147:8080", "190.114.244.182:443", "180.92.239.110:8080", "108.190.109.107:80", "181.13.24.82:80", "74.108.124.180:80", "209.141.54.221:8080", "110.36.217.66:8080", "174.83.116.77:80", "47.155.214.239:443", "85.105.205.77:8080", "179.13.185.19:80", "139.130.242.43:80", "160.16.215.66:8080", "45.55.65.123:8080", "41.60.200.34:80", "88.249.120.205:80", "98.239.119.52:80", "2.237.76.249:80", "87.106.139.101:8080", "121.88.5.176:443", "120.150.246.241:80", "190.146.205.227:8080", "195.244.215.206:80", "68.114.229.171:80", "46.105.131.69:443", "104.236.246.93:8080", "110.44.113.2:80", "60.250.78.22:443", "70.184.9.39:8080", "209.97.168.52:8080", "47.26.155.17:80", "101.187.197.33:443", "115.65.111.148:443", "98.156.206.153:80", "70.127.155.33:80", "65.184.222.119:80", "152.168.248.128:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp	Win32_Trojan_Emotet	unknown	ReversingLabs	0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp	Win32_Trojan_Emotet	unknown	ReversingLabs	0x1c00:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x6cf0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp	Win32_Trojan_Emotet	unknown	ReversingLabs	0x253f:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x762f:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp	Win32_Trojan_Emotet	unknown	ReversingLabs	0x253f:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x762f:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.aeevts.exe.ad053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.aeevts.exe.ad053f.1.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0x1400:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x64f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
4.2.aeevts.exe.ad053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.aeevts.exe.ad053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0x2000:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x70f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack	Win32_Trojan_Emotet	unknown	ReversingLabs	0x2000:$decrypt_resource_v2: 55 8B EC 83 EC 0C 8B 41 04 8B 11 33 C2 53 56 8D 71 04 89 55 FC 8D 58 01 89 45 F8 83 C6 04 F6 C3 ... 0x70f0:$generate_filename_v2: 55 8B EC 81 EC 08 02 00 00 8D 85 F8 FD FF FF 50 6A 00 6A 00 51 6A 00 B9 FC C9 F7 A6 E8 2F B9 FF ...
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 9cf2c56e_by_Libranalysis.exe

Avira: detected

Found malware configuration

Show sources

Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["47.148.241.179:80", "24.204.47.87:80", "80.86.91.91:8080", "104.236.28.47:8080", "87.106.136.232:8080", "211.63.71.72:8080", "113.52.123.226:7080", "78.101.70.199:443", "76.86.17.1:80", "222.144.13.169:80", "47.155.214.239:80", "181.143.126.170:80", "169.239.182.217:8080", "181.126.70.117:80", "209.137.209.84:443", "207.177.72.129:8080", "37.139.21.175:8080", "149.202.153.252:8080", "108.6.170.195:80", "37.187.72.193:8080", "190.220.19.82:443", "206.81.10.215:8080", "92.222.216.44:8080", "104.131.44.150:8080", "103.86.49.11:8080", "78.186.5.109:443", "62.75.187.192:8080", "76.104.80.47:80", "176.9.43.37:8080", "31.172.240.91:8080", "66.34.201.20:7080", "125.207.127.86:80", "85.152.174.56:80", "78.189.180.107:80", "23.92.16.164:8080", "178.153.176.124:80", "74.208.45.104:8080", "177.239.160.121:80", "47.156.70.145:80", "217.160.182.191:8080", "223.197.185.60:80", "95.213.236.64:8080", "190.143.39.231:80", "173.73.87.96:80", "46.105.131.87:80", "93.147.141.5:443", "105.27.155.182:80", "209.146.22.34:443", "174.53.195.88:80", "59.20.65.102:80", "205.185.117.108:8080", "200.21.90.5:443", "5.32.55.214:80", "95.128.43.213:8080", "108.191.2.72:80", "105.247.123.133:8080", "178.20.74.212:80", "101.100.137.135:80", "210.6.85.121:80", "50.116.86.205:8080", "70.180.35.211:80", "162.241.92.219:8080", "5.196.74.210:8080", "201.173.217.124:443", "91.242.136.103:80", "45.33.49.124:443", "59.103.164.174:80", "47.6.15.79:80", "201.184.105.242:443", "71.222.233.135:443", "24.105.202.216:443", "76.104.80.47:443", "188.0.135.237:80", "60.231.217.199:8080", "31.31.77.83:443", "190.12.119.180:443", "62.138.26.28:8080", "47.153.183.211:80", "71.126.247.90:80", "189.212.199.126:443", "200.116.145.225:443", "139.130.241.252:443", "90.69.145.210:8080", "75.114.235.105:80", "74.130.83.133:80", "24.164.79.147:8080", "190.114.244.182:443", "180.92.239.110:8080", "108.190.109.107:80", "181.13.24.82:80", "74.108.124.180:80", "209.141.54.221:8080", "110.36.217.66:8080", "174.83.116.77:80", "47.155.214.239:443", "85.105.205.77:8080", "179.13.185.19:80", "139.130.242.43:80", "160.16.215.66:8080", "45.55.65.123:8080", "41.60.200.34:80", "88.249.120.205:80", "98.239.119.52:80", "2.237.76.249:80", "87.106.139.101:8080", "121.88.5.176:443", "120.150.246.241:80", "190.146.205.227:8080", "195.244.215.206:80", "68.114.229.171:80", "46.105.131.69:443", "104.236.246.93:8080", "110.44.113.2:80", "60.250.78.22:443", "70.184.9.39:8080", "209.97.168.52:8080", "47.26.155.17:80", "101.187.197.33:443", "115.65.111.148:443", "98.156.206.153:80", "70.127.155.33:80", "65.184.222.119:80", "152.168.248.128:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 9cf2c56e_by_Libranalysis.exe

ReversingLabs: Detection: 76%

Source: 9cf2c56e_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source:	Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
Source:	Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0045436A lstrlen,FindFirstFileA,FindClose,	0_2_0045436A
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,	0_2_0044533D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0045436A lstrlen,FindFirstFileA,FindClose,	4_2_0045436A
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,	4_2_0044533D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 211.63.71.72: -> 192.168.2.3:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 47.148.241.179:80
Source: Malware configuration extractor	IPs: 24.204.47.87:80
Source: Malware configuration extractor	IPs: 80.86.91.91:8080
Source: Malware configuration extractor	IPs: 104.236.28.47:8080
Source: Malware configuration extractor	IPs: 87.106.136.232:8080
Source: Malware configuration extractor	IPs: 211.63.71.72:8080
Source: Malware configuration extractor	IPs: 113.52.123.226:7080
Source: Malware configuration extractor	IPs: 78.101.70.199:443
Source: Malware configuration extractor	IPs: 76.86.17.1:80
Source: Malware configuration extractor	IPs: 222.144.13.169:80
Source: Malware configuration extractor	IPs: 47.155.214.239:80
Source: Malware configuration extractor	IPs: 181.143.126.170:80
Source: Malware configuration extractor	IPs: 169.239.182.217:8080
Source: Malware configuration extractor	IPs: 181.126.70.117:80
Source: Malware configuration extractor	IPs: 209.137.209.84:443
Source: Malware configuration extractor	IPs: 207.177.72.129:8080
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 149.202.153.252:8080
Source: Malware configuration extractor	IPs: 108.6.170.195:80
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 190.220.19.82:443
Source: Malware configuration extractor	IPs: 206.81.10.215:8080
Source: Malware configuration extractor	IPs: 92.222.216.44:8080
Source: Malware configuration extractor	IPs: 104.131.44.150:8080
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 78.186.5.109:443
Source: Malware configuration extractor	IPs: 62.75.187.192:8080
Source: Malware configuration extractor	IPs: 76.104.80.47:80
Source: Malware configuration extractor	IPs: 176.9.43.37:8080
Source: Malware configuration extractor	IPs: 31.172.240.91:8080
Source: Malware configuration extractor	IPs: 66.34.201.20:7080
Source: Malware configuration extractor	IPs: 125.207.127.86:80
Source: Malware configuration extractor	IPs: 85.152.174.56:80
Source: Malware configuration extractor	IPs: 78.189.180.107:80
Source: Malware configuration extractor	IPs: 23.92.16.164:8080
Source: Malware configuration extractor	IPs: 178.153.176.124:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 177.239.160.121:80
Source: Malware configuration extractor	IPs: 47.156.70.145:80
Source: Malware configuration extractor	IPs: 217.160.182.191:8080
Source: Malware configuration extractor	IPs: 223.197.185.60:80
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 190.143.39.231:80
Source: Malware configuration extractor	IPs: 173.73.87.96:80
Source: Malware configuration extractor	IPs: 46.105.131.87:80
Source: Malware configuration extractor	IPs: 93.147.141.5:443
Source: Malware configuration extractor	IPs: 105.27.155.182:80
Source: Malware configuration extractor	IPs: 209.146.22.34:443
Source: Malware configuration extractor	IPs: 174.53.195.88:80
Source: Malware configuration extractor	IPs: 59.20.65.102:80
Source: Malware configuration extractor	IPs: 205.185.117.108:8080
Source: Malware configuration extractor	IPs: 200.21.90.5:443
Source: Malware configuration extractor	IPs: 5.32.55.214:80
Source: Malware configuration extractor	IPs: 95.128.43.213:8080
Source: Malware configuration extractor	IPs: 108.191.2.72:80
Source: Malware configuration extractor	IPs: 105.247.123.133:8080
Source: Malware configuration extractor	IPs: 178.20.74.212:80
Source: Malware configuration extractor	IPs: 101.100.137.135:80
Source: Malware configuration extractor	IPs: 210.6.85.121:80
Source: Malware configuration extractor	IPs: 50.116.86.205:8080
Source: Malware configuration extractor	IPs: 70.180.35.211:80
Source: Malware configuration extractor	IPs: 162.241.92.219:8080
Source: Malware configuration extractor	IPs: 5.196.74.210:8080
Source: Malware configuration extractor	IPs: 201.173.217.124:443
Source: Malware configuration extractor	IPs: 91.242.136.103:80
Source: Malware configuration extractor	IPs: 45.33.49.124:443
Source: Malware configuration extractor	IPs: 59.103.164.174:80
Source: Malware configuration extractor	IPs: 47.6.15.79:80
Source: Malware configuration extractor	IPs: 201.184.105.242:443
Source: Malware configuration extractor	IPs: 71.222.233.135:443
Source: Malware configuration extractor	IPs: 24.105.202.216:443
Source: Malware configuration extractor	IPs: 76.104.80.47:443
Source: Malware configuration extractor	IPs: 188.0.135.237:80
Source: Malware configuration extractor	IPs: 60.231.217.199:8080
Source: Malware configuration extractor	IPs: 31.31.77.83:443
Source: Malware configuration extractor	IPs: 190.12.119.180:443
Source: Malware configuration extractor	IPs: 62.138.26.28:8080
Source: Malware configuration extractor	IPs: 47.153.183.211:80
Source: Malware configuration extractor	IPs: 71.126.247.90:80
Source: Malware configuration extractor	IPs: 189.212.199.126:443
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 139.130.241.252:443
Source: Malware configuration extractor	IPs: 90.69.145.210:8080
Source: Malware configuration extractor	IPs: 75.114.235.105:80
Source: Malware configuration extractor	IPs: 74.130.83.133:80
Source: Malware configuration extractor	IPs: 24.164.79.147:8080
Source: Malware configuration extractor	IPs: 190.114.244.182:443
Source: Malware configuration extractor	IPs: 180.92.239.110:8080
Source: Malware configuration extractor	IPs: 108.190.109.107:80
Source: Malware configuration extractor	IPs: 181.13.24.82:80
Source: Malware configuration extractor	IPs: 74.108.124.180:80
Source: Malware configuration extractor	IPs: 209.141.54.221:8080
Source: Malware configuration extractor	IPs: 110.36.217.66:8080
Source: Malware configuration extractor	IPs: 174.83.116.77:80
Source: Malware configuration extractor	IPs: 47.155.214.239:443
Source: Malware configuration extractor	IPs: 85.105.205.77:8080
Source: Malware configuration extractor	IPs: 179.13.185.19:80
Source: Malware configuration extractor	IPs: 139.130.242.43:80
Source: Malware configuration extractor	IPs: 160.16.215.66:8080
Source: Malware configuration extractor	IPs: 45.55.65.123:8080
Source: Malware configuration extractor	IPs: 41.60.200.34:80
Source: Malware configuration extractor	IPs: 88.249.120.205:80
Source: Malware configuration extractor	IPs: 98.239.119.52:80
Source: Malware configuration extractor	IPs: 2.237.76.249:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 121.88.5.176:443
Source: Malware configuration extractor	IPs: 120.150.246.241:80
Source: Malware configuration extractor	IPs: 190.146.205.227:8080
Source: Malware configuration extractor	IPs: 195.244.215.206:80
Source: Malware configuration extractor	IPs: 68.114.229.171:80
Source: Malware configuration extractor	IPs: 46.105.131.69:443
Source: Malware configuration extractor	IPs: 104.236.246.93:8080
Source: Malware configuration extractor	IPs: 110.44.113.2:80
Source: Malware configuration extractor	IPs: 60.250.78.22:443
Source: Malware configuration extractor	IPs: 70.184.9.39:8080
Source: Malware configuration extractor	IPs: 209.97.168.52:8080
Source: Malware configuration extractor	IPs: 47.26.155.17:80
Source: Malware configuration extractor	IPs: 101.187.197.33:443
Source: Malware configuration extractor	IPs: 115.65.111.148:443
Source: Malware configuration extractor	IPs: 98.156.206.153:80
Source: Malware configuration extractor	IPs: 70.127.155.33:80
Source: Malware configuration extractor	IPs: 65.184.222.119:80
Source: Malware configuration extractor	IPs: 152.168.248.128:443

Source: unknown

Network traffic detected: IP country count 28

Source: global traffic	TCP traffic: 192.168.2.3:49729 -> 80.86.91.91:8080
Source: global traffic	TCP traffic: 192.168.2.3:49731 -> 104.236.28.47:8080
Source: global traffic	TCP traffic: 192.168.2.3:49732 -> 87.106.136.232:8080
Source: global traffic	TCP traffic: 192.168.2.3:49733 -> 211.63.71.72:8080
Source: global traffic	TCP traffic: 192.168.2.3:49742 -> 113.52.123.226:7080

Source: Joe Sandbox View

IP Address: 71.126.247.90 71.126.247.90

Source: Joe Sandbox View	ASN Name: VODAFONE-IT-ASNIT VODAFONE-IT-ASNIT
Source: Joe Sandbox View	ASN Name: ASN-TELSTRATelstraCorporationLtdAU ASN-TELSTRATelstraCorporationLtdAU

Source: global traffic	TCP traffic: 192.168.2.3:49720 -> 47.148.241.179:80
Source: global traffic	TCP traffic: 192.168.2.3:49726 -> 24.204.47.87:80
Source: global traffic	TCP traffic: 192.168.2.3:49745 -> 78.101.70.199:443

Source: unknown	TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown	TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown	TCP traffic detected without corresponding DNS query: 47.148.241.179
Source: unknown	TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown	TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown	TCP traffic detected without corresponding DNS query: 24.204.47.87
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.91
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.28.47
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 87.106.136.232
Source: unknown	TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown	TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown	TCP traffic detected without corresponding DNS query: 211.63.71.72
Source: unknown	TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown	TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown	TCP traffic detected without corresponding DNS query: 113.52.123.226
Source: unknown	TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown	TCP traffic detected without corresponding DNS query: 78.101.70.199
Source: unknown	TCP traffic detected without corresponding DNS query: 78.101.70.199

Source: aeevts.exe, 00000004.00000002.470575098.0000000000199000.00000004.00000001.sdmp	String found in binary or memory: http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000007.00000002.475298493.00000235C3C12000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.475253020.00000235C3C00000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.474499079.00000235C3A70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.471916171.00000235BE4AE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enum
Source: svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000002.309958796.0000018A5403A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown

Network traffic detected: HTTP traffic on port 49745 -> 443

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe

Code function: 4_2_0040A270 GetClientRect,DNameNode::DNameNode,IsWindowVisible,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,BitBlt,ReleaseDC,GetSysColor,CreateRectRgn,IsWindowVisible,BitBlt,InvalidateRect,

4_2_0040A270

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_0043824F
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_004287DB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_00460A0B
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_004119D0
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState	0_2_00411CB0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0043824F GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_0043824F
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004287DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	4_2_004287DB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00460A0B ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	4_2_00460A0B
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004119D0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,	4_2_004119D0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00411CB0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState	4_2_00411CB0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00452CFD GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	4_2_00452CFD
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00433411 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,	4_2_00433411
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0045F6EB GetKeyState,GetKeyState,GetKeyState,	4_2_0045F6EB

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet Author: ReversingLabs

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,	0_2_00460294
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00428BEF NtdllDefWindowProc_A,	0_2_00428BEF
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA,	0_2_00425BDB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00460294 NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect,	4_2_00460294
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00428BEF NtdllDefWindowProc_A,	4_2_00428BEF
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00425BDB NtdllDefWindowProc_A,CallWindowProcA,	4_2_00425BDB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0042B3CC __snprintf_s,__snprintf_s,NtdllDefWindowProc_A,	4_2_0042B3CC
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00407480 _strlen,_strlen,GetSysColor,GetClassInfoA,NtdllDefWindowProc_A,LoadCursorA,	4_2_00407480
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0042B625 _memset,NtdllDefWindowProc_A,	4_2_0042B625

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File created: C:\Windows\SysWOW64\aeevts\

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File deleted: C:\Windows\SysWOW64\aeevts\aeevts.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_004680CB	0_2_004680CB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0048813B	0_2_0048813B
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00464300	0_2_00464300
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_004684EB	0_2_004684EB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00484AEB	0_2_00484AEB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00470DCA	0_2_00470DCA
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00481104	0_2_00481104
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0048926D	0_2_0048926D
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0047D4B8	0_2_0047D4B8
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0048623B	0_2_0048623B
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0047238D	0_2_0047238D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004680CB	4_2_004680CB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0048813B	4_2_0048813B
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00464300	4_2_00464300
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004684EB	4_2_004684EB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00484AEB	4_2_00484AEB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00470DCA	4_2_00470DCA
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00481104	4_2_00481104
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0048926D	4_2_0048926D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0047D4B8	4_2_0047D4B8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0048623B	4_2_0048623B
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0047238D	4_2_0047238D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00486428	4_2_00486428
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00476650	4_2_00476650
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00482685	4_2_00482685
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0042A732	4_2_0042A732
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0047A995	4_2_0047A995
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0047AAAB	4_2_0047AAAB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00482BAE	4_2_00482BAE
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0046F038	4_2_0046F038
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004830F0	4_2_004830F0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0046F2AC	4_2_0046F2AC
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00467418	4_2_00467418
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0046F5B6	4_2_0046F5B6
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004678EB	4_2_004678EB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004839C8	4_2_004839C8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00467CBF	4_2_00467CBF

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 00432A34 appears 36 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 00465868 appears 52 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 004737C0 appears 42 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 00436E97 appears 60 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 00465835 appears 270 times
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: String function: 00465A70 appears 91 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: String function: 00436E97 appears 38 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: String function: 00465835 appears 133 times
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: String function: 00465A70 appears 60 times

Source: 9cf2c56e_by_Libranalysis.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218431401.0000000002C60000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.218551333.0000000002D60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 9cf2c56e_by_Libranalysis.exe
Source: 9cf2c56e_by_Libranalysis.exe	Binary or memory string: OriginalFilenameIt's unfortunate that Democrats whomz- vs 9cf2c56e_by_Libranalysis.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 9cf2c56e_by_Libranalysis.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan
Source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Trojan_Emotet tc_detection_name = Emotet, author = ReversingLabs, tc_detection_factor = , tc_detection_type = Trojan

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/8@0/100

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_004204F0 FindResourceA,VirtualAllocExNuma,

0_2_004204F0

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IA8CD3455
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MA8CD3455

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 9cf2c56e_by_Libranalysis.exe

ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe 'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Process created: C:\Windows\SysWOW64\aeevts\aeevts.exe C:\Windows\SysWOW64\aeevts\aeevts.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb source: 9cf2c56e_by_Libranalysis.exe, aeevts.exe
Source:	Binary string: c:\Users\User\Desktop\2005\7.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb@K,CJ source: 9cf2c56e_by_Libranalysis.exe, 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, aeevts.exe, 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_00485724 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00485724

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0046590D push ecx; ret	0_2_00465920
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00465AB5 push ecx; ret	0_2_00465AC8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0046590D push ecx; ret	4_2_00465920
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00465AB5 push ecx; ret	4_2_00465AC8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Executable created and started: C:\Windows\SysWOW64\aeevts\aeevts.exe

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

PE file moved: C:\Windows\SysWOW64\aeevts\aeevts.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File opened: C:\Windows\SysWOW64\aeevts\aeevts.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_004441D1 __EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	0_2_004441D1
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00425251 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00425251
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004441D1 __EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	4_2_004441D1
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00425251 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_00425251
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004226C0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,	4_2_004226C0
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00452DBF IsWindowVisible,IsIconic,	4_2_00452DBF

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 5376

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0045436A lstrlen,FindFirstFileA,FindClose,	0_2_0045436A
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,	0_2_0044533D
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0045436A lstrlen,FindFirstFileA,FindClose,	4_2_0045436A
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0044533D __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,	4_2_0044533D

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_00464ED6 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

0_2_00464ED6

Source: svchost.exe, 00000007.00000002.475482424.00000235C3C64000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.475423789.00000235C3C4E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.471164998.0000023FDCC02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000A.00000002.471272556.0000023FDCC3C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.471232005.0000020490229000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000005.00000002.239794997.00000220A6060000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.302007455.0000021DAF460000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.473348948.0000013D5B940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.336408447.000001D019340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe

Code function: 4_2_004637C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

4_2_004637C4

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

0_2_00485724

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00411960 mov eax, dword ptr fs:[00000030h]		0_2_00411960
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00411960 mov eax, dword ptr fs:[00000030h]		4_2_00411960

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_0046564B GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

0_2_0046564B

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00470940 __decode_pointer,SetUnhandledExceptionFilter,	0_2_00470940
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_0047091E SetUnhandledExceptionFilter,__encode_pointer,	0_2_0047091E
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00475619 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00475619
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00470940 __decode_pointer,SetUnhandledExceptionFilter,	4_2_00470940
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0047091E SetUnhandledExceptionFilter,__encode_pointer,	4_2_0047091E
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00475619 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00475619
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004637C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004637C4
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_004639FB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_004639FB

Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: aeevts.exe, 00000004.00000002.472010147.0000000000ED0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.471273712.000002DB4C860000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_004848E2 cpuid

0_2_004848E2

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	0_2_00480138
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	0_2_004803BC
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_00480680
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetLocaleInfoA,	0_2_00488CDB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	0_2_0047572A
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	0_2_00485918
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	0_2_00485A53
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_00485A8E
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_00485BCB
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetLocaleInfoA,	0_2_00481C9E
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _LcidFromHexString,GetLocaleInfoA,	0_2_00481D80
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_00481E16
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00481E88
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00482058
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00482143
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_0048211A
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_004821E4
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_004821A8
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_0048E259
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	4_2_00480138
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	4_2_004803BC
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	4_2_00480680
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetLocaleInfoA,	4_2_00488CDB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	4_2_0047572A
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	4_2_00485918
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	4_2_00485A53
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_00485A8E
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00485BCB
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetLocaleInfoA,	4_2_00481C9E
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _LcidFromHexString,GetLocaleInfoA,	4_2_00481D80
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_00481E16
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	4_2_00481E88
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_00482058
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_00482143
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _strlen,EnumSystemLocalesA,	4_2_0048211A
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	4_2_004821E4
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_004821A8
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	4_2_0048E259
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	4_2_00437633
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_0047FAA9

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_0047549F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0047549F

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_004788A8 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_004788A8

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe

Code function: 0_2_004501B1 __EH_prolog3_GS,_memset,GetVersionExA,_malloc,_memset,

0_2_004501B1

Source: C:\Windows\SysWOW64\aeevts\aeevts.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000010.00000002.471490786.000002581C83D000.00000004.00000001.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.471637433.000002581C902000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.aeevts.exe.ad053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.aeevts.exe.ad053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe	Code function: 0_2_00431760 CreateBindCtx,	0_2_00431760
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_00431760 CreateBindCtx,	4_2_00431760
Source: C:\Windows\SysWOW64\aeevts\aeevts.exe	Code function: 4_2_0043255B __EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx,	4_2_0043255B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading121	Input Capture1	System Time Discovery2	Remote Services	Screen Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery61	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Application Layer Protocol11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information21	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	System Information Discovery46	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9cf2c56e_by_Libranalysis.exe	77%	ReversingLabs	Win32.Trojan.Emotet
9cf2c56e_by_Libranalysis.exe	100%	Avira	HEUR/AGEN.1125826

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.9cf2c56e_by_Libranalysis.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1127351	Download File
0.2.9cf2c56e_by_Libranalysis.exe.22d053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.aeevts.exe.ad053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.aeevts.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1127351	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000003.309750492.0000018A54040000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/enum	svchost.exe, 00000007.00000002.471916171.00000235BE4AE000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000002.309989689.0000018A54052000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	false		high
http://78.101.70.199/JlOLE9Q3Bv6/9lTzvPK2t/FRV4HWXYeBl1GdoIO8O/2aKa/	aeevts.exe, 00000004.00000002.470575098.0000000000199000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000E.00000003.287944833.0000018A54031000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000007.00000002.474499079.00000235C3A70000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000E.00000002.309978521.0000018A54042000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000E.00000002.309958796.0000018A5403A000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000E.00000002.309998266.0000018A5405C000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000E.00000002.309936623.0000018A54024000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000E.00000003.309670275.0000018A54060000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000E.00000002.309964862.0000018A5403D000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000B.00000002.470888059.0000013D5AC3D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000E.00000003.309715871.0000018A54049000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
93.147.141.5	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
120.150.246.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
210.6.85.121	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
121.88.5.176	unknown	Korea Republic of	10036	CNM-AS-KRDLIVEKR	true
59.103.164.174	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	true
71.222.233.135	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	true
176.9.43.37	unknown	Germany	24940	HETZNER-ASDE	true
60.250.78.22	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
188.0.135.237	unknown	Kazakhstan	35104	KTC-ASKZ	true
71.126.247.90	unknown	United States	701	UUNETUS	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
169.239.182.217	unknown	South Africa	37153	xneeloZA	true
70.180.35.211	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
190.220.19.82	unknown	Argentina	19037	AMXArgentinaSAAR	true
45.33.49.124	unknown	United States	63949	LINODE-APLinodeLLCUS	true
70.184.9.39	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
152.168.248.128	unknown	Argentina	10318	TelecomArgentinaSAAR	true
190.143.39.231	unknown	Colombia	10620	TelmexColombiaSACO	true
74.130.83.133	unknown	United States	10796	TWC-10796-MIDWESTUS	true
47.6.15.79	unknown	United States	20115	CHARTER-20115US	true
173.73.87.96	unknown	United States	701	UUNETUS	true
59.20.65.102	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
205.185.117.108	unknown	United States	53667	PONYNETUS	true
139.130.241.252	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
78.101.70.199	unknown	Qatar	42298	GCC-MPLS-PEERINGGCCMPLSpeeringQA	true
47.153.183.211	unknown	United States	5650	FRONTIER-FRTRUS	true
91.242.136.103	unknown	Spain	48427	VISOVISION-ASES	true
95.128.43.213	unknown	France	41653	AQUARAYFR	true
46.105.131.69	unknown	France	16276	OVHFR	true
60.231.217.199	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
104.131.44.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
68.114.229.171	unknown	United States	20115	CHARTER-20115US	true
24.105.202.216	unknown	United States	32953	MHCV-AS1US	true
65.184.222.119	unknown	United States	11426	TWC-11426-CAROLINASUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
217.160.182.191	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
92.222.216.44	unknown	France	16276	OVHFR	true
105.247.123.133	unknown	South Africa	36994	Vodacom-VBZA	true
24.204.47.87	unknown	United States	12019	NETCOMMUS	true
98.239.119.52	unknown	United States	7922	COMCAST-7922US	true
177.239.160.121	unknown	Mexico	28554	CablemasTelecomunicacionesSAdeCVMX	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
108.6.170.195	unknown	United States	701	UUNETUS	true
139.130.242.43	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
80.86.91.91	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
211.63.71.72	unknown	Korea Republic of	38661	HCLC-AS-KRpurplestonesKR	true
74.108.124.180	unknown	United States	701	UUNETUS	true
31.172.240.91	unknown	United Kingdom	34920	SIMPLY-ROMFORDGB	true
108.190.109.107	unknown	United States	33363	BHN-33363US	true
180.92.239.110	unknown	Bangladesh	9832	ISN-AS-APISNInternetServiceProviderBD	true
179.13.185.19	unknown	Colombia	27831	ColombiaMovilCO	true
101.187.197.33	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
85.152.174.56	unknown	Spain	12946	TELECABLESpainES	true
174.83.116.77	unknown	United States	20115	CHARTER-20115US	true
98.156.206.153	unknown	United States	11427	TWC-11427-TEXASUS	true
66.34.201.20	unknown	United States	54489	CORESPACE-DALUS	true
223.197.185.60	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	true
181.13.24.82	unknown	Argentina	7303	TelecomArgentinaSAAR	true
149.202.153.252	unknown	France	16276	OVHFR	true
46.105.131.87	unknown	France	16276	OVHFR	true
104.236.28.47	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
47.155.214.239	unknown	United States	5650	FRONTIER-FRTRUS	true
189.212.199.126	unknown	Mexico	6503	AxtelSABdeCVMX	true
195.244.215.206	unknown	Gibraltar	8301	GIBTELECOMNETGI	true
206.81.10.215	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
85.105.205.77	unknown	Turkey	9121	TTNETTR	true
41.60.200.34	unknown	Mauritius	30844	LIQUID-ASGB	true
76.86.17.1	unknown	United States	20001	TWC-20001-PACWESTUS	true
5.32.55.214	unknown	United Arab Emirates	15802	DU-AS1AE	true
201.173.217.124	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
47.156.70.145	unknown	United States	5650	FRONTIER-FRTRUS	true
47.148.241.179	unknown	United States	5650	FRONTIER-FRTRUS	true
190.146.205.227	unknown	Colombia	10620	TelmexColombiaSACO	true
160.16.215.66	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
45.55.65.123	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
70.127.155.33	unknown	United States	33363	BHN-33363US	true
174.53.195.88	unknown	United States	7922	COMCAST-7922US	true
115.65.111.148	unknown	Japan	9595	XEPHIONNTT-MECorporationJP	true
209.97.168.52	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
47.26.155.17	unknown	United States	20115	CHARTER-20115US	true
5.196.74.210	unknown	France	16276	OVHFR	true
88.249.120.205	unknown	Turkey	9121	TTNETTR	true
181.143.126.170	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
105.27.155.182	unknown	Mauritius	37100	SEACOM-ASMU	true
162.241.92.219	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
190.12.119.180	unknown	Argentina	11014	CPSAR	true
31.31.77.83	unknown	Czech Republic	197019	WEDOSCZ	true
24.164.79.147	unknown	United States	10796	TWC-10796-MIDWESTUS	true
200.21.90.5	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	true
222.144.13.169	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
181.126.70.117	unknown	Paraguay	23201	TelecelSAPY	true
125.207.127.86	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
75.114.235.105	unknown	United States	33363	BHN-33363US	true
2.237.76.249	unknown	Italy	12874	FASTWEBIT	true
209.137.209.84	unknown	United States	21586	SWKOUS	true
178.153.176.124	unknown	Qatar	42298	GCC-MPLS-PEERINGGCCMPLSpeeringQA	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	405433
Start date:	06.05.2021
Start time:	06:08:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9cf2c56e_by_Libranalysis (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/8@0/100
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 92% Number of executed functions: 20 Number of non-executed functions: 232
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 104.42.151.234, 93.184.220.29, 92.122.145.220, 104.43.193.48, 23.218.208.56, 20.82.209.183, 13.107.4.50, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, Edge-Prod-FRA.env.au.au-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus16.cloudapp.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:09:18	API Interceptor	2x Sleep call for process: svchost.exe modified
06:10:34	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
120.150.246.241	m5wpHJDhIl.exe	Get hash	malicious	Browse	120.150.246.241/K9czcmT3hzV
59.103.164.174	n5hhkdky_exe.exe	Get hash	malicious	Browse	59.103.164.174/zeZ30sx6u6cxuuDrRRH
71.222.233.135	8930500066919696641336649.doc	Get hash	malicious	Browse	71.222.233.135:443/XCnXSEs6/O1gOah4tcPNdbv/zdMbVPP9og9sa/
60.250.78.22	JM5z7TPkX5.exe	Get hash	malicious	Browse
188.0.135.237	AUDIOKSE.exe	Get hash	malicious	Browse
	_000819.exe	Get hash	malicious	Browse
	_000822.exe	Get hash	malicious	Browse
71.126.247.90	http://mail.daw.lk/rainloop/docs/abzbl9903668066esolq17vvf/	Get hash	malicious	Browse	71.126.247.90/UOAEodt5UzLlCQ/0dW69/MxdzEiNUxNue/
71.126.247.90	VJW-020120 SKT-020720.doc	Get hash	malicious	Browse	71.126.247.90/em0StrbgyF1rMGAyHE/irxhN9ps3YEgB9agV/xAhxY/END0L/FVgPFqYg/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VODAFONE-IT-ASNIT	ppc_unpacked	Get hash	malicious	Browse	109.119.90.149
	4JQil8gLKd	Get hash	malicious	Browse	109.114.214.154
	v8iFmF7XPp.dll	Get hash	malicious	Browse	93.146.48.84
	2ojdmC51As.exe	Get hash	malicious	Browse	188.219.31.12
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse	93.146.48.84
	Io8ic2291n.doc	Get hash	malicious	Browse	31.27.59.105
	WUHU95Apq3	Get hash	malicious	Browse	2.43.4.130
	fil1	Get hash	malicious	Browse	31.27.203.58
	1808_2020.doc	Get hash	malicious	Browse	93.149.120.214
	file 0113165085 323975.doc	Get hash	malicious	Browse	93.149.120.214
	Inf 2020_12_30 FPJ6997.doc	Get hash	malicious	Browse	93.149.120.214
	09648_2020.doc	Get hash	malicious	Browse	93.149.120.214
	bijlagen 658.doc	Get hash	malicious	Browse	93.149.120.214
	File 2020 RVT_724564.doc	Get hash	malicious	Browse	93.149.120.214
	sample4.dll	Get hash	malicious	Browse	37.116.152.122
	sample2.dll	Get hash	malicious	Browse	93.149.167.254
	42H3JnmK5y.exe	Get hash	malicious	Browse	2.45.176.233
	fiksat.exe	Get hash	malicious	Browse	37.116.152.122
	7M5xbLL8eO.exe	Get hash	malicious	Browse	2.45.176.233
	d21iCa31cs.exe	Get hash	malicious	Browse	2.45.176.233
ASN-TELSTRATelstraCorporationLtdAU	KnAY2OIPI3	Get hash	malicious	Browse	1.151.13.11
	x86_unpacked	Get hash	malicious	Browse	1.153.223.118
	ppc_unpacked	Get hash	malicious	Browse	1.126.33.34
	rIbyGX66Op	Get hash	malicious	Browse	203.49.228.158
	MGuvcs6Ocz	Get hash	malicious	Browse	139.130.197.234
	4JQil8gLKd	Get hash	malicious	Browse	124.177.182.198
	z3hir.x86	Get hash	malicious	Browse	1.150.156.5
	v8iFmF7XPp.dll	Get hash	malicious	Browse	110.145.101.66
	2ojdmC51As.exe	Get hash	malicious	Browse	110.142.236.207
	3kDM9S0iGA.exe	Get hash	malicious	Browse	124.182.146.41
	networkmanager	Get hash	malicious	Browse	203.46.154.161
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse	110.142.236.207
	kF1JPCXvSq.dll	Get hash	malicious	Browse	144.139.47.206
	oHqMFmPndx.exe	Get hash	malicious	Browse	101.184.48.99
	utox.exe	Get hash	malicious	Browse	1.132.105.157
	SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe	Get hash	malicious	Browse	101.187.176.67
	e5ad48f310b56ceb013a30be125d967e.exe	Get hash	malicious	Browse	139.130.242.43
	fIk5kbvEeK.exe	Get hash	malicious	Browse	139.130.242.43
	xESLg6TBHK.exe	Get hash	malicious	Browse	139.130.242.43
	fNaqLAFUM2.exe	Get hash	malicious	Browse	139.130.242.43

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5952146479015531
Encrypted:	false
SSDEEP:	6:0FV0k1GaD0JOCEfMuaaD0JOCEfMKQmDsS/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0f7GaD0JcaaD0JwQQsitAg/0bjSQJ
MD5:	0F6FD21B4533C3048B9246C0733FA845
SHA1:	BF13D8B9CBDC0273712893539DFEF1F36DCB50E4
SHA-256:	64C532DC365D08E405CFF78F5D877EE2A9FD94BC1B28EBF1C231CA6BA9EE0BF5
SHA-512:	CE3D42A93C38E2335F2AE0B7EFC6B165766283BD2CD4BA74C8F87C6EE3BCDD6365D9E343BC59D68C57C369A32DD16D8E5D1C4AD3A3E279152B9CD89808389CDC
Malicious:	false
Preview:	......:{..(..........yC.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................yC...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x105ec6eb, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09638746104869653
Encrypted:	false
SSDEEP:	12:T0+TelXO4blM6lYsKd0+TelXO4blM6lYsK:oQ6/Q6
MD5:	939CA7367FE39301A850A839C0966BB4
SHA1:	0450CA27131159C79B60FB1C3F69C42BCABBBCBD
SHA-256:	7FC816C68E1934CF7DAE2AC4D23DFF39F4A195DA12886E6C5E5D534B339C7548
SHA-512:	2A1299132CA75E84E21154F5ED90D57DD90653ACF97C10D7532BC0BEF2AE9ADFBF655DDB1D602112BBBC3A1982B3CA3045A491FDC72D4E57B4489BD3CB473819
Malicious:	false
Preview:	.^..... ................e.f.3...w........................&..........w.......yC.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................=i.....yCo.................r.>.....yC.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11153392933833282
Encrypted:	false
SSDEEP:	3:ugmll9Ev3S7DAl/bJdAtiYwll:ujlykDAt4tQ
MD5:	DA520874C490C0C2EFB70948BFF976BA
SHA1:	03D2E41E1F263A944C54678DA0CEFAFF6824A11A
SHA-256:	2CC14C26D7770616EB6DD51CE3B1E841DBF9F00BB5F2EE72D6426E2B66B6C4B5
SHA-512:	F73C423A5056DD851211E8A04191FBCD1B410413A8E194D438F08B3E64C26B0CD5A3C7BE50332A42C574A9003A5C5AB7EEA7114EDCC6274E8B116AEA64FADF3F
Malicious:	false
Preview:	.*.......................................3...w.......yC......w...............w.......w....:O.....w...................r.>.....yC.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10997851866389849
Encrypted:	false
SSDEEP:	12:26qXm/Ey6q9995QLNOy3q3qQ10nMCldimE8eawHjch:26fl68VDLyMCldzE9BHjch
MD5:	F14DF28934C7F9E1E0EBCC368C9B19D7
SHA1:	71B9BF1B8537B5346CCC9936849D1D929982C348
SHA-256:	54EF695C66F237A20429E67DFF77CC6D241BA00E0AD8138BBC431C9398DC10BC
SHA-512:	F34A50359F0EFE1EEA5F2D228D9F44559A2BEE445F5A388F29A1D917DE483C40B9A6D7FDCF7657268DB57DD2BCCE3050B556A43F5DF94EC8CB222BF03BF109B7
Malicious:	false
Preview:	....................................................................................\...8........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}.h.-..... .......{.yB..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....\...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11256005945646773
Encrypted:	false
SSDEEP:	12:OYXm/Ey6q9995QLNw1miM3qQ10nMCldimE8eawHza1miI0:Ul68Z1tMLyMCldzE9BHza1tI0
MD5:	F51ED03CC89897E1FCE7EE4809947FD4
SHA1:	1BF8A0C56AFB8D988647C465564E41C39BD9F900
SHA-256:	CB5C6FF4F886E095565BBED2560A5A3DDB45AB3FF42CCC38661D2691601B8C1D
SHA-512:	CA9FC7E2A70FEE62184B1A30D73E7E4814F43265FC074F341C8FAF4BAE0A2E501C074E42B19D4D2A39E0B64F5F0565BFDDD4FBA3F84621620FC9022C60F0551B
Malicious:	false
Preview:	....................................................................................\.../........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}.h.-..... ......Wt.yB..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....\...........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11245941337902163
Encrypted:	false
SSDEEP:	12:D/STXm/Ey6q9995QLN3w1mK2P3qQ10nMCldimE8eawHza1mKY/:GKl68iw1iPLyMCldzE9BHza10/
MD5:	8BF54ABB25B5325FEC1DA8253831ECFD
SHA1:	F0B58E7FDCD9FFC5335C1C87F45473CDE261B075
SHA-256:	9AEB5C55AA52AF5372F41E1FC9A2787E368A76208E7F54C8F26C3C88B34F6B32
SHA-512:	472326E8D30462FF0036C18530CBEF163D70F5A859B49AB040D2869673323F52892F7C9A87A180488C5CB7460C5B88B3DFCAE8837C0CADB99DECA797793E45B2
Malicious:	false
Preview:	....................................................................................\...<L.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}.h.-..... ......1m.yB..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....\....W......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1519327164727655
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rXZk9+MlWlLehB4yAq7ejCSo:OaqdmuF3rO+kWReH4yJ7MQ
MD5:	5F9AEF3B9D25DA8899C12A0893E2B7F1
SHA1:	629336E7BC2F276EE0222FDA815D95682AB95659
SHA-256:	7271985673CAD32281A84FAC07FE23B8CEBCBFF0D27C23230AAEBC58A396ED4B
SHA-512:	0BF5BA04B81B802DB2714804E0467E5151461EC9DA8649D35EE8E065B8A4134D99B2BA1017FF12FAAD166DA71951BF8B282001D15BD4A05572682BD24CEDEEBD
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .0.6.:.1.0.:.3.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. M.a.y. .. 0.6. .. 2.0.2.1. .0.6.:.1.0.:.3.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.702887312906918
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	9cf2c56e_by_Libranalysis.exe
File size:	429632
MD5:	9cf2c56ef2d9ed4c679013369c6bf4c0
SHA1:	77a2d90daf8ccff12ba036924d49c0d57cfbc89b
SHA256:	ea1025ebfb2cbc8b7ee79006a44c6c036329701015d45f6f3777e58915b83726
SHA512:	824fa156c422176b7f41aeae17fe10ea40bd0cb4337a3093b76b7416add2412d6de606d12b0f50a9de0b68e92456728b4b6e1829f2c2324a667282c73a0e6598
SSDEEP:	12288:wd3HiRnI38fT5bqzqNTrrU2mItW++9AnUZ6:wu88bEO9rU2LtPP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D...%...%...%......%......%...%...'.......%......Z%......b%.......%.......%..Rich.%..........................PE..L...;.=^...

File Icon


Icon Hash:	71b018ccc6577131

Static PE Info

General
Entrypoint:	0x4ce8a0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5E3DBF3B [Fri Feb 7 19:49:15 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e7a9b88f332bb9f5267fa2cb2fef50f5

Entrypoint Preview

Instruction
pushad
mov esi, 00475000h
lea edi, dword ptr [esi-00074000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FD1F4D5DB92h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FD1F4D5DB89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FD1F4D5DB6Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FD1F4D5DB89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FD1F4D5DB71h
jne 00007FD1F4D5DB8Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FD1F4D5DB66h
xor ecx, ecx
sub eax, 03h
jc 00007FD1F4D5DB8Fh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FD1F4D5DBF6h
mov ebp, eax
add ebx, ebx
jne 00007FD1F4D5DB89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007FD1F4D5DB89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007FD1F4D5DBA2h
inc ecx
add ebx, ebx
jne 00007FD1F4D5DB89h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FD1F4D5DB71h
jne 00007FD1F4D5DB8Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FD1F4D5DB66h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FD1F4D5DB91h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007FD1F4D5DB79h
jmp 00007FD1F4D5DAE8h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[LNK] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xdd9a4	0x294	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcf000	0xe9a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xddc38	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xcea3c	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb04dc	0x40	UPX1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x74000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x75000	0x5a000	0x59c00	False	0.962308495822	data	7.73574464577	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xcf000	0xf000	0xee00	False	0.77276457458	data	7.13622388256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
BRESSMON	0xcfb68	0x9f44	data	German	Germany
RT_CURSOR	0xd9ab0	0x134	data	German	Germany
RT_CURSOR	0xd9be8	0xb4	data	German	Germany
RT_CURSOR	0xd9ca0	0x134	AmigaOS bitmap font	German	Germany
RT_CURSOR	0xd9dd8	0x134	data	German	Germany
RT_CURSOR	0xd9f10	0x134	data	German	Germany
RT_CURSOR	0xda048	0x134	data	German	Germany
RT_CURSOR	0xda180	0x134	data	German	Germany
RT_CURSOR	0xda2b8	0x134	data	German	Germany
RT_CURSOR	0xda3f0	0x134	data	German	Germany
RT_CURSOR	0xda528	0x134	data	German	Germany
RT_CURSOR	0xda660	0x134	data	German	Germany
RT_CURSOR	0xda798	0x134	data	German	Germany
RT_CURSOR	0xda8d0	0x134	AmigaOS bitmap font	German	Germany
RT_CURSOR	0xdaa08	0x134	data	German	Germany
RT_CURSOR	0xdab40	0x134	data	German	Germany
RT_CURSOR	0xdac78	0x134	data	German	Germany
RT_BITMAP	0xdadb0	0xb8	data	German	Germany
RT_BITMAP	0xdae6c	0x144	data	German	Germany
RT_ICON	0xdafb4	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 67108992, next used block 3293332676	German	Germany
RT_ICON	0xdb2a0	0x128	GLS_BINARY_LSB_FIRST	German	Germany
RT_DIALOG	0xdb3cc	0xba	data	German	Germany
RT_DIALOG	0xdb48c	0xee	data	German	Germany
RT_DIALOG	0xdb580	0x34	data	German	Germany
RT_STRING	0xdb5b8	0xaa	data	German	Germany
RT_STRING	0xdb668	0x36	data	German	Germany
RT_STRING	0xdb6a4	0x21c	data	German	Germany
RT_STRING	0xdb8c4	0x668	data	German	Germany
RT_STRING	0xdbf30	0x3a6	data	German	Germany
RT_STRING	0xdc2dc	0x3d6	data	German	Germany
RT_STRING	0xdc6b8	0x9c	data	German	Germany
RT_STRING	0xdc758	0x110	data	German	Germany
RT_STRING	0xdc86c	0x12a	data	German	Germany
RT_STRING	0xdc99c	0x65a	data	German	Germany
RT_STRING	0xdcffc	0x2f2	data	German	Germany
RT_STRING	0xdd2f4	0x2a	Hitachi SH big-endian COFF object file, not stripped, 20480 sections, symbol offset=0x65006c00	German	Germany
RT_STRING	0xdd324	0x5c	data	German	Germany
RT_GROUP_CURSOR	0xdd384	0x22	Lotus unknown worksheet or configuration, revision 0x2	German	Germany
RT_GROUP_CURSOR	0xdd3ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd3c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd3dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd3f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd40c	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd424	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd43c	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd454	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd46c	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd484	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd49c	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd4b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd4cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_CURSOR	0xdd4e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany
RT_GROUP_ICON	0xdd4fc	0x22	data	German	Germany
RT_VERSION	0xdd524	0x424	data	German	Germany
RT_MANIFEST	0xdd94c	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegEnumKeyA
comdlg32.dll	GetFileTitleA
GDI32.dll	ArcTo
ole32.dll	OleRun
OLEAUT32.dll	SysFreeString
oledlg.dll
SHELL32.dll	DragFinish
SHLWAPI.dll	PathIsUNCA
USER32.dll	GetDC
WINSPOOL.DRV	OpenPrinterA

Version Infos

Description	Data
LegalCopyright	he Senate Republican investigation into the Bidens
InternalName	he administration told House Democrats
FileVersion	8, 8, 33, 13
CompanyName
LegalTrademarks
ProductName	easury has provided to the Senate committees
ProductVersion	8, 8, 33, 13
FileDescription	Wyden's office is not saying what documents were turned
OriginalFilename	It's unfortunate that Democrats whom
Translation	0x0407 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
05/06/21-06:10:04.894919	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	211.63.71.72	192.168.2.3
05/06/21-06:10:07.900739	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	211.63.71.72	192.168.2.3
05/06/21-06:10:13.918993	ICMP	486	ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited	211.63.71.72	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2021 06:09:10.313368082 CEST	49720	80	192.168.2.3	47.148.241.179
May 6, 2021 06:09:13.319434881 CEST	49720	80	192.168.2.3	47.148.241.179
May 6, 2021 06:09:19.320025921 CEST	49720	80	192.168.2.3	47.148.241.179
May 6, 2021 06:09:32.799273968 CEST	49726	80	192.168.2.3	24.204.47.87
May 6, 2021 06:09:35.883891106 CEST	49726	80	192.168.2.3	24.204.47.87
May 6, 2021 06:09:41.885298967 CEST	49726	80	192.168.2.3	24.204.47.87
May 6, 2021 06:09:55.998558044 CEST	49729	8080	192.168.2.3	80.86.91.91
May 6, 2021 06:09:56.042613983 CEST	8080	49729	80.86.91.91	192.168.2.3
May 6, 2021 06:09:56.557445049 CEST	49729	8080	192.168.2.3	80.86.91.91
May 6, 2021 06:09:56.601542950 CEST	8080	49729	80.86.91.91	192.168.2.3
May 6, 2021 06:09:57.104403973 CEST	49729	8080	192.168.2.3	80.86.91.91
May 6, 2021 06:09:57.150954962 CEST	8080	49729	80.86.91.91	192.168.2.3
May 6, 2021 06:09:59.244982004 CEST	49731	8080	192.168.2.3	104.236.28.47
May 6, 2021 06:09:59.371568918 CEST	8080	49731	104.236.28.47	192.168.2.3
May 6, 2021 06:09:59.885878086 CEST	49731	8080	192.168.2.3	104.236.28.47
May 6, 2021 06:10:00.010428905 CEST	8080	49731	104.236.28.47	192.168.2.3
May 6, 2021 06:10:00.511013031 CEST	49731	8080	192.168.2.3	104.236.28.47
May 6, 2021 06:10:00.635886908 CEST	8080	49731	104.236.28.47	192.168.2.3
May 6, 2021 06:10:02.239794016 CEST	49732	8080	192.168.2.3	87.106.136.232
May 6, 2021 06:10:02.283035040 CEST	8080	49732	87.106.136.232	192.168.2.3
May 6, 2021 06:10:02.792334080 CEST	49732	8080	192.168.2.3	87.106.136.232
May 6, 2021 06:10:02.835707903 CEST	8080	49732	87.106.136.232	192.168.2.3
May 6, 2021 06:10:03.339267969 CEST	49732	8080	192.168.2.3	87.106.136.232
May 6, 2021 06:10:03.382550001 CEST	8080	49732	87.106.136.232	192.168.2.3
May 6, 2021 06:10:04.630796909 CEST	49733	8080	192.168.2.3	211.63.71.72
May 6, 2021 06:10:07.636548996 CEST	49733	8080	192.168.2.3	211.63.71.72
May 6, 2021 06:10:13.652617931 CEST	49733	8080	192.168.2.3	211.63.71.72
May 6, 2021 06:10:27.223115921 CEST	49742	7080	192.168.2.3	113.52.123.226
May 6, 2021 06:10:30.216577053 CEST	49742	7080	192.168.2.3	113.52.123.226
May 6, 2021 06:10:36.232716084 CEST	49742	7080	192.168.2.3	113.52.123.226
May 6, 2021 06:10:50.446994066 CEST	49745	443	192.168.2.3	78.101.70.199
May 6, 2021 06:10:53.452801943 CEST	49745	443	192.168.2.3	78.101.70.199
May 6, 2021 06:10:59.469136000 CEST	49745	443	192.168.2.3	78.101.70.199

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2021 06:08:43.648482084 CEST	49199	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:43.661489964 CEST	50620	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:43.677668095 CEST	53	51281	8.8.8.8	192.168.2.3
May 6, 2021 06:08:43.709163904 CEST	53	49199	8.8.8.8	192.168.2.3
May 6, 2021 06:08:43.721419096 CEST	53	50620	8.8.8.8	192.168.2.3
May 6, 2021 06:08:43.845272064 CEST	64938	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:43.904246092 CEST	53	64938	8.8.8.8	192.168.2.3
May 6, 2021 06:08:45.895320892 CEST	60152	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:45.954001904 CEST	53	60152	8.8.8.8	192.168.2.3
May 6, 2021 06:08:46.713224888 CEST	57544	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:46.775345087 CEST	53	57544	8.8.8.8	192.168.2.3
May 6, 2021 06:08:47.742640018 CEST	55984	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:47.795698881 CEST	53	55984	8.8.8.8	192.168.2.3
May 6, 2021 06:08:49.039964914 CEST	64185	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:49.090310097 CEST	53	64185	8.8.8.8	192.168.2.3
May 6, 2021 06:08:51.417107105 CEST	65110	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:51.466041088 CEST	53	65110	8.8.8.8	192.168.2.3
May 6, 2021 06:08:52.808597088 CEST	58361	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:52.860326052 CEST	53	58361	8.8.8.8	192.168.2.3
May 6, 2021 06:08:54.190702915 CEST	63492	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:54.239727974 CEST	53	63492	8.8.8.8	192.168.2.3
May 6, 2021 06:08:55.342299938 CEST	60831	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:55.395782948 CEST	53	60831	8.8.8.8	192.168.2.3
May 6, 2021 06:08:56.257246971 CEST	60100	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:56.317956924 CEST	53	60100	8.8.8.8	192.168.2.3
May 6, 2021 06:08:57.564135075 CEST	53195	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:57.626063108 CEST	53	53195	8.8.8.8	192.168.2.3
May 6, 2021 06:08:59.458223104 CEST	50141	53	192.168.2.3	8.8.8.8
May 6, 2021 06:08:59.506890059 CEST	53	50141	8.8.8.8	192.168.2.3
May 6, 2021 06:09:00.587193966 CEST	53023	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:00.640106916 CEST	53	53023	8.8.8.8	192.168.2.3
May 6, 2021 06:09:01.794179916 CEST	49563	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:01.844228029 CEST	53	49563	8.8.8.8	192.168.2.3
May 6, 2021 06:09:02.796205044 CEST	51352	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:02.844795942 CEST	53	51352	8.8.8.8	192.168.2.3
May 6, 2021 06:09:03.696526051 CEST	59349	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:03.747992992 CEST	53	59349	8.8.8.8	192.168.2.3
May 6, 2021 06:09:04.592780113 CEST	57084	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:04.644337893 CEST	53	57084	8.8.8.8	192.168.2.3
May 6, 2021 06:09:05.526129961 CEST	58823	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:05.577703953 CEST	53	58823	8.8.8.8	192.168.2.3
May 6, 2021 06:09:06.735541105 CEST	57568	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:06.784509897 CEST	53	57568	8.8.8.8	192.168.2.3
May 6, 2021 06:09:21.605896950 CEST	50540	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:21.664710045 CEST	53	50540	8.8.8.8	192.168.2.3
May 6, 2021 06:09:23.747514963 CEST	54366	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:23.826237917 CEST	53	54366	8.8.8.8	192.168.2.3
May 6, 2021 06:09:40.153147936 CEST	53034	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:40.203900099 CEST	53	53034	8.8.8.8	192.168.2.3
May 6, 2021 06:09:49.365027905 CEST	57762	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:49.423904896 CEST	53	57762	8.8.8.8	192.168.2.3
May 6, 2021 06:09:57.568806887 CEST	55435	53	192.168.2.3	8.8.8.8
May 6, 2021 06:09:57.642674923 CEST	53	55435	8.8.8.8	192.168.2.3
May 6, 2021 06:10:07.521384954 CEST	50713	53	192.168.2.3	8.8.8.8
May 6, 2021 06:10:07.578579903 CEST	53	50713	8.8.8.8	192.168.2.3
May 6, 2021 06:10:12.188858032 CEST	56132	53	192.168.2.3	8.8.8.8
May 6, 2021 06:10:12.253554106 CEST	53	56132	8.8.8.8	192.168.2.3
May 6, 2021 06:10:42.984541893 CEST	58987	53	192.168.2.3	8.8.8.8
May 6, 2021 06:10:43.054387093 CEST	53	58987	8.8.8.8	192.168.2.3
May 6, 2021 06:10:44.906478882 CEST	56579	53	192.168.2.3	8.8.8.8
May 6, 2021 06:10:44.978080988 CEST	53	56579	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
May 6, 2021 06:10:04.894918919 CEST	211.63.71.72	192.168.2.3	da4f	(Unknown)	Destination Unreachable
May 6, 2021 06:10:07.900738955 CEST	211.63.71.72	192.168.2.3	da4f	(Unknown)	Destination Unreachable
May 6, 2021 06:10:13.918992996 CEST	211.63.71.72	192.168.2.3	da4f	(Unknown)	Destination Unreachable

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 9cf2c56e_by_Libranalysis.exe PID: 5732 Parent PID: 5608

General

Start time:	06:08:52
Start date:	06/05/2021
Path:	C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\9cf2c56e_by_Libranalysis.exe'
Imagebase:	0x400000
File size:	429632 bytes
MD5 hash:	9CF2C56EF2D9ED4C679013369C6BF4C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, Author: Joe Security Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000000.00000002.217998392.00000000022E1000.00000020.00000001.sdmp, Author: ReversingLabs Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000000.00000002.217986642.00000000022D0000.00000040.00000001.sdmp, Author: ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: aeevts.exe PID: 6096 Parent PID: 5732

General

Start time:	06:08:59
Start date:	06/05/2021
Path:	C:\Windows\SysWOW64\aeevts\aeevts.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\aeevts\aeevts.exe
Imagebase:	0x400000
File size:	429632 bytes
MD5 hash:	9CF2C56EF2D9ED4C679013369C6BF4C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, Author: Joe Security Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000004.00000002.471904242.0000000000AE1000.00000020.00000001.sdmp, Author: ReversingLabs Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Win32_Trojan_Emotet, Description: unknown, Source: 00000004.00000002.471824961.0000000000AD0000.00000040.00000001.sdmp, Author: ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6012 Parent PID: 568

General

Start time:	06:09:03
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3360 Parent PID: 568

General

Start time:	06:09:18
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1288 Parent PID: 568

General

Start time:	06:09:29
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5448 Parent PID: 568

General

Start time:	06:09:29
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4936 Parent PID: 568

General

Start time:	06:09:30
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5980 Parent PID: 568

General

Start time:	06:09:30
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2416 Parent PID: 568

General

Start time:	06:09:31
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1260 Parent PID: 568

General

Start time:	06:09:31
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 2000 Parent PID: 568

General

Start time:	06:09:32
Start date:	06/05/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6edd60000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1048 Parent PID: 568

General

Start time:	06:09:32
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6528 Parent PID: 568

General

Start time:	06:09:48
Start date:	06/05/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 6220 Parent PID: 1048

General

Start time:	06:10:33
Start date:	06/05/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff7640f0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6244 Parent PID: 6220

General

Start time:	06:10:34
Start date:	06/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 9cf2c56e_by_Libranalysis.exe PID: 5732 Parent PID: 5608 9cf2c56e_by_Libranalysis.exeCOMMON

Executed Functions

Function 004204F0, Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004203C0: RegOpenKeyExW.KERNELBASE(80000001,00020019,00000000,00020019,?,FBEF3A85), ref: 0042041B

Part of subcall function 00420BF0: _memcpy_s.LIBCMT ref: 00420C40

Part of subcall function 00420AB0: _memcpy_s.LIBCMT ref: 00420B9B

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CC0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CD8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CF0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D00
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D08
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D10
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D18
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D20
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D28
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D30
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D38
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D40
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D48
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D50
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D58
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D60
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D68
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D70
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D78
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D80
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D88
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D90
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D98
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DA0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DA8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DB0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DC0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DC8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DD8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DE0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DF0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DF8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E00
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E08
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E10
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E18
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E20
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E28
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E30

Part of subcall function 004202B0: _strlen.LIBCMT ref: 00420362

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E38
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E40
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E48
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E50
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E58
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E60
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E68
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E70
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E78
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E80
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E88
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E90
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E98
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EA0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EA8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EB0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EB8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EC0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411ED0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411ED8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EE8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EF0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F00
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F08
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F10
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F18
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F20
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F28
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F30
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F38
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F40
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F48
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F50
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F58
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F60
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F68
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F70
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F78
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F80
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F88
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F90
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F98
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FA0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FA8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FB0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FC0

Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FD8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FF0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412000
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412008
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412010
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412018
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412020
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412028
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412030
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412038
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412040
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412048
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412050
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412058
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412060
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412068
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412070
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412078
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412080
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412088
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412090
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412098
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120B0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120C8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120E0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120F8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412100
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412108
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412110
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412118
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412120
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412128
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412130
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412138
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412140
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412148
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412150

Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412158
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412160
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412168
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412170
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412178
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412180
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412188
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412190
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412198
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121A0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121B8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121D0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121E8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412200
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412208
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412210
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412218
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412220
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412228
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412230
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412238
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412240
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412248
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412250
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412258
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412260
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412268
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412270
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412278
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412280
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412288
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412290
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412298
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122A8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122C0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122D8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122E0

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122F0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412300
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412308
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412310
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412318
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412320
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412328
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412330
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412338
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412340
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412348
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412350
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412358
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412360
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412368
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412370
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412378
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412380
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412388
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412390
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412398
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123B0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123C8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123E0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123F8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412400
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412408
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412410
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412418
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412420
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412428
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412430
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412438
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412440
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412448
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412450
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412458
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412460
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412468
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412470

Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412478
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412480
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412488
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412490
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412498
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124A0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124B8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124D0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124E8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412500
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412508
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412510
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412518
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412520
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412528
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412530
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412538
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412540
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412548
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412550
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412558
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412560
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412568
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412570
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412578
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412580
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412588
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412590
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412598
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125A8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125C0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125D8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125F0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412600

FindResourceA.KERNEL32(00000000,00051A74,BRESSMON), ref: 00420858
VirtualAllocExNuma.KERNELBASE(00000000), ref: 004208AB

Part of subcall function 004119D0: GetKeyState.USER32(0000002D), ref: 00411B64
Part of subcall function 004119D0: GetKeyState.USER32(0000000D), ref: 00411B6C
Part of subcall function 004119D0: GetKeyState.USER32(00000027), ref: 00411B74
Part of subcall function 004119D0: GetKeyState.USER32(0000002D), ref: 00411B7C

Part of subcall function 00421300: LoadIconA.USER32(0042091A,00000080), ref: 004213BE

Part of subcall function 0043423D: __EH_prolog3_catch.LIBCMT ref: 00434244
Part of subcall function 0043423D: FindResourceA.KERNEL32(?,?,00000005), ref: 00434277
Part of subcall function 0043423D: LoadResource.KERNEL32(?,00000000), ref: 0043427F
Part of subcall function 0043423D: LockResource.KERNEL32(628467F9,00000024,00420938,00000000), ref: 00434290

Strings

8jI, xrefs: 004206DE, 004208E3
^", xrefs: 00420559
QO, xrefs: 00420574
@lI, xrefs: 00420784, 004207A6, 004207CB, 004207F0, 00420812, 00420831, 0042078A, 004207AC, 004207D1, 004207F6, 00420818, 00420837
BRESSMON, xrefs: 0042084C
KERNEL32.DLL, xrefs: 0042057B
Fuck Sophos, xrefs: 0042053B
Console, xrefs: 00420524

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State$Resource$FindLoad_memcpy_s$AllocH_prolog3_catchIconLockNumaOpenVirtual_strlen
String ID: 8jI$@lI$BRESSMON$Console$Fuck Sophos$KERNEL32.DLL$QO$^"
API String ID: 627226005-3970943249
Opcode ID: f22c9730643b7756b3a20709b895979a51cb8869e764964b83260d751c7d8538
Instruction ID: 28d8c610258704822d2c56de676a98e4425bfe340b7e3afdb808a948f0630b27
Opcode Fuzzy Hash: f22c9730643b7756b3a20709b895979a51cb8869e764964b83260d751c7d8538
Instruction Fuzzy Hash: 37C14DB0D402289FDB24DF64DC5ABDEBBB4BB44304F1041EAE508A7292DB755B84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00450942, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00450985
PathFindExtensionA.KERNELBASE(?), ref: 0045099F
__strdup.LIBCMT ref: 004509E1
__strdup.LIBCMT ref: 00450A1A
__strdup.LIBCMT ref: 00450A5E
_strcat_s.LIBCMT ref: 00450A84
__strdup.LIBCMT ref: 00450A96

Strings

.CHM, xrefs: 00450A3F
.INI, xrefs: 00450A77
.HLP, xrefs: 00450A46

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
String ID: .CHM$.HLP$.INI
API String ID: 1153805871-4017452060
Opcode ID: 57dafd0c2345ca13c716e483e5e28e98ad2bcfdff3d937972c125f05c621c4c4
Instruction ID: e152d328a9782d2fbb0655f3a93d4856c3c47a001cb3f732594ca68d6527186b
Opcode Fuzzy Hash: 57dafd0c2345ca13c716e483e5e28e98ad2bcfdff3d937972c125f05c621c4c4
Instruction Fuzzy Hash: 01415FB55003089FEB30EF66CC85B9B77E8BF14305F00482BE945D6242EB78E948CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0043ABF3, Relevance: 16.6, APIs: 11, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004B92A4), ref: 0043AC02
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004B9288,0043B058,00000004,00436EA6,004263DA,00436F0F,0042819F,00000000,0042820B,00000001), ref: 0043AC58
GlobalHandle.KERNEL32(0060E448), ref: 0043AC61
GlobalUnWire.KERNEL32(00000000), ref: 0043AC6A
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0043AC81
GlobalHandle.KERNEL32(0060E448), ref: 0043AC93
GlobalFix.KERNEL32(00000000), ref: 0043AC9A
RtlLeaveCriticalSection.NTDLL(?), ref: 0043ACA4
GlobalFix.KERNEL32(00000000), ref: 0043ACB0
_memset.LIBCMT ref: 0043ACC9
RtlLeaveCriticalSection.NTDLL(?), ref: 0043ACF5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeave$EnterWire_memset
String ID:
API String ID: 9613507-0
Opcode ID: 60a6bd20c22d4e19049fde06165cdbf6700089dc543a5a62e2ed017185475871
Instruction ID: e2acf13cf94ea486f614e5ab0777da4e905886f84245dce22b7c56829da3bc2b
Opcode Fuzzy Hash: 60a6bd20c22d4e19049fde06165cdbf6700089dc543a5a62e2ed017185475871
Instruction Fuzzy Hash: B531A931240B04AFD7259F34DC48A2AB7E8FB58345F20692FF992C7651EB78F8148B19

Uniqueness

Uniqueness Score: -1.00%

Function 00450AC1, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000), ref: 00450ACA
SetErrorMode.KERNELBASE(00000000), ref: 00450AD2

Part of subcall function 004362AE: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004362EF
Part of subcall function 004362AE: SetLastError.KERNEL32(0000006F), ref: 00436309

GetModuleHandleA.KERNEL32(user32.dll), ref: 00450B24
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450B34

Part of subcall function 00450942: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00450985
Part of subcall function 00450942: PathFindExtensionA.KERNELBASE(?), ref: 0045099F
Part of subcall function 00450942: __strdup.LIBCMT ref: 004509E1

Strings

NotifyWinEvent, xrefs: 00450B2E
user32.dll, xrefs: 00450B1F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
String ID: NotifyWinEvent$user32.dll
API String ID: 2454351968-597752486
Opcode ID: ec34f68550c7bab1aabb0d8ef77cb10f4a69e5d165261d1c4140b0de9de310a8
Instruction ID: 846f55b9a043e0f090bf512711f9740b481fa0ef53553220280576750a1f20e4
Opcode Fuzzy Hash: ec34f68550c7bab1aabb0d8ef77cb10f4a69e5d165261d1c4140b0de9de310a8
Instruction Fuzzy Hash: 84017CB4A102115FCB50EF75C84AA1A3BE8AF58715F16846FB44487262CB38D848CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0043C8BF, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0043C8CC
GetSystemMetrics.USER32(0000000C), ref: 0043C8D3
GetSystemMetrics.USER32(00000002), ref: 0043C8DA
GetSystemMetrics.USER32(00000003), ref: 0043C8E4
72E6AC50.USER32(00000000,?,?,?,00429CEF), ref: 0043C8EE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$CallbackDispatcherUser
String ID:
API String ID: 4241121291-0
Opcode ID: 97191096b00d77558c05f8ff526960d5c2c821391b050ff4e16237b8a0a0d0c5
Instruction ID: 8f4a2c6853b47d531706ec53ad1d093e90908563051e19cdb58132eaef453e8b
Opcode Fuzzy Hash: 97191096b00d77558c05f8ff526960d5c2c821391b050ff4e16237b8a0a0d0c5
Instruction Fuzzy Hash: 43F01D71A40B04AFE7206BB19C4AF277BB4EB91B11F11497AE6418B2D0D6B598018F54

Uniqueness

Uniqueness Score: -1.00%

Function 004370B4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004B4E6C,00000000,00000001,?), ref: 004370F7
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00437117
RegCloseKey.ADVAPI32(?), ref: 0043715B

Strings

lNK, xrefs: 004370DD

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: lNK
API String ID: 3677997916-829952453
Opcode ID: 926f0717ac76e5b8c098fe0a98bef25dbc97c5dafafaab7653eebb67bd9faf12
Instruction ID: 9327fd2eab7472b8b4679cac3d111e8646d149e96cec5fba28668fa16a9c5724
Opcode Fuzzy Hash: 926f0717ac76e5b8c098fe0a98bef25dbc97c5dafafaab7653eebb67bd9faf12
Instruction Fuzzy Hash: C02137B2D04208EFDF25CF85C885AAEFBB8FF94301F2050ABE481A6310D3749A40DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004362AE, Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 004361D1: GetModuleHandleA.KERNEL32(KERNEL32), ref: 004361DF

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004362EF
SetLastError.KERNEL32(0000006F), ref: 00436309

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Module$ErrorFileHandleLastName
String ID:
API String ID: 613274587-0
Opcode ID: 203ae505bdb90cc8074560aa833afbacde3b547578d442adef1d2979f8b38998
Instruction ID: 5e2a219e443b85b366c628ed7903ebaf8665594a45b56253709aff8edcfd3d58
Opcode Fuzzy Hash: 203ae505bdb90cc8074560aa833afbacde3b547578d442adef1d2979f8b38998
Instruction Fuzzy Hash: F1214F719003099EDB70EFA9D8447EFB7B8BB09318F11822EE8699A1C1DB785548CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0047364E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00465721,00000001), ref: 0047365F
HeapDestroy.KERNEL32 ref: 00473695

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 853fb3dd6d985ecc2da1b0663cf20fc8c480ebd2d1f2776c26351d468cdbf7d1
Instruction ID: 5a6bd0caa0af8c9ba51958b858ecb0b934c87a70ea17b92affc1d19ef66e5c48
Opcode Fuzzy Hash: 853fb3dd6d985ecc2da1b0663cf20fc8c480ebd2d1f2776c26351d468cdbf7d1
Instruction Fuzzy Hash: E0E06DB0612301AFEB615F319C097BA7694EB5274BF10893BF105C43A0EBA98A51FB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0043871A, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043872D
SetWindowsHookExA.USER32(000000FF,Function_00038586,00000000,00000000), ref: 0043873D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 6c76bb69da60c37322477c080248d22df1013da82aa6d5a40da6090b00ecc20d
Instruction ID: 58e7bcf6d398a9cd06a5f60b95b17d72379c8291a62482560945d420e8dc7bc2
Opcode Fuzzy Hash: 6c76bb69da60c37322477c080248d22df1013da82aa6d5a40da6090b00ecc20d
Instruction Fuzzy Hash: 10D05E718056183EEB212B706C0DB5A7A904B1C360F25536BF410921D1CA6848404B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004203C0, Relevance: 1.6, APIs: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00020019,00000000,00020019,?,FBEF3A85), ref: 0042041B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8902ab82161f437cd902d8d2e6cf86e3b96349bb478a030790a9ad83640b92f3
Instruction ID: 9378b56a913bf7dc4b63e55889d6f8b93d445e0b68a24e78eaa85000958afa91
Opcode Fuzzy Hash: 8902ab82161f437cd902d8d2e6cf86e3b96349bb478a030790a9ad83640b92f3
Instruction Fuzzy Hash: 6211C170A04248EFDB10DF94D841BEEBBB0EB04724F10821AF9256B3C2C7B95605CB95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00411CB0, Relevance: 12868.5, APIs: 7344, Strings: 1, Instructions: 14729keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(0000002D), ref: 00411CB8
GetKeyState.USER32(0000000D), ref: 00411CC0
GetKeyState.USER32(00000027), ref: 00411CC8
GetKeyState.USER32(0000002D), ref: 00411CD0
GetKeyState.USER32(0000000D), ref: 00411CD8
GetKeyState.USER32(00000027), ref: 00411CE0
GetKeyState.USER32(0000002D), ref: 00411CE8
GetKeyState.USER32(0000000D), ref: 00411CF0
GetKeyState.USER32(00000027), ref: 00411CF8
GetKeyState.USER32(0000002D), ref: 00411D00
GetKeyState.USER32(0000000D), ref: 00411D08
GetKeyState.USER32(00000027), ref: 00411D10
GetKeyState.USER32(0000002D), ref: 00411D18
GetKeyState.USER32(0000000D), ref: 00411D20
GetKeyState.USER32(00000027), ref: 00411D28
GetKeyState.USER32(0000002D), ref: 00411D30
GetKeyState.USER32(0000000D), ref: 00411D38
GetKeyState.USER32(00000027), ref: 00411D40
GetKeyState.USER32(0000002D), ref: 00411D48
GetKeyState.USER32(0000000D), ref: 00411D50
GetKeyState.USER32(00000027), ref: 00411D58
GetKeyState.USER32(0000002D), ref: 00411D60
GetKeyState.USER32(0000000D), ref: 00411D68
GetKeyState.USER32(00000027), ref: 00411D70
GetKeyState.USER32(0000002D), ref: 00411D78
GetKeyState.USER32(0000000D), ref: 00411D80
GetKeyState.USER32(00000027), ref: 00411D88
GetKeyState.USER32(0000002D), ref: 00411D90
GetKeyState.USER32(0000000D), ref: 00411D98
GetKeyState.USER32(00000027), ref: 00411DA0
GetKeyState.USER32(0000002D), ref: 00411DA8
GetKeyState.USER32(0000000D), ref: 00411DB0
GetKeyState.USER32(00000027), ref: 00411DB8
GetKeyState.USER32(0000002D), ref: 00411DC0
GetKeyState.USER32(0000000D), ref: 00411DC8
GetKeyState.USER32(00000027), ref: 00411DD0
GetKeyState.USER32(0000002D), ref: 00411DD8
GetKeyState.USER32(0000000D), ref: 00411DE0
GetKeyState.USER32(00000027), ref: 00411DE8
GetKeyState.USER32(0000002D), ref: 00411DF0
GetKeyState.USER32(0000000D), ref: 00411DF8
GetKeyState.USER32(00000027), ref: 00411E00
GetKeyState.USER32(0000002D), ref: 00411E08
GetKeyState.USER32(0000000D), ref: 00411E10
GetKeyState.USER32(00000027), ref: 00411E18
GetKeyState.USER32(0000002D), ref: 00411E20
GetKeyState.USER32(0000000D), ref: 00411E28
GetKeyState.USER32(00000027), ref: 00411E30
GetKeyState.USER32(0000002D), ref: 00411E38
GetKeyState.USER32(0000000D), ref: 00411E40
GetKeyState.USER32(00000027), ref: 00411E48
GetKeyState.USER32(0000002D), ref: 00411E50
GetKeyState.USER32(0000000D), ref: 00411E58
GetKeyState.USER32(00000027), ref: 00411E60
GetKeyState.USER32(0000002D), ref: 00411E68
GetKeyState.USER32(0000000D), ref: 00411E70
GetKeyState.USER32(00000027), ref: 00411E78
GetKeyState.USER32(0000002D), ref: 00411E80
GetKeyState.USER32(0000000D), ref: 00411E88
GetKeyState.USER32(00000027), ref: 00411E90
GetKeyState.USER32(0000002D), ref: 00411E98
GetKeyState.USER32(0000000D), ref: 00411EA0
GetKeyState.USER32(00000027), ref: 00411EA8
GetKeyState.USER32(0000002D), ref: 00411EB0
GetKeyState.USER32(0000000D), ref: 00411EB8
GetKeyState.USER32(00000027), ref: 00411EC0
GetKeyState.USER32(0000002D), ref: 00411EC8
GetKeyState.USER32(0000000D), ref: 00411ED0
GetKeyState.USER32(00000027), ref: 00411ED8
GetKeyState.USER32(0000002D), ref: 00411EE0
GetKeyState.USER32(0000000D), ref: 00411EE8
GetKeyState.USER32(00000027), ref: 00411EF0
GetKeyState.USER32(0000002D), ref: 00411EF8
GetKeyState.USER32(0000000D), ref: 00411F00
GetKeyState.USER32(00000027), ref: 00411F08
GetKeyState.USER32(0000002D), ref: 00411F10
GetKeyState.USER32(0000000D), ref: 00411F18
GetKeyState.USER32(00000027), ref: 00411F20
GetKeyState.USER32(0000002D), ref: 00411F28
GetKeyState.USER32(0000000D), ref: 00411F30
GetKeyState.USER32(00000027), ref: 00411F38
GetKeyState.USER32(0000002D), ref: 00411F40
GetKeyState.USER32(0000000D), ref: 00411F48
GetKeyState.USER32(00000027), ref: 00411F50
GetKeyState.USER32(0000002D), ref: 00411F58
GetKeyState.USER32(0000000D), ref: 00411F60
GetKeyState.USER32(00000027), ref: 00411F68
GetKeyState.USER32(0000002D), ref: 00411F70
GetKeyState.USER32(0000000D), ref: 00411F78
GetKeyState.USER32(00000027), ref: 00411F80
GetKeyState.USER32(0000002D), ref: 00411F88
GetKeyState.USER32(0000000D), ref: 00411F90
GetKeyState.USER32(00000027), ref: 00411F98
GetKeyState.USER32(0000002D), ref: 00411FA0
GetKeyState.USER32(0000000D), ref: 00411FA8
GetKeyState.USER32(00000027), ref: 00411FB0
GetKeyState.USER32(0000002D), ref: 00411FB8
GetKeyState.USER32(0000000D), ref: 00411FC0
GetKeyState.USER32(00000027), ref: 00411FC8
GetKeyState.USER32(0000002D), ref: 00411FD0
GetKeyState.USER32(0000000D), ref: 00411FD8
GetKeyState.USER32(00000027), ref: 00411FE0
GetKeyState.USER32(0000002D), ref: 00411FE8
GetKeyState.USER32(0000000D), ref: 00411FF0
GetKeyState.USER32(00000027), ref: 00411FF8
GetKeyState.USER32(0000002D), ref: 00412000
GetKeyState.USER32(0000000D), ref: 00412008
GetKeyState.USER32(00000027), ref: 00412010
GetKeyState.USER32(0000002D), ref: 00412018
GetKeyState.USER32(0000000D), ref: 00412020
GetKeyState.USER32(00000027), ref: 00412028
GetKeyState.USER32(0000002D), ref: 00412030
GetKeyState.USER32(0000000D), ref: 00412038
GetKeyState.USER32(00000027), ref: 00412040
GetKeyState.USER32(0000002D), ref: 00412048
GetKeyState.USER32(0000000D), ref: 00412050
GetKeyState.USER32(00000027), ref: 00412058
GetKeyState.USER32(0000002D), ref: 00412060
GetKeyState.USER32(0000000D), ref: 00412068
GetKeyState.USER32(00000027), ref: 00412070
GetKeyState.USER32(0000002D), ref: 00412078
GetKeyState.USER32(0000000D), ref: 00412080
GetKeyState.USER32(00000027), ref: 00412088
GetKeyState.USER32(0000002D), ref: 00412090
GetKeyState.USER32(0000000D), ref: 00412098
GetKeyState.USER32(00000027), ref: 004120A0
GetKeyState.USER32(0000002D), ref: 004120A8
GetKeyState.USER32(0000000D), ref: 004120B0
GetKeyState.USER32(00000027), ref: 004120B8
GetKeyState.USER32(0000002D), ref: 004120C0
GetKeyState.USER32(0000000D), ref: 004120C8
GetKeyState.USER32(00000027), ref: 004120D0
GetKeyState.USER32(0000002D), ref: 004120D8
GetKeyState.USER32(0000000D), ref: 004120E0
GetKeyState.USER32(00000027), ref: 004120E8
GetKeyState.USER32(0000002D), ref: 004120F0
GetKeyState.USER32(0000000D), ref: 004120F8
GetKeyState.USER32(00000027), ref: 00412100
GetKeyState.USER32(0000002D), ref: 00412108
GetKeyState.USER32(0000000D), ref: 00412110
GetKeyState.USER32(00000027), ref: 00412118
GetKeyState.USER32(0000002D), ref: 00412120
GetKeyState.USER32(0000000D), ref: 00412128
GetKeyState.USER32(00000027), ref: 00412130
GetKeyState.USER32(0000002D), ref: 00412138
GetKeyState.USER32(0000000D), ref: 00412140
GetKeyState.USER32(00000027), ref: 00412148
GetKeyState.USER32(0000002D), ref: 00412150
GetKeyState.USER32(0000000D), ref: 00412158
GetKeyState.USER32(00000027), ref: 00412160
GetKeyState.USER32(0000002D), ref: 00412168
GetKeyState.USER32(0000000D), ref: 00412170
GetKeyState.USER32(00000027), ref: 00412178
GetKeyState.USER32(0000002D), ref: 00412180
GetKeyState.USER32(0000000D), ref: 00412188
GetKeyState.USER32(00000027), ref: 00412190
GetKeyState.USER32(0000002D), ref: 00412198
GetKeyState.USER32(0000000D), ref: 004121A0
GetKeyState.USER32(00000027), ref: 004121A8
GetKeyState.USER32(0000002D), ref: 004121B0
GetKeyState.USER32(0000000D), ref: 004121B8
GetKeyState.USER32(00000027), ref: 004121C0
GetKeyState.USER32(0000002D), ref: 004121C8
GetKeyState.USER32(0000000D), ref: 004121D0
GetKeyState.USER32(00000027), ref: 004121D8
GetKeyState.USER32(0000002D), ref: 004121E0
GetKeyState.USER32(0000000D), ref: 004121E8
GetKeyState.USER32(00000027), ref: 004121F0
GetKeyState.USER32(0000002D), ref: 004121F8
GetKeyState.USER32(0000000D), ref: 00412200
GetKeyState.USER32(00000027), ref: 00412208
GetKeyState.USER32(0000002D), ref: 00412210
GetKeyState.USER32(0000000D), ref: 00412218
GetKeyState.USER32(00000027), ref: 00412220
GetKeyState.USER32(0000002D), ref: 00412228
GetKeyState.USER32(0000000D), ref: 00412230
GetKeyState.USER32(00000027), ref: 00412238
GetKeyState.USER32(0000002D), ref: 00412240
GetKeyState.USER32(0000000D), ref: 00412248
GetKeyState.USER32(00000027), ref: 00412250
GetKeyState.USER32(0000002D), ref: 00412258
GetKeyState.USER32(0000000D), ref: 00412260
GetKeyState.USER32(00000027), ref: 00412268
GetKeyState.USER32(0000002D), ref: 00412270
GetKeyState.USER32(0000000D), ref: 00412278
GetKeyState.USER32(00000027), ref: 00412280
GetKeyState.USER32(0000002D), ref: 00412288
GetKeyState.USER32(0000000D), ref: 00412290
GetKeyState.USER32(00000027), ref: 00412298
GetKeyState.USER32(0000002D), ref: 004122A0
GetKeyState.USER32(0000000D), ref: 004122A8
GetKeyState.USER32(00000027), ref: 004122B0
GetKeyState.USER32(0000002D), ref: 004122B8
GetKeyState.USER32(0000000D), ref: 004122C0
GetKeyState.USER32(00000027), ref: 004122C8
GetKeyState.USER32(0000002D), ref: 004122D0
GetKeyState.USER32(0000000D), ref: 004122D8
GetKeyState.USER32(00000027), ref: 004122E0
GetKeyState.USER32(0000002D), ref: 004122E8
GetKeyState.USER32(0000000D), ref: 004122F0
GetKeyState.USER32(00000027), ref: 004122F8
GetKeyState.USER32(0000002D), ref: 00412300
GetKeyState.USER32(0000000D), ref: 00412308
GetKeyState.USER32(00000027), ref: 00412310
GetKeyState.USER32(0000002D), ref: 00412318
GetKeyState.USER32(0000000D), ref: 00412320
GetKeyState.USER32(00000027), ref: 00412328
GetKeyState.USER32(0000002D), ref: 00412330
GetKeyState.USER32(0000000D), ref: 00412338
GetKeyState.USER32(00000027), ref: 00412340
GetKeyState.USER32(0000002D), ref: 00412348
GetKeyState.USER32(0000000D), ref: 00412350
GetKeyState.USER32(00000027), ref: 00412358
GetKeyState.USER32(0000002D), ref: 00412360
GetKeyState.USER32(0000000D), ref: 00412368
GetKeyState.USER32(00000027), ref: 00412370
GetKeyState.USER32(0000002D), ref: 00412378
GetKeyState.USER32(0000000D), ref: 00412380
GetKeyState.USER32(00000027), ref: 00412388
GetKeyState.USER32(0000002D), ref: 00412390
GetKeyState.USER32(0000000D), ref: 00412398
GetKeyState.USER32(00000027), ref: 004123A0
GetKeyState.USER32(0000002D), ref: 004123A8
GetKeyState.USER32(0000000D), ref: 004123B0
GetKeyState.USER32(00000027), ref: 004123B8
GetKeyState.USER32(0000002D), ref: 004123C0
GetKeyState.USER32(0000000D), ref: 004123C8
GetKeyState.USER32(00000027), ref: 004123D0
GetKeyState.USER32(0000002D), ref: 004123D8
GetKeyState.USER32(0000000D), ref: 004123E0
GetKeyState.USER32(00000027), ref: 004123E8
GetKeyState.USER32(0000002D), ref: 004123F0
GetKeyState.USER32(0000000D), ref: 004123F8
GetKeyState.USER32(00000027), ref: 00412400
GetKeyState.USER32(0000002D), ref: 00412408
GetKeyState.USER32(0000000D), ref: 00412410
GetKeyState.USER32(00000027), ref: 00412418
GetKeyState.USER32(0000002D), ref: 00412420
GetKeyState.USER32(0000000D), ref: 00412428
GetKeyState.USER32(00000027), ref: 00412430
GetKeyState.USER32(0000002D), ref: 00412438
GetKeyState.USER32(0000000D), ref: 00412440
GetKeyState.USER32(00000027), ref: 00412448
GetKeyState.USER32(0000002D), ref: 00412450
GetKeyState.USER32(0000000D), ref: 00412458
GetKeyState.USER32(00000027), ref: 00412460
GetKeyState.USER32(0000002D), ref: 00412468
GetKeyState.USER32(0000000D), ref: 00412470
GetKeyState.USER32(00000027), ref: 00412478
GetKeyState.USER32(0000002D), ref: 00412480
GetKeyState.USER32(0000000D), ref: 00412488
GetKeyState.USER32(00000027), ref: 00412490
GetKeyState.USER32(0000002D), ref: 00412498
GetKeyState.USER32(0000000D), ref: 004124A0
GetKeyState.USER32(00000027), ref: 004124A8
GetKeyState.USER32(0000002D), ref: 004124B0
GetKeyState.USER32(0000000D), ref: 004124B8
GetKeyState.USER32(00000027), ref: 004124C0
GetKeyState.USER32(0000002D), ref: 004124C8
GetKeyState.USER32(0000000D), ref: 004124D0
GetKeyState.USER32(00000027), ref: 004124D8
GetKeyState.USER32(0000002D), ref: 004124E0
GetKeyState.USER32(0000000D), ref: 004124E8
GetKeyState.USER32(00000027), ref: 004124F0
GetKeyState.USER32(0000002D), ref: 004124F8
GetKeyState.USER32(0000000D), ref: 00412500
GetKeyState.USER32(00000027), ref: 00412508
GetKeyState.USER32(0000002D), ref: 00412510
GetKeyState.USER32(0000000D), ref: 00412518
GetKeyState.USER32(00000027), ref: 00412520
GetKeyState.USER32(0000002D), ref: 00412528
GetKeyState.USER32(0000000D), ref: 00412530
GetKeyState.USER32(00000027), ref: 00412538
GetKeyState.USER32(0000002D), ref: 00412540
GetKeyState.USER32(0000000D), ref: 00412548
GetKeyState.USER32(00000027), ref: 00412550
GetKeyState.USER32(0000002D), ref: 00412558
GetKeyState.USER32(0000000D), ref: 00412560
GetKeyState.USER32(00000027), ref: 00412568
GetKeyState.USER32(0000002D), ref: 00412570
GetKeyState.USER32(0000000D), ref: 00412578
GetKeyState.USER32(00000027), ref: 00412580
GetKeyState.USER32(0000002D), ref: 00412588
GetKeyState.USER32(0000000D), ref: 00412590
GetKeyState.USER32(00000027), ref: 00412598
GetKeyState.USER32(0000002D), ref: 004125A0
GetKeyState.USER32(0000000D), ref: 004125A8
GetKeyState.USER32(00000027), ref: 004125B0
GetKeyState.USER32(0000002D), ref: 004125B8
GetKeyState.USER32(0000000D), ref: 004125C0
GetKeyState.USER32(00000027), ref: 004125C8
GetKeyState.USER32(0000002D), ref: 004125D0
GetKeyState.USER32(0000000D), ref: 004125D8
GetKeyState.USER32(00000027), ref: 004125E0
GetKeyState.USER32(0000002D), ref: 004125E8
GetKeyState.USER32(0000000D), ref: 004125F0
GetKeyState.USER32(00000027), ref: 004125F8
GetKeyState.USER32(0000002D), ref: 00412600
GetKeyState.USER32(0000000D), ref: 00412608
GetKeyState.USER32(00000027), ref: 00412610
GetKeyState.USER32(0000002D), ref: 00412618
GetKeyState.USER32(0000000D), ref: 00412620
GetKeyState.USER32(00000027), ref: 00412628
GetKeyState.USER32(0000002D), ref: 00412630
GetKeyState.USER32(0000000D), ref: 00412638
GetKeyState.USER32(00000027), ref: 00412640
GetKeyState.USER32(0000002D), ref: 00412648
GetKeyState.USER32(0000000D), ref: 00412650
GetKeyState.USER32(00000027), ref: 00412658
GetKeyState.USER32(0000002D), ref: 00412660
GetKeyState.USER32(0000000D), ref: 00412668
GetKeyState.USER32(00000027), ref: 00412670
GetKeyState.USER32(0000002D), ref: 00412678
GetKeyState.USER32(0000000D), ref: 00412680
GetKeyState.USER32(00000027), ref: 00412688
GetKeyState.USER32(0000002D), ref: 00412690
GetKeyState.USER32(0000000D), ref: 00412698
GetKeyState.USER32(00000027), ref: 004126A0
GetKeyState.USER32(0000002D), ref: 004126A8
GetKeyState.USER32(0000000D), ref: 004126B0
GetKeyState.USER32(00000027), ref: 004126B8
GetKeyState.USER32(0000002D), ref: 004126C0
GetKeyState.USER32(0000000D), ref: 004126C8
GetKeyState.USER32(00000027), ref: 004126D0
GetKeyState.USER32(0000002D), ref: 004126D8
GetKeyState.USER32(0000000D), ref: 004126E0
GetKeyState.USER32(00000027), ref: 004126E8
GetKeyState.USER32(0000002D), ref: 004126F0
GetKeyState.USER32(0000000D), ref: 004126F8
GetKeyState.USER32(00000027), ref: 00412700
GetKeyState.USER32(0000002D), ref: 00412708
GetKeyState.USER32(0000000D), ref: 00412710
GetKeyState.USER32(00000027), ref: 00412718
GetKeyState.USER32(0000002D), ref: 00412720
GetKeyState.USER32(0000000D), ref: 00412728
GetKeyState.USER32(00000027), ref: 00412730
GetKeyState.USER32(0000002D), ref: 00412738
GetKeyState.USER32(0000000D), ref: 00412740
GetKeyState.USER32(00000027), ref: 00412748
GetKeyState.USER32(0000002D), ref: 00412750
GetKeyState.USER32(0000000D), ref: 00412758
GetKeyState.USER32(00000027), ref: 00412760
GetKeyState.USER32(0000002D), ref: 00412768
GetKeyState.USER32(0000000D), ref: 00412770
GetKeyState.USER32(00000027), ref: 00412778
GetKeyState.USER32(0000002D), ref: 00412780
GetKeyState.USER32(0000000D), ref: 00412788
GetKeyState.USER32(00000027), ref: 00412790
GetKeyState.USER32(0000002D), ref: 00412798
GetKeyState.USER32(0000000D), ref: 004127A0
GetKeyState.USER32(00000027), ref: 004127A8
GetKeyState.USER32(0000002D), ref: 004127B0
GetKeyState.USER32(0000000D), ref: 004127B8
GetKeyState.USER32(00000027), ref: 004127C0
GetKeyState.USER32(0000002D), ref: 004127C8
GetKeyState.USER32(0000000D), ref: 004127D0
GetKeyState.USER32(00000027), ref: 004127D8
GetKeyState.USER32(0000002D), ref: 004127E0
GetKeyState.USER32(0000000D), ref: 004127E8
GetKeyState.USER32(00000027), ref: 004127F0
GetKeyState.USER32(0000002D), ref: 004127F8
GetKeyState.USER32(0000000D), ref: 00412800
GetKeyState.USER32(00000027), ref: 00412808
GetKeyState.USER32(0000002D), ref: 00412810
GetKeyState.USER32(0000000D), ref: 00412818
GetKeyState.USER32(00000027), ref: 00412820
GetKeyState.USER32(0000002D), ref: 00412828
GetKeyState.USER32(0000000D), ref: 00412830
GetKeyState.USER32(00000027), ref: 00412838
GetKeyState.USER32(0000002D), ref: 00412840
GetKeyState.USER32(0000000D), ref: 00412848
GetKeyState.USER32(00000027), ref: 00412850
GetKeyState.USER32(0000002D), ref: 00412858
GetKeyState.USER32(0000000D), ref: 00412860
GetKeyState.USER32(00000027), ref: 00412868
GetKeyState.USER32(0000002D), ref: 00412870
GetKeyState.USER32(0000000D), ref: 00412878
GetKeyState.USER32(00000027), ref: 00412880
GetKeyState.USER32(0000002D), ref: 00412888
GetKeyState.USER32(0000000D), ref: 00412890
GetKeyState.USER32(00000027), ref: 00412898
GetKeyState.USER32(0000002D), ref: 004128A0
GetKeyState.USER32(0000000D), ref: 004128A8
GetKeyState.USER32(00000027), ref: 004128B0
GetKeyState.USER32(0000002D), ref: 004128B8
GetKeyState.USER32(0000000D), ref: 004128C0
GetKeyState.USER32(00000027), ref: 004128C8
GetKeyState.USER32(0000002D), ref: 004128D0
GetKeyState.USER32(0000000D), ref: 004128D8
GetKeyState.USER32(00000027), ref: 004128E0
GetKeyState.USER32(0000002D), ref: 004128E8
GetKeyState.USER32(0000000D), ref: 004128F0
GetKeyState.USER32(00000027), ref: 004128F8
GetKeyState.USER32(0000002D), ref: 00412900
GetKeyState.USER32(0000000D), ref: 00412908
GetKeyState.USER32(00000027), ref: 00412910
GetKeyState.USER32(0000002D), ref: 00412918
GetKeyState.USER32(0000000D), ref: 00412920
GetKeyState.USER32(00000027), ref: 00412928
GetKeyState.USER32(0000002D), ref: 00412930
GetKeyState.USER32(0000000D), ref: 00412938
GetKeyState.USER32(00000027), ref: 00412940
GetKeyState.USER32(0000002D), ref: 00412948
GetKeyState.USER32(0000000D), ref: 00412950
GetKeyState.USER32(00000027), ref: 00412958
GetKeyState.USER32(0000002D), ref: 00412960
GetKeyState.USER32(0000000D), ref: 00412968
GetKeyState.USER32(00000027), ref: 00412970
GetKeyState.USER32(0000002D), ref: 00412978
GetKeyState.USER32(0000000D), ref: 00412980
GetKeyState.USER32(00000027), ref: 00412988
GetKeyState.USER32(0000002D), ref: 00412990
GetKeyState.USER32(0000000D), ref: 00412998
GetKeyState.USER32(00000027), ref: 004129A0
GetKeyState.USER32(0000002D), ref: 004129A8
GetKeyState.USER32(0000000D), ref: 004129B0
GetKeyState.USER32(00000027), ref: 004129B8
GetKeyState.USER32(0000002D), ref: 004129C0
GetKeyState.USER32(0000000D), ref: 004129C8
GetKeyState.USER32(00000027), ref: 004129D0
GetKeyState.USER32(0000002D), ref: 004129D8
GetKeyState.USER32(0000000D), ref: 004129E0
GetKeyState.USER32(00000027), ref: 004129E8
GetKeyState.USER32(0000002D), ref: 004129F0
GetKeyState.USER32(0000000D), ref: 004129F8
GetKeyState.USER32(00000027), ref: 00412A00
GetKeyState.USER32(0000002D), ref: 00412A08
GetKeyState.USER32(0000000D), ref: 00412A10
GetKeyState.USER32(00000027), ref: 00412A18
GetKeyState.USER32(0000002D), ref: 00412A20
GetKeyState.USER32(0000000D), ref: 00412A28
GetKeyState.USER32(00000027), ref: 00412A30
GetKeyState.USER32(0000002D), ref: 00412A38
GetKeyState.USER32(0000000D), ref: 00412A40
GetKeyState.USER32(00000027), ref: 00412A48
GetKeyState.USER32(0000002D), ref: 00412A50
GetKeyState.USER32(0000000D), ref: 00412A58
GetKeyState.USER32(00000027), ref: 00412A60
GetKeyState.USER32(0000002D), ref: 00412A68
GetKeyState.USER32(0000000D), ref: 00412A70
GetKeyState.USER32(00000027), ref: 00412A78
GetKeyState.USER32(0000002D), ref: 00412A80
GetKeyState.USER32(0000000D), ref: 00412A88
GetKeyState.USER32(00000027), ref: 00412A90
GetKeyState.USER32(0000002D), ref: 00412A98
GetKeyState.USER32(0000000D), ref: 00412AA0
GetKeyState.USER32(00000027), ref: 00412AA8
GetKeyState.USER32(0000002D), ref: 00412AB0
GetKeyState.USER32(0000000D), ref: 00412AB8
GetKeyState.USER32(00000027), ref: 00412AC0
GetKeyState.USER32(0000002D), ref: 00412AC8
GetKeyState.USER32(0000000D), ref: 00412AD0
GetKeyState.USER32(00000027), ref: 00412AD8
GetKeyState.USER32(0000002D), ref: 00412AE0
GetKeyState.USER32(0000000D), ref: 00412AE8
GetKeyState.USER32(00000027), ref: 00412AF0
GetKeyState.USER32(0000002D), ref: 00412AF8
GetKeyState.USER32(0000000D), ref: 00412B00
GetKeyState.USER32(00000027), ref: 00412B08
GetKeyState.USER32(0000002D), ref: 00412B10
GetKeyState.USER32(0000000D), ref: 00412B18
GetKeyState.USER32(00000027), ref: 00412B20
GetKeyState.USER32(0000002D), ref: 00412B28
GetKeyState.USER32(0000000D), ref: 00412B30
GetKeyState.USER32(00000027), ref: 00412B38
GetKeyState.USER32(0000002D), ref: 00412B40
GetKeyState.USER32(0000000D), ref: 00412B48
GetKeyState.USER32(00000027), ref: 00412B50
GetKeyState.USER32(0000002D), ref: 00412B58
GetKeyState.USER32(0000000D), ref: 00412B60
GetKeyState.USER32(00000027), ref: 00412B68
GetKeyState.USER32(0000002D), ref: 00412B70
GetKeyState.USER32(0000000D), ref: 00412B78
GetKeyState.USER32(00000027), ref: 00412B80
GetKeyState.USER32(0000002D), ref: 00412B88
GetKeyState.USER32(0000000D), ref: 00412B90
GetKeyState.USER32(00000027), ref: 00412B98
GetKeyState.USER32(0000002D), ref: 00412BA0
GetKeyState.USER32(0000000D), ref: 00412BA8
GetKeyState.USER32(00000027), ref: 00412BB0
GetKeyState.USER32(0000002D), ref: 00412BB8
GetKeyState.USER32(0000000D), ref: 00412BC0
GetKeyState.USER32(00000027), ref: 00412BC8
GetKeyState.USER32(0000002D), ref: 00412BD0
GetKeyState.USER32(0000000D), ref: 00412BD8
GetKeyState.USER32(00000027), ref: 00412BE0
GetKeyState.USER32(0000002D), ref: 00412BE8
GetKeyState.USER32(0000000D), ref: 00412BF0
GetKeyState.USER32(00000027), ref: 00412BF8
GetKeyState.USER32(0000002D), ref: 00412C00
GetKeyState.USER32(0000000D), ref: 00412C08
GetKeyState.USER32(00000027), ref: 00412C10
GetKeyState.USER32(0000002D), ref: 00412C18
GetKeyState.USER32(0000000D), ref: 00412C20
GetKeyState.USER32(00000027), ref: 00412C28
GetKeyState.USER32(0000002D), ref: 00412C30
GetKeyState.USER32(0000000D), ref: 00412C38
GetKeyState.USER32(00000027), ref: 00412C40
GetKeyState.USER32(0000002D), ref: 00412C48
GetKeyState.USER32(0000000D), ref: 00412C50
GetKeyState.USER32(00000027), ref: 00412C58
GetKeyState.USER32(0000002D), ref: 00412C60
GetKeyState.USER32(0000000D), ref: 00412C68
GetKeyState.USER32(00000027), ref: 00412C70
GetKeyState.USER32(0000002D), ref: 00412C78
GetKeyState.USER32(0000000D), ref: 00412C80
GetKeyState.USER32(00000027), ref: 00412C88
GetKeyState.USER32(0000002D), ref: 00412C90
GetKeyState.USER32(0000000D), ref: 00412C98
GetKeyState.USER32(00000027), ref: 00412CA0
GetKeyState.USER32(0000002D), ref: 00412CA8
GetKeyState.USER32(0000000D), ref: 00412CB0
GetKeyState.USER32(00000027), ref: 00412CB8
GetKeyState.USER32(0000002D), ref: 00412CC0
GetKeyState.USER32(0000000D), ref: 00412CC8
GetKeyState.USER32(00000027), ref: 00412CD0
GetKeyState.USER32(0000002D), ref: 00412CD8
GetKeyState.USER32(0000000D), ref: 00412CE0
GetKeyState.USER32(00000027), ref: 00412CE8
GetKeyState.USER32(0000002D), ref: 00412CF0
GetKeyState.USER32(0000000D), ref: 00412CF8
GetKeyState.USER32(00000027), ref: 00412D00
GetKeyState.USER32(0000002D), ref: 00412D08
GetKeyState.USER32(0000000D), ref: 00412D10
GetKeyState.USER32(00000027), ref: 00412D18
GetKeyState.USER32(0000002D), ref: 00412D20
GetKeyState.USER32(0000000D), ref: 00412D28
GetKeyState.USER32(00000027), ref: 00412D30
GetKeyState.USER32(0000002D), ref: 00412D38
GetKeyState.USER32(0000000D), ref: 00412D40
GetKeyState.USER32(00000027), ref: 00412D48
GetKeyState.USER32(0000002D), ref: 00412D50
GetKeyState.USER32(0000000D), ref: 00412D58
GetKeyState.USER32(00000027), ref: 00412D60
GetKeyState.USER32(0000002D), ref: 00412D68
GetKeyState.USER32(0000000D), ref: 00412D70
GetKeyState.USER32(00000027), ref: 00412D78
GetKeyState.USER32(0000002D), ref: 00412D80
GetKeyState.USER32(0000000D), ref: 00412D88
GetKeyState.USER32(00000027), ref: 00412D90
GetKeyState.USER32(0000002D), ref: 00412D98
GetKeyState.USER32(0000000D), ref: 00412DA0
GetKeyState.USER32(00000027), ref: 00412DA8
GetKeyState.USER32(0000002D), ref: 00412DB0
GetKeyState.USER32(0000000D), ref: 00412DB8
GetKeyState.USER32(00000027), ref: 00412DC0
GetKeyState.USER32(0000002D), ref: 00412DC8
GetKeyState.USER32(0000000D), ref: 00412DD0
GetKeyState.USER32(00000027), ref: 00412DD8
GetKeyState.USER32(0000002D), ref: 00412DE0
GetKeyState.USER32(0000000D), ref: 00412DE8
GetKeyState.USER32(00000027), ref: 00412DF0
GetKeyState.USER32(0000002D), ref: 00412DF8
GetKeyState.USER32(0000000D), ref: 00412E00
GetKeyState.USER32(00000027), ref: 00412E08
GetKeyState.USER32(0000002D), ref: 00412E10
GetKeyState.USER32(0000000D), ref: 00412E18
GetKeyState.USER32(00000027), ref: 00412E20
GetKeyState.USER32(0000002D), ref: 00412E28
GetKeyState.USER32(0000000D), ref: 00412E30
GetKeyState.USER32(00000027), ref: 00412E38
GetKeyState.USER32(0000002D), ref: 00412E40
GetKeyState.USER32(0000000D), ref: 00412E48
GetKeyState.USER32(00000027), ref: 00412E50
GetKeyState.USER32(0000002D), ref: 00412E58
GetKeyState.USER32(0000000D), ref: 00412E60
GetKeyState.USER32(00000027), ref: 00412E68
GetKeyState.USER32(0000002D), ref: 00412E70
GetKeyState.USER32(0000000D), ref: 00412E78
GetKeyState.USER32(00000027), ref: 00412E80
GetKeyState.USER32(0000002D), ref: 00412E88
GetKeyState.USER32(0000000D), ref: 00412E90
GetKeyState.USER32(00000027), ref: 00412E98
GetKeyState.USER32(0000002D), ref: 00412EA0
GetKeyState.USER32(0000000D), ref: 00412EA8
GetKeyState.USER32(00000027), ref: 00412EB0
GetKeyState.USER32(0000002D), ref: 00412EB8
GetKeyState.USER32(0000000D), ref: 00412EC0
GetKeyState.USER32(00000027), ref: 00412EC8
GetKeyState.USER32(0000002D), ref: 00412ED0
GetKeyState.USER32(0000000D), ref: 00412ED8
GetKeyState.USER32(00000027), ref: 00412EE0
GetKeyState.USER32(0000002D), ref: 00412EE8
GetKeyState.USER32(0000000D), ref: 00412EF0
GetKeyState.USER32(00000027), ref: 00412EF8
GetKeyState.USER32(0000002D), ref: 00412F00
GetKeyState.USER32(0000000D), ref: 00412F08
GetKeyState.USER32(00000027), ref: 00412F10
GetKeyState.USER32(0000002D), ref: 00412F18
GetKeyState.USER32(0000000D), ref: 00412F20
GetKeyState.USER32(00000027), ref: 00412F28
GetKeyState.USER32(0000002D), ref: 00412F30
GetKeyState.USER32(0000000D), ref: 00412F38
GetKeyState.USER32(00000027), ref: 00412F40
GetKeyState.USER32(0000002D), ref: 00412F48
GetKeyState.USER32(0000000D), ref: 00412F50
GetKeyState.USER32(00000027), ref: 00412F58
GetKeyState.USER32(0000002D), ref: 00412F60
GetKeyState.USER32(0000000D), ref: 00412F68
GetKeyState.USER32(00000027), ref: 00412F70
GetKeyState.USER32(0000002D), ref: 00412F78
GetKeyState.USER32(0000000D), ref: 00412F80
GetKeyState.USER32(00000027), ref: 00412F88
GetKeyState.USER32(0000002D), ref: 00412F90
GetKeyState.USER32(0000000D), ref: 00412F98
GetKeyState.USER32(00000027), ref: 00412FA0
GetKeyState.USER32(0000002D), ref: 00412FA8
GetKeyState.USER32(0000000D), ref: 00412FB0
GetKeyState.USER32(00000027), ref: 00412FB8
GetKeyState.USER32(0000002D), ref: 00412FC0
GetKeyState.USER32(0000000D), ref: 00412FC8
GetKeyState.USER32(00000027), ref: 00412FD0
GetKeyState.USER32(0000002D), ref: 00412FD8
GetKeyState.USER32(0000000D), ref: 00412FE0
GetKeyState.USER32(00000027), ref: 00412FE8
GetKeyState.USER32(0000002D), ref: 00412FF0
GetKeyState.USER32(0000000D), ref: 00412FF8
GetKeyState.USER32(00000027), ref: 00413000
GetKeyState.USER32(0000002D), ref: 00413008
GetKeyState.USER32(0000000D), ref: 00413010
GetKeyState.USER32(00000027), ref: 00413018
GetKeyState.USER32(0000002D), ref: 00413020
GetKeyState.USER32(0000000D), ref: 00413028
GetKeyState.USER32(00000027), ref: 00413030
GetKeyState.USER32(0000002D), ref: 00413038
GetKeyState.USER32(0000000D), ref: 00413040
GetKeyState.USER32(00000027), ref: 00413048
GetKeyState.USER32(0000002D), ref: 00413050
GetKeyState.USER32(0000000D), ref: 00413058
GetKeyState.USER32(00000027), ref: 00413060
GetKeyState.USER32(0000002D), ref: 00413068
GetKeyState.USER32(0000000D), ref: 00413070
GetKeyState.USER32(00000027), ref: 00413078
GetKeyState.USER32(0000002D), ref: 00413080
GetKeyState.USER32(0000000D), ref: 00413088
GetKeyState.USER32(00000027), ref: 00413090
GetKeyState.USER32(0000002D), ref: 00413098
GetKeyState.USER32(0000000D), ref: 004130A0
GetKeyState.USER32(00000027), ref: 004130A8
GetKeyState.USER32(0000002D), ref: 004130B0
GetKeyState.USER32(0000000D), ref: 004130B8
GetKeyState.USER32(00000027), ref: 004130C0
GetKeyState.USER32(0000002D), ref: 004130C8
GetKeyState.USER32(0000000D), ref: 004130D0
GetKeyState.USER32(00000027), ref: 004130D8
GetKeyState.USER32(0000002D), ref: 004130E0
GetKeyState.USER32(0000000D), ref: 004130E8
GetKeyState.USER32(00000027), ref: 004130F0
GetKeyState.USER32(0000002D), ref: 004130F8
GetKeyState.USER32(0000000D), ref: 00413100
GetKeyState.USER32(00000027), ref: 00413108
GetKeyState.USER32(0000002D), ref: 00413110
GetKeyState.USER32(0000000D), ref: 00413118
GetKeyState.USER32(00000027), ref: 00413120
GetKeyState.USER32(0000002D), ref: 00413128
GetKeyState.USER32(0000000D), ref: 00413130
GetKeyState.USER32(00000027), ref: 00413138
GetKeyState.USER32(0000002D), ref: 00413140
GetKeyState.USER32(0000000D), ref: 00413148
GetKeyState.USER32(00000027), ref: 00413150
GetKeyState.USER32(0000002D), ref: 00413158
GetKeyState.USER32(0000000D), ref: 00413160
GetKeyState.USER32(00000027), ref: 00413168
GetKeyState.USER32(0000002D), ref: 00413170
GetKeyState.USER32(0000000D), ref: 00413178
GetKeyState.USER32(00000027), ref: 00413180
GetKeyState.USER32(0000002D), ref: 00413188
GetKeyState.USER32(0000000D), ref: 00413190
GetKeyState.USER32(00000027), ref: 00413198
GetKeyState.USER32(0000002D), ref: 004131A0
GetKeyState.USER32(0000000D), ref: 004131A8
GetKeyState.USER32(00000027), ref: 004131B0
GetKeyState.USER32(0000002D), ref: 004131B8
GetKeyState.USER32(0000000D), ref: 004131C0
GetKeyState.USER32(00000027), ref: 004131C8
GetKeyState.USER32(0000002D), ref: 004131D0
GetKeyState.USER32(0000000D), ref: 004131D8
GetKeyState.USER32(00000027), ref: 004131E0
GetKeyState.USER32(0000002D), ref: 004131E8
GetKeyState.USER32(0000000D), ref: 004131F0
GetKeyState.USER32(00000027), ref: 004131F8
GetKeyState.USER32(0000002D), ref: 00413200
GetKeyState.USER32(0000000D), ref: 00413208
GetKeyState.USER32(00000027), ref: 00413210
GetKeyState.USER32(0000002D), ref: 00413218
GetKeyState.USER32(0000000D), ref: 00413220
GetKeyState.USER32(00000027), ref: 00413228
GetKeyState.USER32(0000002D), ref: 00413230
GetKeyState.USER32(0000000D), ref: 00413238
GetKeyState.USER32(00000027), ref: 00413240
GetKeyState.USER32(0000002D), ref: 00413248
GetKeyState.USER32(0000000D), ref: 00413250
GetKeyState.USER32(00000027), ref: 00413258
GetKeyState.USER32(0000002D), ref: 00413260
GetKeyState.USER32(0000000D), ref: 00413268
GetKeyState.USER32(00000027), ref: 00413270
GetKeyState.USER32(0000002D), ref: 00413278
GetKeyState.USER32(0000000D), ref: 00413280
GetKeyState.USER32(00000027), ref: 00413288
GetKeyState.USER32(0000002D), ref: 00413290
GetKeyState.USER32(0000000D), ref: 00413298
GetKeyState.USER32(00000027), ref: 004132A0
GetKeyState.USER32(0000002D), ref: 004132A8
GetKeyState.USER32(0000000D), ref: 004132B0
GetKeyState.USER32(00000027), ref: 004132B8
GetKeyState.USER32(0000002D), ref: 004132C0
GetKeyState.USER32(0000000D), ref: 004132C8
GetKeyState.USER32(00000027), ref: 004132D0
GetKeyState.USER32(0000002D), ref: 004132D8
GetKeyState.USER32(0000000D), ref: 004132E0
GetKeyState.USER32(00000027), ref: 004132E8
GetKeyState.USER32(0000002D), ref: 004132F0
GetKeyState.USER32(0000000D), ref: 004132F8
GetKeyState.USER32(00000027), ref: 00413300
GetKeyState.USER32(0000002D), ref: 00413308
GetKeyState.USER32(0000000D), ref: 00413310
GetKeyState.USER32(00000027), ref: 00413318
GetKeyState.USER32(0000002D), ref: 00413320
GetKeyState.USER32(0000000D), ref: 00413328
GetKeyState.USER32(00000027), ref: 00413330
GetKeyState.USER32(0000002D), ref: 00413338
GetKeyState.USER32(0000000D), ref: 00413340
GetKeyState.USER32(00000027), ref: 00413348
GetKeyState.USER32(0000002D), ref: 00413350
GetKeyState.USER32(0000000D), ref: 00413358
GetKeyState.USER32(00000027), ref: 00413360
GetKeyState.USER32(0000002D), ref: 00413368
GetKeyState.USER32(0000000D), ref: 00413370
GetKeyState.USER32(00000027), ref: 00413378
GetKeyState.USER32(0000002D), ref: 00413380
GetKeyState.USER32(0000000D), ref: 00413388
GetKeyState.USER32(00000027), ref: 00413390
GetKeyState.USER32(0000002D), ref: 00413398
GetKeyState.USER32(0000000D), ref: 004133A0
GetKeyState.USER32(00000027), ref: 004133A8
GetKeyState.USER32(0000002D), ref: 004133B0
GetKeyState.USER32(0000000D), ref: 004133B8
GetKeyState.USER32(00000027), ref: 004133C0
GetKeyState.USER32(0000002D), ref: 004133C8
GetKeyState.USER32(0000000D), ref: 004133D0
GetKeyState.USER32(00000027), ref: 004133D8
GetKeyState.USER32(0000002D), ref: 004133E0
GetKeyState.USER32(0000000D), ref: 004133E8
GetKeyState.USER32(00000027), ref: 004133F0
GetKeyState.USER32(0000002D), ref: 004133F8
GetKeyState.USER32(0000000D), ref: 00413400
GetKeyState.USER32(00000027), ref: 00413408
GetKeyState.USER32(0000002D), ref: 00413410
GetKeyState.USER32(0000000D), ref: 00413418
GetKeyState.USER32(00000027), ref: 00413420
GetKeyState.USER32(0000002D), ref: 00413428
GetKeyState.USER32(0000000D), ref: 00413430
GetKeyState.USER32(00000027), ref: 00413438
GetKeyState.USER32(0000002D), ref: 00413440
GetKeyState.USER32(0000000D), ref: 00413448
GetKeyState.USER32(00000027), ref: 00413450
GetKeyState.USER32(0000002D), ref: 00413458
GetKeyState.USER32(0000000D), ref: 00413460
GetKeyState.USER32(00000027), ref: 00413468
GetKeyState.USER32(0000002D), ref: 00413470
GetKeyState.USER32(0000000D), ref: 00413478
GetKeyState.USER32(00000027), ref: 00413480
GetKeyState.USER32(0000002D), ref: 00413488
GetKeyState.USER32(0000000D), ref: 00413490
GetKeyState.USER32(00000027), ref: 00413498
GetKeyState.USER32(0000002D), ref: 004134A0
GetKeyState.USER32(0000000D), ref: 004134A8
GetKeyState.USER32(00000027), ref: 004134B0
GetKeyState.USER32(0000002D), ref: 004134B8
GetKeyState.USER32(0000000D), ref: 004134C0
GetKeyState.USER32(00000027), ref: 004134C8
GetKeyState.USER32(0000002D), ref: 004134D0
GetKeyState.USER32(0000000D), ref: 004134D8
GetKeyState.USER32(00000027), ref: 004134E0
GetKeyState.USER32(0000002D), ref: 004134E8
GetKeyState.USER32(0000000D), ref: 004134F0
GetKeyState.USER32(00000027), ref: 004134F8
GetKeyState.USER32(0000002D), ref: 00413500
GetKeyState.USER32(0000000D), ref: 00413508
GetKeyState.USER32(00000027), ref: 00413510
GetKeyState.USER32(0000002D), ref: 00413518
GetKeyState.USER32(0000000D), ref: 00413520
GetKeyState.USER32(00000027), ref: 00413528
GetKeyState.USER32(0000002D), ref: 00413530
GetKeyState.USER32(0000000D), ref: 00413538
GetKeyState.USER32(00000027), ref: 00413540
GetKeyState.USER32(0000002D), ref: 00413548
GetKeyState.USER32(0000000D), ref: 00413550
GetKeyState.USER32(00000027), ref: 00413558
GetKeyState.USER32(0000002D), ref: 00413560
GetKeyState.USER32(0000000D), ref: 00413568
GetKeyState.USER32(00000027), ref: 00413570
GetKeyState.USER32(0000002D), ref: 00413578
GetKeyState.USER32(0000000D), ref: 00413580
GetKeyState.USER32(00000027), ref: 00413588
GetKeyState.USER32(0000002D), ref: 00413590
GetKeyState.USER32(0000000D), ref: 00413598
GetKeyState.USER32(00000027), ref: 004135A0
GetKeyState.USER32(0000002D), ref: 004135A8
GetKeyState.USER32(0000000D), ref: 004135B0
GetKeyState.USER32(00000027), ref: 004135B8
GetKeyState.USER32(0000002D), ref: 004135C0
GetKeyState.USER32(0000000D), ref: 004135C8
GetKeyState.USER32(00000027), ref: 004135D0
GetKeyState.USER32(0000002D), ref: 004135D8
GetKeyState.USER32(0000000D), ref: 004135E0
GetKeyState.USER32(00000027), ref: 004135E8
GetKeyState.USER32(0000002D), ref: 004135F0
GetKeyState.USER32(0000000D), ref: 004135F8
GetKeyState.USER32(00000027), ref: 00413600
GetKeyState.USER32(0000002D), ref: 00413608
GetKeyState.USER32(0000000D), ref: 00413610
GetKeyState.USER32(00000027), ref: 00413618
GetKeyState.USER32(0000002D), ref: 00413620
GetKeyState.USER32(0000000D), ref: 00413628
GetKeyState.USER32(00000027), ref: 00413630
GetKeyState.USER32(0000002D), ref: 00413649
GetKeyState.USER32(0000000D), ref: 00413651
GetKeyState.USER32(00000027), ref: 00413659
GetKeyState.USER32(0000002D), ref: 00413661
GetKeyState.USER32(0000000D), ref: 00413669
GetKeyState.USER32(00000027), ref: 00413671
GetKeyState.USER32(0000002D), ref: 00413679
GetKeyState.USER32(0000000D), ref: 00413681
GetKeyState.USER32(00000027), ref: 00413689
GetKeyState.USER32(0000002D), ref: 00413691
GetKeyState.USER32(0000000D), ref: 00413699
GetKeyState.USER32(00000027), ref: 004136A1
GetKeyState.USER32(0000002D), ref: 004136A9
GetKeyState.USER32(0000000D), ref: 004136B1
GetKeyState.USER32(00000027), ref: 004136B9
GetKeyState.USER32(0000002D), ref: 004136C1
GetKeyState.USER32(0000000D), ref: 004136C9
GetKeyState.USER32(00000027), ref: 004136D1
GetKeyState.USER32(0000002D), ref: 004136D9
GetKeyState.USER32(0000000D), ref: 004136E1
GetKeyState.USER32(00000027), ref: 004136E9
GetKeyState.USER32(0000002D), ref: 004136F1
GetKeyState.USER32(0000000D), ref: 004136F9
GetKeyState.USER32(00000027), ref: 00413701
GetKeyState.USER32(0000002D), ref: 00413709
GetKeyState.USER32(0000000D), ref: 00413711
GetKeyState.USER32(00000027), ref: 00413719
GetKeyState.USER32(0000002D), ref: 00413721
GetKeyState.USER32(0000000D), ref: 00413729
GetKeyState.USER32(00000027), ref: 00413731
GetKeyState.USER32(0000002D), ref: 00413739
GetKeyState.USER32(0000000D), ref: 00413741
GetKeyState.USER32(00000027), ref: 00413749
GetKeyState.USER32(0000002D), ref: 00413751
GetKeyState.USER32(0000000D), ref: 00413759
GetKeyState.USER32(00000027), ref: 00413761
GetKeyState.USER32(0000002D), ref: 00413769
GetKeyState.USER32(0000000D), ref: 00413771
GetKeyState.USER32(00000027), ref: 00413779
GetKeyState.USER32(0000002D), ref: 00413781
GetKeyState.USER32(0000000D), ref: 00413789
GetKeyState.USER32(00000027), ref: 00413791
GetKeyState.USER32(0000002D), ref: 00413799
GetKeyState.USER32(0000000D), ref: 004137A1
GetKeyState.USER32(00000027), ref: 004137A9
GetKeyState.USER32(0000002D), ref: 004137B1
GetKeyState.USER32(0000000D), ref: 004137B9
GetKeyState.USER32(00000027), ref: 004137C1
GetKeyState.USER32(0000002D), ref: 004137C9
GetKeyState.USER32(0000000D), ref: 004137D1
GetKeyState.USER32(00000027), ref: 004137D9
GetKeyState.USER32(0000002D), ref: 004137E1
GetKeyState.USER32(0000000D), ref: 004137E9
GetKeyState.USER32(00000027), ref: 004137F1
GetKeyState.USER32(0000002D), ref: 004137F9
GetKeyState.USER32(0000000D), ref: 00413801
GetKeyState.USER32(00000027), ref: 00413809
GetKeyState.USER32(0000002D), ref: 00413811
GetKeyState.USER32(0000000D), ref: 00413819
GetKeyState.USER32(00000027), ref: 00413821
GetKeyState.USER32(0000002D), ref: 00413829
GetKeyState.USER32(0000000D), ref: 00413831
GetKeyState.USER32(00000027), ref: 00413839
GetKeyState.USER32(0000002D), ref: 00413841
GetKeyState.USER32(0000000D), ref: 00413849
GetKeyState.USER32(00000027), ref: 00413851
GetKeyState.USER32(0000002D), ref: 00413859
GetKeyState.USER32(0000000D), ref: 00413861
GetKeyState.USER32(00000027), ref: 00413869
GetKeyState.USER32(0000002D), ref: 00413871
GetKeyState.USER32(0000000D), ref: 00413879
GetKeyState.USER32(00000027), ref: 00413881
GetKeyState.USER32(0000002D), ref: 00413889
GetKeyState.USER32(0000000D), ref: 00413891
GetKeyState.USER32(00000027), ref: 00413899
GetKeyState.USER32(0000002D), ref: 004138A1
GetKeyState.USER32(0000000D), ref: 004138A9
GetKeyState.USER32(00000027), ref: 004138B1
GetKeyState.USER32(0000002D), ref: 004138B9
GetKeyState.USER32(0000000D), ref: 004138C1
GetKeyState.USER32(00000027), ref: 004138C9
GetKeyState.USER32(0000002D), ref: 004138D1
GetKeyState.USER32(0000000D), ref: 004138D9
GetKeyState.USER32(00000027), ref: 004138E1
GetKeyState.USER32(0000002D), ref: 004138E9
GetKeyState.USER32(0000000D), ref: 004138F1
GetKeyState.USER32(00000027), ref: 004138F9
GetKeyState.USER32(0000002D), ref: 00413901
GetKeyState.USER32(0000000D), ref: 00413909
GetKeyState.USER32(00000027), ref: 00413911
GetKeyState.USER32(0000002D), ref: 00413919
GetKeyState.USER32(0000000D), ref: 00413921
GetKeyState.USER32(00000027), ref: 00413929
GetKeyState.USER32(0000002D), ref: 00413931
GetKeyState.USER32(0000000D), ref: 00413939
GetKeyState.USER32(00000027), ref: 00413941
GetKeyState.USER32(0000002D), ref: 00413949
GetKeyState.USER32(0000000D), ref: 00413951
GetKeyState.USER32(00000027), ref: 00413959
GetKeyState.USER32(0000002D), ref: 00413961
GetKeyState.USER32(0000000D), ref: 00413969
GetKeyState.USER32(00000027), ref: 00413971
GetKeyState.USER32(0000002D), ref: 00413979
GetKeyState.USER32(0000000D), ref: 00413981
GetKeyState.USER32(00000027), ref: 00413989
GetKeyState.USER32(0000002D), ref: 00413991
GetKeyState.USER32(0000000D), ref: 00413999
GetKeyState.USER32(00000027), ref: 004139A1
GetKeyState.USER32(0000002D), ref: 004139A9
GetKeyState.USER32(0000000D), ref: 004139B1
GetKeyState.USER32(00000027), ref: 004139B9
GetKeyState.USER32(0000002D), ref: 004139C1
GetKeyState.USER32(0000000D), ref: 004139C9
GetKeyState.USER32(00000027), ref: 004139D1
GetKeyState.USER32(0000002D), ref: 004139D9
GetKeyState.USER32(0000000D), ref: 004139E1
GetKeyState.USER32(00000027), ref: 004139E9
GetKeyState.USER32(0000002D), ref: 004139F1
GetKeyState.USER32(0000000D), ref: 004139F9
GetKeyState.USER32(00000027), ref: 00413A01
GetKeyState.USER32(0000002D), ref: 00413A09
GetKeyState.USER32(0000000D), ref: 00413A11
GetKeyState.USER32(00000027), ref: 00413A19
GetKeyState.USER32(0000002D), ref: 00413A21
GetKeyState.USER32(0000000D), ref: 00413A29
GetKeyState.USER32(00000027), ref: 00413A31
GetKeyState.USER32(0000002D), ref: 00413A39
GetKeyState.USER32(0000000D), ref: 00413A41
GetKeyState.USER32(00000027), ref: 00413A49
GetKeyState.USER32(0000002D), ref: 00413A51
GetKeyState.USER32(0000000D), ref: 00413A59
GetKeyState.USER32(00000027), ref: 00413A61
GetKeyState.USER32(0000002D), ref: 00413A69
GetKeyState.USER32(0000000D), ref: 00413A71
GetKeyState.USER32(00000027), ref: 00413A79
GetKeyState.USER32(0000002D), ref: 00413A81
GetKeyState.USER32(0000000D), ref: 00413A89
GetKeyState.USER32(00000027), ref: 00413A91
GetKeyState.USER32(0000002D), ref: 00413A99
GetKeyState.USER32(0000000D), ref: 00413AA1
GetKeyState.USER32(00000027), ref: 00413AA9
GetKeyState.USER32(0000002D), ref: 00413AB1
GetKeyState.USER32(0000000D), ref: 00413AB9
GetKeyState.USER32(00000027), ref: 00413AC1
GetKeyState.USER32(0000002D), ref: 00413AC9
GetKeyState.USER32(0000000D), ref: 00413AD1
GetKeyState.USER32(00000027), ref: 00413AD9
GetKeyState.USER32(0000002D), ref: 00413AE1
GetKeyState.USER32(0000000D), ref: 00413AE9
GetKeyState.USER32(00000027), ref: 00413AF1
GetKeyState.USER32(0000002D), ref: 00413AF9
GetKeyState.USER32(0000000D), ref: 00413B01
GetKeyState.USER32(00000027), ref: 00413B09
GetKeyState.USER32(0000002D), ref: 00413B11
GetKeyState.USER32(0000000D), ref: 00413B19
GetKeyState.USER32(00000027), ref: 00413B21
GetKeyState.USER32(0000002D), ref: 00413B29
GetKeyState.USER32(0000000D), ref: 00413B31
GetKeyState.USER32(00000027), ref: 00413B39
GetKeyState.USER32(0000002D), ref: 00413B41
GetKeyState.USER32(0000000D), ref: 00413B49
GetKeyState.USER32(00000027), ref: 00413B51
GetKeyState.USER32(0000002D), ref: 00413B59
GetKeyState.USER32(0000000D), ref: 00413B61
GetKeyState.USER32(00000027), ref: 00413B69
GetKeyState.USER32(0000002D), ref: 00413B71
GetKeyState.USER32(0000000D), ref: 00413B79
GetKeyState.USER32(00000027), ref: 00413B81
GetKeyState.USER32(0000002D), ref: 00413B89
GetKeyState.USER32(0000000D), ref: 00413B91
GetKeyState.USER32(00000027), ref: 00413B99
GetKeyState.USER32(0000002D), ref: 00413BA1
GetKeyState.USER32(0000000D), ref: 00413BA9
GetKeyState.USER32(00000027), ref: 00413BB1
GetKeyState.USER32(0000002D), ref: 00413BB9
GetKeyState.USER32(0000000D), ref: 00413BC1
GetKeyState.USER32(00000027), ref: 00413BC9
GetKeyState.USER32(0000002D), ref: 00413BD1
GetKeyState.USER32(0000000D), ref: 00413BD9
GetKeyState.USER32(00000027), ref: 00413BE1
GetKeyState.USER32(0000002D), ref: 00413BE9
GetKeyState.USER32(0000000D), ref: 00413BF1
GetKeyState.USER32(00000027), ref: 00413BF9
GetKeyState.USER32(0000002D), ref: 00413C01
GetKeyState.USER32(0000000D), ref: 00413C09
GetKeyState.USER32(00000027), ref: 00413C11
GetKeyState.USER32(0000002D), ref: 00413C19
GetKeyState.USER32(0000000D), ref: 00413C21
GetKeyState.USER32(00000027), ref: 00413C29
GetKeyState.USER32(0000002D), ref: 00413C31
GetKeyState.USER32(0000000D), ref: 00413C39
GetKeyState.USER32(00000027), ref: 00413C41
GetKeyState.USER32(0000002D), ref: 00413C49
GetKeyState.USER32(0000000D), ref: 00413C51
GetKeyState.USER32(00000027), ref: 00413C59
GetKeyState.USER32(0000002D), ref: 00413C61
GetKeyState.USER32(0000000D), ref: 00413C69
GetKeyState.USER32(00000027), ref: 00413C71
GetKeyState.USER32(0000002D), ref: 00413C79
GetKeyState.USER32(0000000D), ref: 00413C81
GetKeyState.USER32(00000027), ref: 00413C89
GetKeyState.USER32(0000002D), ref: 00413C91
GetKeyState.USER32(0000000D), ref: 00413C99
GetKeyState.USER32(00000027), ref: 00413CA1
GetKeyState.USER32(0000002D), ref: 00413CA9
GetKeyState.USER32(0000000D), ref: 00413CB1
GetKeyState.USER32(00000027), ref: 00413CB9
GetKeyState.USER32(0000002D), ref: 00413CC1
GetKeyState.USER32(0000000D), ref: 00413CC9
GetKeyState.USER32(00000027), ref: 00413CD1
GetKeyState.USER32(0000002D), ref: 00413CD9
GetKeyState.USER32(0000000D), ref: 00413CE1
GetKeyState.USER32(00000027), ref: 00413CE9
GetKeyState.USER32(0000002D), ref: 00413CF1
GetKeyState.USER32(0000000D), ref: 00413CF9
GetKeyState.USER32(00000027), ref: 00413D01
GetKeyState.USER32(0000002D), ref: 00413D09
GetKeyState.USER32(0000000D), ref: 00413D11
GetKeyState.USER32(00000027), ref: 00413D19
GetKeyState.USER32(0000002D), ref: 00413D21
GetKeyState.USER32(0000000D), ref: 00413D29
GetKeyState.USER32(00000027), ref: 00413D31
GetKeyState.USER32(0000002D), ref: 00413D39
GetKeyState.USER32(0000000D), ref: 00413D41
GetKeyState.USER32(00000027), ref: 00413D49
GetKeyState.USER32(0000002D), ref: 00413D51
GetKeyState.USER32(0000000D), ref: 00413D59
GetKeyState.USER32(00000027), ref: 00413D61
GetKeyState.USER32(0000002D), ref: 00413D69
GetKeyState.USER32(0000000D), ref: 00413D71
GetKeyState.USER32(00000027), ref: 00413D79
GetKeyState.USER32(0000002D), ref: 00413D81
GetKeyState.USER32(0000000D), ref: 00413D89
GetKeyState.USER32(00000027), ref: 00413D91
GetKeyState.USER32(0000002D), ref: 00413D99
GetKeyState.USER32(0000000D), ref: 00413DA1
GetKeyState.USER32(00000027), ref: 00413DA9
GetKeyState.USER32(0000002D), ref: 00413DB1
GetKeyState.USER32(0000000D), ref: 00413DB9
GetKeyState.USER32(00000027), ref: 00413DC1
GetKeyState.USER32(0000002D), ref: 00413DC9
GetKeyState.USER32(0000000D), ref: 00413DD1
GetKeyState.USER32(00000027), ref: 00413DD9
GetKeyState.USER32(0000002D), ref: 00413DE1
GetKeyState.USER32(0000000D), ref: 00413DE9
GetKeyState.USER32(00000027), ref: 00413DF1
GetKeyState.USER32(0000002D), ref: 00413DF9
GetKeyState.USER32(0000000D), ref: 00413E01
GetKeyState.USER32(00000027), ref: 00413E09
GetKeyState.USER32(0000002D), ref: 00413E11
GetKeyState.USER32(0000000D), ref: 00413E19
GetKeyState.USER32(00000027), ref: 00413E21
GetKeyState.USER32(0000002D), ref: 00413E29
GetKeyState.USER32(0000000D), ref: 00413E31
GetKeyState.USER32(00000027), ref: 00413E39
GetKeyState.USER32(0000002D), ref: 00413E41
GetKeyState.USER32(0000000D), ref: 00413E49
GetKeyState.USER32(00000027), ref: 00413E51
GetKeyState.USER32(0000002D), ref: 00413E59
GetKeyState.USER32(0000000D), ref: 00413E61
GetKeyState.USER32(00000027), ref: 00413E69
GetKeyState.USER32(0000002D), ref: 00413E71
GetKeyState.USER32(0000000D), ref: 00413E79
GetKeyState.USER32(00000027), ref: 00413E81
GetKeyState.USER32(0000002D), ref: 00413E89
GetKeyState.USER32(0000000D), ref: 00413E91
GetKeyState.USER32(00000027), ref: 00413E99
GetKeyState.USER32(0000002D), ref: 00413EA1
GetKeyState.USER32(0000000D), ref: 00413EA9
GetKeyState.USER32(00000027), ref: 00413EB1
GetKeyState.USER32(0000002D), ref: 00413EB9
GetKeyState.USER32(0000000D), ref: 00413EC1
GetKeyState.USER32(00000027), ref: 00413EC9
GetKeyState.USER32(0000002D), ref: 00413ED1
GetKeyState.USER32(0000000D), ref: 00413ED9
GetKeyState.USER32(00000027), ref: 00413EE1
GetKeyState.USER32(0000002D), ref: 00413EE9
GetKeyState.USER32(0000000D), ref: 00413EF1
GetKeyState.USER32(00000027), ref: 00413EF9
GetKeyState.USER32(0000002D), ref: 00413F01
GetKeyState.USER32(0000000D), ref: 00413F09
GetKeyState.USER32(00000027), ref: 00413F11
GetKeyState.USER32(0000002D), ref: 00413F19
GetKeyState.USER32(0000000D), ref: 00413F21
GetKeyState.USER32(00000027), ref: 00413F29
GetKeyState.USER32(0000002D), ref: 00413F31
GetKeyState.USER32(0000000D), ref: 00413F39
GetKeyState.USER32(00000027), ref: 00413F41
GetKeyState.USER32(0000002D), ref: 00413F49
GetKeyState.USER32(0000000D), ref: 00413F51
GetKeyState.USER32(00000027), ref: 00413F59
GetKeyState.USER32(0000002D), ref: 00413F61
GetKeyState.USER32(0000000D), ref: 00413F69
GetKeyState.USER32(00000027), ref: 00413F71
GetKeyState.USER32(0000002D), ref: 00413F79
GetKeyState.USER32(0000000D), ref: 00413F81
GetKeyState.USER32(00000027), ref: 00413F89
GetKeyState.USER32(0000002D), ref: 00413F91
GetKeyState.USER32(0000000D), ref: 00413F99
GetKeyState.USER32(00000027), ref: 00413FA1
GetKeyState.USER32(0000002D), ref: 00413FA9
GetKeyState.USER32(0000000D), ref: 00413FB1
GetKeyState.USER32(00000027), ref: 00413FB9
GetKeyState.USER32(0000002D), ref: 00413FC1
GetKeyState.USER32(0000000D), ref: 00413FC9
GetKeyState.USER32(00000027), ref: 00413FD1
GetKeyState.USER32(0000002D), ref: 00413FD9
GetKeyState.USER32(0000000D), ref: 00413FE1
GetKeyState.USER32(00000027), ref: 00413FE9
GetKeyState.USER32(0000002D), ref: 00413FF1
GetKeyState.USER32(0000000D), ref: 00413FF9
GetKeyState.USER32(00000027), ref: 00414001
GetKeyState.USER32(0000002D), ref: 00414009
GetKeyState.USER32(0000000D), ref: 00414011
GetKeyState.USER32(00000027), ref: 00414019
GetKeyState.USER32(0000002D), ref: 00414021
GetKeyState.USER32(0000000D), ref: 00414029
GetKeyState.USER32(00000027), ref: 00414031
GetKeyState.USER32(0000002D), ref: 00414039
GetKeyState.USER32(0000000D), ref: 00414041
GetKeyState.USER32(00000027), ref: 00414049
GetKeyState.USER32(0000002D), ref: 00414051
GetKeyState.USER32(0000000D), ref: 00414059
GetKeyState.USER32(00000027), ref: 00414061
GetKeyState.USER32(0000002D), ref: 00414069
GetKeyState.USER32(0000000D), ref: 00414071
GetKeyState.USER32(00000027), ref: 00414079
GetKeyState.USER32(0000002D), ref: 00414081
GetKeyState.USER32(0000000D), ref: 00414089
GetKeyState.USER32(00000027), ref: 00414091
GetKeyState.USER32(0000002D), ref: 00414099
GetKeyState.USER32(0000000D), ref: 004140A1
GetKeyState.USER32(00000027), ref: 004140A9
GetKeyState.USER32(0000002D), ref: 004140B1
GetKeyState.USER32(0000000D), ref: 004140B9
GetKeyState.USER32(00000027), ref: 004140C1
GetKeyState.USER32(0000002D), ref: 004140C9
GetKeyState.USER32(0000000D), ref: 004140D1
GetKeyState.USER32(00000027), ref: 004140D9
GetKeyState.USER32(0000002D), ref: 004140E1
GetKeyState.USER32(0000000D), ref: 004140E9
GetKeyState.USER32(00000027), ref: 004140F1
GetKeyState.USER32(0000002D), ref: 004140F9
GetKeyState.USER32(0000000D), ref: 00414101
GetKeyState.USER32(00000027), ref: 00414109
GetKeyState.USER32(0000002D), ref: 00414111
GetKeyState.USER32(0000000D), ref: 00414119
GetKeyState.USER32(00000027), ref: 00414121
GetKeyState.USER32(0000002D), ref: 00414129
GetKeyState.USER32(0000000D), ref: 00414131
GetKeyState.USER32(00000027), ref: 00414139
GetKeyState.USER32(0000002D), ref: 00414141
GetKeyState.USER32(0000000D), ref: 00414149
GetKeyState.USER32(00000027), ref: 00414151
GetKeyState.USER32(0000002D), ref: 00414159
GetKeyState.USER32(0000000D), ref: 00414161
GetKeyState.USER32(00000027), ref: 00414169
GetKeyState.USER32(0000002D), ref: 00414171
GetKeyState.USER32(0000000D), ref: 00414179
GetKeyState.USER32(00000027), ref: 00414181
GetKeyState.USER32(0000002D), ref: 00414189
GetKeyState.USER32(0000000D), ref: 00414191
GetKeyState.USER32(00000027), ref: 00414199
GetKeyState.USER32(0000002D), ref: 004141A1
GetKeyState.USER32(0000000D), ref: 004141A9
GetKeyState.USER32(00000027), ref: 004141B1
GetKeyState.USER32(0000002D), ref: 004141B9
GetKeyState.USER32(0000000D), ref: 004141C1
GetKeyState.USER32(00000027), ref: 004141C9
GetKeyState.USER32(0000002D), ref: 004141D1
GetKeyState.USER32(0000000D), ref: 004141D9
GetKeyState.USER32(00000027), ref: 004141E1
GetKeyState.USER32(0000002D), ref: 004141E9
GetKeyState.USER32(0000000D), ref: 004141F1
GetKeyState.USER32(00000027), ref: 004141F9
GetKeyState.USER32(0000002D), ref: 00414201
GetKeyState.USER32(0000000D), ref: 00414209
GetKeyState.USER32(00000027), ref: 00414211
GetKeyState.USER32(0000002D), ref: 00414219
GetKeyState.USER32(0000000D), ref: 00414221
GetKeyState.USER32(00000027), ref: 00414229
GetKeyState.USER32(0000002D), ref: 00414231
GetKeyState.USER32(0000000D), ref: 00414239
GetKeyState.USER32(00000027), ref: 00414241
GetKeyState.USER32(0000002D), ref: 00414249
GetKeyState.USER32(0000000D), ref: 00414251
GetKeyState.USER32(00000027), ref: 00414259
GetKeyState.USER32(0000002D), ref: 00414261
GetKeyState.USER32(0000000D), ref: 00414269
GetKeyState.USER32(00000027), ref: 00414271
GetKeyState.USER32(0000002D), ref: 00414279
GetKeyState.USER32(0000000D), ref: 00414281
GetKeyState.USER32(00000027), ref: 00414289
GetKeyState.USER32(0000002D), ref: 00414291
GetKeyState.USER32(0000000D), ref: 00414299
GetKeyState.USER32(00000027), ref: 004142A1
GetKeyState.USER32(0000002D), ref: 004142A9
GetKeyState.USER32(0000000D), ref: 004142B1
GetKeyState.USER32(00000027), ref: 004142B9
GetKeyState.USER32(0000002D), ref: 004142C1
GetKeyState.USER32(0000000D), ref: 004142C9
GetKeyState.USER32(00000027), ref: 004142D1
GetKeyState.USER32(0000002D), ref: 004142D9
GetKeyState.USER32(0000000D), ref: 004142E1
GetKeyState.USER32(00000027), ref: 004142E9
GetKeyState.USER32(0000002D), ref: 004142F1
GetKeyState.USER32(0000000D), ref: 004142F9
GetKeyState.USER32(00000027), ref: 00414301
GetKeyState.USER32(0000002D), ref: 00414309
GetKeyState.USER32(0000000D), ref: 00414311
GetKeyState.USER32(00000027), ref: 00414319
GetKeyState.USER32(0000002D), ref: 00414321
GetKeyState.USER32(0000000D), ref: 00414329
GetKeyState.USER32(00000027), ref: 00414331
GetKeyState.USER32(0000002D), ref: 00414339
GetKeyState.USER32(0000000D), ref: 00414341
GetKeyState.USER32(00000027), ref: 00414349
GetKeyState.USER32(0000002D), ref: 00414351
GetKeyState.USER32(0000000D), ref: 00414359
GetKeyState.USER32(00000027), ref: 00414361
GetKeyState.USER32(0000002D), ref: 00414369
GetKeyState.USER32(0000000D), ref: 00414371
GetKeyState.USER32(00000027), ref: 00414379
GetKeyState.USER32(0000002D), ref: 00414381
GetKeyState.USER32(0000000D), ref: 00414389
GetKeyState.USER32(00000027), ref: 00414391
GetKeyState.USER32(0000002D), ref: 00414399
GetKeyState.USER32(0000000D), ref: 004143A1
GetKeyState.USER32(00000027), ref: 004143A9
GetKeyState.USER32(0000002D), ref: 004143B1
GetKeyState.USER32(0000000D), ref: 004143B9
GetKeyState.USER32(00000027), ref: 004143C1
GetKeyState.USER32(0000002D), ref: 004143C9
GetKeyState.USER32(0000000D), ref: 004143D1
GetKeyState.USER32(00000027), ref: 004143D9
GetKeyState.USER32(0000002D), ref: 004143E1
GetKeyState.USER32(0000000D), ref: 004143E9
GetKeyState.USER32(00000027), ref: 004143F1
GetKeyState.USER32(0000002D), ref: 004143F9
GetKeyState.USER32(0000000D), ref: 00414401
GetKeyState.USER32(00000027), ref: 00414409
GetKeyState.USER32(0000002D), ref: 00414411
GetKeyState.USER32(0000000D), ref: 00414419
GetKeyState.USER32(00000027), ref: 00414421
GetKeyState.USER32(0000002D), ref: 00414429
GetKeyState.USER32(0000000D), ref: 00414431
GetKeyState.USER32(00000027), ref: 00414439
GetKeyState.USER32(0000002D), ref: 00414441
GetKeyState.USER32(0000000D), ref: 00414449
GetKeyState.USER32(00000027), ref: 00414451
GetKeyState.USER32(0000002D), ref: 00414459
GetKeyState.USER32(0000000D), ref: 00414461
GetKeyState.USER32(00000027), ref: 00414469
GetKeyState.USER32(0000002D), ref: 00414471
GetKeyState.USER32(0000000D), ref: 00414479
GetKeyState.USER32(00000027), ref: 00414481
GetKeyState.USER32(0000002D), ref: 00414489
GetKeyState.USER32(0000000D), ref: 00414491
GetKeyState.USER32(00000027), ref: 00414499
GetKeyState.USER32(0000002D), ref: 004144A1
GetKeyState.USER32(0000000D), ref: 004144A9
GetKeyState.USER32(00000027), ref: 004144B1
GetKeyState.USER32(0000002D), ref: 004144B9
GetKeyState.USER32(0000000D), ref: 004144C1
GetKeyState.USER32(00000027), ref: 004144C9
GetKeyState.USER32(0000002D), ref: 004144D1
GetKeyState.USER32(0000000D), ref: 004144D9
GetKeyState.USER32(00000027), ref: 004144E1
GetKeyState.USER32(0000002D), ref: 004144E9
GetKeyState.USER32(0000000D), ref: 004144F1
GetKeyState.USER32(00000027), ref: 004144F9
GetKeyState.USER32(0000002D), ref: 00414501
GetKeyState.USER32(0000000D), ref: 00414509
GetKeyState.USER32(00000027), ref: 00414511
GetKeyState.USER32(0000002D), ref: 00414519
GetKeyState.USER32(0000000D), ref: 00414521
GetKeyState.USER32(00000027), ref: 00414529
GetKeyState.USER32(0000002D), ref: 00414531
GetKeyState.USER32(0000000D), ref: 00414539
GetKeyState.USER32(00000027), ref: 00414541
GetKeyState.USER32(0000002D), ref: 00414549
GetKeyState.USER32(0000000D), ref: 00414551
GetKeyState.USER32(00000027), ref: 00414559
GetKeyState.USER32(0000002D), ref: 00414561
GetKeyState.USER32(0000000D), ref: 00414569
GetKeyState.USER32(00000027), ref: 00414571
GetKeyState.USER32(0000002D), ref: 00414579
GetKeyState.USER32(0000000D), ref: 00414581
GetKeyState.USER32(00000027), ref: 00414589
GetKeyState.USER32(0000002D), ref: 00414591
GetKeyState.USER32(0000000D), ref: 00414599
GetKeyState.USER32(00000027), ref: 004145A1
GetKeyState.USER32(0000002D), ref: 004145A9
GetKeyState.USER32(0000000D), ref: 004145B1
GetKeyState.USER32(00000027), ref: 004145B9
GetKeyState.USER32(0000002D), ref: 004145C1
GetKeyState.USER32(0000000D), ref: 004145C9
GetKeyState.USER32(00000027), ref: 004145D1
GetKeyState.USER32(0000002D), ref: 004145D9
GetKeyState.USER32(0000000D), ref: 004145E1
GetKeyState.USER32(00000027), ref: 004145E9
GetKeyState.USER32(0000002D), ref: 004145F1
GetKeyState.USER32(0000000D), ref: 004145F9
GetKeyState.USER32(00000027), ref: 00414601
GetKeyState.USER32(0000002D), ref: 00414609
GetKeyState.USER32(0000000D), ref: 00414611
GetKeyState.USER32(00000027), ref: 00414619
GetKeyState.USER32(0000002D), ref: 00414621
GetKeyState.USER32(0000000D), ref: 00414629
GetKeyState.USER32(00000027), ref: 00414631
GetKeyState.USER32(0000002D), ref: 00414639
GetKeyState.USER32(0000000D), ref: 00414641
GetKeyState.USER32(00000027), ref: 00414649
GetKeyState.USER32(0000002D), ref: 00414651
GetKeyState.USER32(0000000D), ref: 00414659
GetKeyState.USER32(00000027), ref: 00414661
GetKeyState.USER32(0000002D), ref: 00414669
GetKeyState.USER32(0000000D), ref: 00414671
GetKeyState.USER32(00000027), ref: 00414679
GetKeyState.USER32(0000002D), ref: 00414681
GetKeyState.USER32(0000000D), ref: 00414689
GetKeyState.USER32(00000027), ref: 00414691
GetKeyState.USER32(0000002D), ref: 00414699
GetKeyState.USER32(0000000D), ref: 004146A1
GetKeyState.USER32(00000027), ref: 004146A9
GetKeyState.USER32(0000002D), ref: 004146B1
GetKeyState.USER32(0000000D), ref: 004146B9
GetKeyState.USER32(00000027), ref: 004146C1
GetKeyState.USER32(0000002D), ref: 004146C9
GetKeyState.USER32(0000000D), ref: 004146D1
GetKeyState.USER32(00000027), ref: 004146D9
GetKeyState.USER32(0000002D), ref: 004146E1
GetKeyState.USER32(0000000D), ref: 004146E9
GetKeyState.USER32(00000027), ref: 004146F1
GetKeyState.USER32(0000002D), ref: 004146F9
GetKeyState.USER32(0000000D), ref: 00414701
GetKeyState.USER32(00000027), ref: 00414709
GetKeyState.USER32(0000002D), ref: 00414711
GetKeyState.USER32(0000000D), ref: 00414719
GetKeyState.USER32(00000027), ref: 00414721
GetKeyState.USER32(0000002D), ref: 00414729
GetKeyState.USER32(0000000D), ref: 00414731
GetKeyState.USER32(00000027), ref: 00414739
GetKeyState.USER32(0000002D), ref: 00414741
GetKeyState.USER32(0000000D), ref: 00414749
GetKeyState.USER32(00000027), ref: 00414751
GetKeyState.USER32(0000002D), ref: 00414759
GetKeyState.USER32(0000000D), ref: 00414761
GetKeyState.USER32(00000027), ref: 00414769
GetKeyState.USER32(0000002D), ref: 00414771
GetKeyState.USER32(0000000D), ref: 00414779
GetKeyState.USER32(00000027), ref: 00414781
GetKeyState.USER32(0000002D), ref: 00414789
GetKeyState.USER32(0000000D), ref: 00414791
GetKeyState.USER32(00000027), ref: 00414799
GetKeyState.USER32(0000002D), ref: 004147A1
GetKeyState.USER32(0000000D), ref: 004147A9
GetKeyState.USER32(00000027), ref: 004147B1
GetKeyState.USER32(0000002D), ref: 004147B9
GetKeyState.USER32(0000000D), ref: 004147C1
GetKeyState.USER32(00000027), ref: 004147C9
GetKeyState.USER32(0000002D), ref: 004147D1
GetKeyState.USER32(0000000D), ref: 004147D9
GetKeyState.USER32(00000027), ref: 004147E1
GetKeyState.USER32(0000002D), ref: 004147E9
GetKeyState.USER32(0000000D), ref: 004147F1
GetKeyState.USER32(00000027), ref: 004147F9
GetKeyState.USER32(0000002D), ref: 00414801
GetKeyState.USER32(0000000D), ref: 00414809
GetKeyState.USER32(00000027), ref: 00414811
GetKeyState.USER32(0000002D), ref: 00414819
GetKeyState.USER32(0000000D), ref: 00414821
GetKeyState.USER32(00000027), ref: 00414829
GetKeyState.USER32(0000002D), ref: 00414831
GetKeyState.USER32(0000000D), ref: 00414839
GetKeyState.USER32(00000027), ref: 00414841
GetKeyState.USER32(0000002D), ref: 00414849
GetKeyState.USER32(0000000D), ref: 00414851
GetKeyState.USER32(00000027), ref: 00414859
GetKeyState.USER32(0000002D), ref: 00414861
GetKeyState.USER32(0000000D), ref: 00414869
GetKeyState.USER32(00000027), ref: 00414871
GetKeyState.USER32(0000002D), ref: 00414879
GetKeyState.USER32(0000000D), ref: 00414881
GetKeyState.USER32(00000027), ref: 00414889
GetKeyState.USER32(0000002D), ref: 00414891
GetKeyState.USER32(0000000D), ref: 00414899
GetKeyState.USER32(00000027), ref: 004148A1
GetKeyState.USER32(0000002D), ref: 004148A9
GetKeyState.USER32(0000000D), ref: 004148B1
GetKeyState.USER32(00000027), ref: 004148B9
GetKeyState.USER32(0000002D), ref: 004148C1
GetKeyState.USER32(0000000D), ref: 004148C9
GetKeyState.USER32(00000027), ref: 004148D1
GetKeyState.USER32(0000002D), ref: 004148D9
GetKeyState.USER32(0000000D), ref: 004148E1
GetKeyState.USER32(00000027), ref: 004148E9
GetKeyState.USER32(0000002D), ref: 004148F1
GetKeyState.USER32(0000000D), ref: 004148F9
GetKeyState.USER32(00000027), ref: 00414901
GetKeyState.USER32(0000002D), ref: 00414909
GetKeyState.USER32(0000000D), ref: 00414911
GetKeyState.USER32(00000027), ref: 00414919
GetKeyState.USER32(0000002D), ref: 00414921
GetKeyState.USER32(0000000D), ref: 00414929
GetKeyState.USER32(00000027), ref: 00414931
GetKeyState.USER32(0000002D), ref: 00414939
GetKeyState.USER32(0000000D), ref: 00414941
GetKeyState.USER32(00000027), ref: 00414949
GetKeyState.USER32(0000002D), ref: 00414951
GetKeyState.USER32(0000000D), ref: 00414959
GetKeyState.USER32(00000027), ref: 00414961
GetKeyState.USER32(0000002D), ref: 00414969
GetKeyState.USER32(0000000D), ref: 00414971
GetKeyState.USER32(00000027), ref: 00414979
GetKeyState.USER32(0000002D), ref: 00414981
GetKeyState.USER32(0000000D), ref: 00414989
GetKeyState.USER32(00000027), ref: 00414991
GetKeyState.USER32(0000002D), ref: 00414999
GetKeyState.USER32(0000000D), ref: 004149A1
GetKeyState.USER32(00000027), ref: 004149A9
GetKeyState.USER32(0000002D), ref: 004149B1
GetKeyState.USER32(0000000D), ref: 004149B9
GetKeyState.USER32(00000027), ref: 004149C1
GetKeyState.USER32(0000002D), ref: 004149C9
GetKeyState.USER32(0000000D), ref: 004149D1
GetKeyState.USER32(00000027), ref: 004149D9
GetKeyState.USER32(0000002D), ref: 004149E1
GetKeyState.USER32(0000000D), ref: 004149E9
GetKeyState.USER32(00000027), ref: 004149F1
GetKeyState.USER32(0000002D), ref: 004149F9
GetKeyState.USER32(0000000D), ref: 00414A01
GetKeyState.USER32(00000027), ref: 00414A09
GetKeyState.USER32(0000002D), ref: 00414A11
GetKeyState.USER32(0000000D), ref: 00414A19
GetKeyState.USER32(00000027), ref: 00414A21
GetKeyState.USER32(0000002D), ref: 00414A29
GetKeyState.USER32(0000000D), ref: 00414A31
GetKeyState.USER32(00000027), ref: 00414A39
GetKeyState.USER32(0000002D), ref: 00414A41
GetKeyState.USER32(0000000D), ref: 00414A49
GetKeyState.USER32(00000027), ref: 00414A51
GetKeyState.USER32(0000002D), ref: 00414A59
GetKeyState.USER32(0000000D), ref: 00414A61
GetKeyState.USER32(00000027), ref: 00414A69
GetKeyState.USER32(0000002D), ref: 00414A71
GetKeyState.USER32(0000000D), ref: 00414A79
GetKeyState.USER32(00000027), ref: 00414A81
GetKeyState.USER32(0000002D), ref: 00414A89
GetKeyState.USER32(0000000D), ref: 00414A91
GetKeyState.USER32(00000027), ref: 00414A99
GetKeyState.USER32(0000002D), ref: 00414AA1
GetKeyState.USER32(0000000D), ref: 00414AA9
GetKeyState.USER32(00000027), ref: 00414AB1
GetKeyState.USER32(0000002D), ref: 00414AB9
GetKeyState.USER32(0000000D), ref: 00414AC1
GetKeyState.USER32(00000027), ref: 00414AC9
GetKeyState.USER32(0000002D), ref: 00414AD1
GetKeyState.USER32(0000000D), ref: 00414AD9
GetKeyState.USER32(00000027), ref: 00414AE1
GetKeyState.USER32(0000002D), ref: 00414AE9
GetKeyState.USER32(0000000D), ref: 00414AF1
GetKeyState.USER32(00000027), ref: 00414AF9
GetKeyState.USER32(0000002D), ref: 00414B01
GetKeyState.USER32(0000000D), ref: 00414B09
GetKeyState.USER32(00000027), ref: 00414B11
GetKeyState.USER32(0000002D), ref: 00414B19
GetKeyState.USER32(0000000D), ref: 00414B21
GetKeyState.USER32(00000027), ref: 00414B29
GetKeyState.USER32(0000002D), ref: 00414B31
GetKeyState.USER32(0000000D), ref: 00414B39
GetKeyState.USER32(00000027), ref: 00414B41
GetKeyState.USER32(0000002D), ref: 00414B49
GetKeyState.USER32(0000000D), ref: 00414B51
GetKeyState.USER32(00000027), ref: 00414B59
GetKeyState.USER32(0000002D), ref: 00414B61
GetKeyState.USER32(0000000D), ref: 00414B69
GetKeyState.USER32(00000027), ref: 00414B71
GetKeyState.USER32(0000002D), ref: 00414B79
GetKeyState.USER32(0000000D), ref: 00414B81
GetKeyState.USER32(00000027), ref: 00414B89
GetKeyState.USER32(0000002D), ref: 00414B91
GetKeyState.USER32(0000000D), ref: 00414B99
GetKeyState.USER32(00000027), ref: 00414BA1
GetKeyState.USER32(0000002D), ref: 00414BA9
GetKeyState.USER32(0000000D), ref: 00414BB1
GetKeyState.USER32(00000027), ref: 00414BB9
GetKeyState.USER32(0000002D), ref: 00414BC1
GetKeyState.USER32(0000000D), ref: 00414BC9
GetKeyState.USER32(00000027), ref: 00414BD1
GetKeyState.USER32(0000002D), ref: 00414BD9
GetKeyState.USER32(0000000D), ref: 00414BE1
GetKeyState.USER32(00000027), ref: 00414BE9
GetKeyState.USER32(0000002D), ref: 00414BF1
GetKeyState.USER32(0000000D), ref: 00414BF9
GetKeyState.USER32(00000027), ref: 00414C01
GetKeyState.USER32(0000002D), ref: 00414C09
GetKeyState.USER32(0000000D), ref: 00414C11
GetKeyState.USER32(00000027), ref: 00414C19
GetKeyState.USER32(0000002D), ref: 00414C21
GetKeyState.USER32(0000000D), ref: 00414C29
GetKeyState.USER32(00000027), ref: 00414C31
GetKeyState.USER32(0000002D), ref: 00414C39
GetKeyState.USER32(0000000D), ref: 00414C41
GetKeyState.USER32(00000027), ref: 00414C49
GetKeyState.USER32(0000002D), ref: 00414C51
GetKeyState.USER32(0000000D), ref: 00414C59
GetKeyState.USER32(00000027), ref: 00414C61
GetKeyState.USER32(0000002D), ref: 00414C69
GetKeyState.USER32(0000000D), ref: 00414C71
GetKeyState.USER32(00000027), ref: 00414C79
GetKeyState.USER32(0000002D), ref: 00414C81
GetKeyState.USER32(0000000D), ref: 00414C89
GetKeyState.USER32(00000027), ref: 00414C91
GetKeyState.USER32(0000002D), ref: 00414C99
GetKeyState.USER32(0000000D), ref: 00414CA1
GetKeyState.USER32(00000027), ref: 00414CA9
GetKeyState.USER32(0000002D), ref: 00414CB1
GetKeyState.USER32(0000000D), ref: 00414CB9
GetKeyState.USER32(00000027), ref: 00414CC1
GetKeyState.USER32(0000002D), ref: 00414CC9
GetKeyState.USER32(0000000D), ref: 00414CD1
GetKeyState.USER32(00000027), ref: 00414CD9
GetKeyState.USER32(0000002D), ref: 00414CE1
GetKeyState.USER32(0000000D), ref: 00414CE9
GetKeyState.USER32(00000027), ref: 00414CF1
GetKeyState.USER32(0000002D), ref: 00414CF9
GetKeyState.USER32(0000000D), ref: 00414D01
GetKeyState.USER32(00000027), ref: 00414D09
GetKeyState.USER32(0000002D), ref: 00414D11
GetKeyState.USER32(0000000D), ref: 00414D19
GetKeyState.USER32(00000027), ref: 00414D21
GetKeyState.USER32(0000002D), ref: 00414D29
GetKeyState.USER32(0000000D), ref: 00414D31
GetKeyState.USER32(00000027), ref: 00414D39
GetKeyState.USER32(0000002D), ref: 00414D41
GetKeyState.USER32(0000000D), ref: 00414D49
GetKeyState.USER32(00000027), ref: 00414D51
GetKeyState.USER32(0000002D), ref: 00414D59
GetKeyState.USER32(0000000D), ref: 00414D61
GetKeyState.USER32(00000027), ref: 00414D69
GetKeyState.USER32(0000002D), ref: 00414D71
GetKeyState.USER32(0000000D), ref: 00414D79
GetKeyState.USER32(00000027), ref: 00414D81
GetKeyState.USER32(0000002D), ref: 00414D89
GetKeyState.USER32(0000000D), ref: 00414D91
GetKeyState.USER32(00000027), ref: 00414D99
GetKeyState.USER32(0000002D), ref: 00414DA1
GetKeyState.USER32(0000000D), ref: 00414DA9
GetKeyState.USER32(00000027), ref: 00414DB1
GetKeyState.USER32(0000002D), ref: 00414DB9
GetKeyState.USER32(0000000D), ref: 00414DC1
GetKeyState.USER32(00000027), ref: 00414DC9
GetKeyState.USER32(0000002D), ref: 00414DD1
GetKeyState.USER32(0000000D), ref: 00414DD9
GetKeyState.USER32(00000027), ref: 00414DE1
GetKeyState.USER32(0000002D), ref: 00414DE9
GetKeyState.USER32(0000000D), ref: 00414DF1
GetKeyState.USER32(00000027), ref: 00414DF9
GetKeyState.USER32(0000002D), ref: 00414E01
GetKeyState.USER32(0000000D), ref: 00414E09
GetKeyState.USER32(00000027), ref: 00414E11
GetKeyState.USER32(0000002D), ref: 00414E19
GetKeyState.USER32(0000000D), ref: 00414E21
GetKeyState.USER32(00000027), ref: 00414E29
GetKeyState.USER32(0000002D), ref: 00414E31
GetKeyState.USER32(0000000D), ref: 00414E39
GetKeyState.USER32(00000027), ref: 00414E41
GetKeyState.USER32(0000002D), ref: 00414E49
GetKeyState.USER32(0000000D), ref: 00414E51
GetKeyState.USER32(00000027), ref: 00414E59
GetKeyState.USER32(0000002D), ref: 00414E61
GetKeyState.USER32(0000000D), ref: 00414E69
GetKeyState.USER32(00000027), ref: 00414E71
GetKeyState.USER32(0000002D), ref: 00414E79
GetKeyState.USER32(0000000D), ref: 00414E81
GetKeyState.USER32(00000027), ref: 00414E89
GetKeyState.USER32(0000002D), ref: 00414E91
GetKeyState.USER32(0000000D), ref: 00414E99
GetKeyState.USER32(00000027), ref: 00414EA1
GetKeyState.USER32(0000002D), ref: 00414EA9
GetKeyState.USER32(0000000D), ref: 00414EB1
GetKeyState.USER32(00000027), ref: 00414EB9
GetKeyState.USER32(0000002D), ref: 00414EC1
GetKeyState.USER32(0000000D), ref: 00414EC9
GetKeyState.USER32(00000027), ref: 00414ED1
GetKeyState.USER32(0000002D), ref: 00414ED9
GetKeyState.USER32(0000000D), ref: 00414EE1
GetKeyState.USER32(00000027), ref: 00414EE9
GetKeyState.USER32(0000002D), ref: 00414EF1
GetKeyState.USER32(0000000D), ref: 00414EF9
GetKeyState.USER32(00000027), ref: 00414F01
GetKeyState.USER32(0000002D), ref: 00414F09
GetKeyState.USER32(0000000D), ref: 00414F11
GetKeyState.USER32(00000027), ref: 00414F19
GetKeyState.USER32(0000002D), ref: 00414F21
GetKeyState.USER32(0000000D), ref: 00414F29
GetKeyState.USER32(00000027), ref: 00414F31
GetKeyState.USER32(0000002D), ref: 00414F39
GetKeyState.USER32(0000000D), ref: 00414F41
GetKeyState.USER32(00000027), ref: 00414F49
GetKeyState.USER32(0000002D), ref: 00414F51
GetKeyState.USER32(0000000D), ref: 00414F59
GetKeyState.USER32(00000027), ref: 00414F61
GetKeyState.USER32(0000002D), ref: 00414F69
GetKeyState.USER32(0000000D), ref: 00414F71
GetKeyState.USER32(00000027), ref: 00414F79
GetKeyState.USER32(0000002D), ref: 00414F81
GetKeyState.USER32(0000000D), ref: 00414F89
GetKeyState.USER32(00000027), ref: 00414F91
GetKeyState.USER32(0000002D), ref: 00414F99
GetKeyState.USER32(0000000D), ref: 00414FA1
GetKeyState.USER32(00000027), ref: 00414FA9
GetKeyState.USER32(0000002D), ref: 00414FB1
GetKeyState.USER32(0000000D), ref: 00414FB9
GetKeyState.USER32(00000027), ref: 00414FC1
GetKeyState.USER32(0000002D), ref: 00414FD1
GetKeyState.USER32(0000000D), ref: 00414FD9
GetKeyState.USER32(00000027), ref: 00414FE1
GetKeyState.USER32(0000002D), ref: 00414FE9
GetKeyState.USER32(0000000D), ref: 00414FF1
GetKeyState.USER32(00000027), ref: 00414FF9
GetKeyState.USER32(0000002D), ref: 00415001
GetKeyState.USER32(0000000D), ref: 00415009
GetKeyState.USER32(00000027), ref: 00415011
GetKeyState.USER32(0000002D), ref: 00415019
GetKeyState.USER32(0000000D), ref: 00415021
GetKeyState.USER32(00000027), ref: 00415029
GetKeyState.USER32(0000002D), ref: 00415031
GetKeyState.USER32(0000000D), ref: 00415039
GetKeyState.USER32(00000027), ref: 00415041
GetKeyState.USER32(0000002D), ref: 00415049
GetKeyState.USER32(0000000D), ref: 00415051
GetKeyState.USER32(00000027), ref: 00415059
GetKeyState.USER32(0000002D), ref: 00415061
GetKeyState.USER32(0000000D), ref: 00415069
GetKeyState.USER32(00000027), ref: 00415071
GetKeyState.USER32(0000002D), ref: 00415079
GetKeyState.USER32(0000000D), ref: 00415081
GetKeyState.USER32(00000027), ref: 00415089
GetKeyState.USER32(0000002D), ref: 00415091
GetKeyState.USER32(0000000D), ref: 00415099
GetKeyState.USER32(00000027), ref: 004150A1
GetKeyState.USER32(0000002D), ref: 004150A9
GetKeyState.USER32(0000000D), ref: 004150B1
GetKeyState.USER32(00000027), ref: 004150B9
GetKeyState.USER32(0000002D), ref: 004150C1
GetKeyState.USER32(0000000D), ref: 004150C9
GetKeyState.USER32(00000027), ref: 004150D1
GetKeyState.USER32(0000002D), ref: 004150D9
GetKeyState.USER32(0000000D), ref: 004150E1
GetKeyState.USER32(00000027), ref: 004150E9
GetKeyState.USER32(0000002D), ref: 004150F1
GetKeyState.USER32(0000000D), ref: 004150F9
GetKeyState.USER32(00000027), ref: 00415101
GetKeyState.USER32(0000002D), ref: 00415109
GetKeyState.USER32(0000000D), ref: 00415111
GetKeyState.USER32(00000027), ref: 00415119
GetKeyState.USER32(0000002D), ref: 00415121
GetKeyState.USER32(0000000D), ref: 00415129
GetKeyState.USER32(00000027), ref: 00415131
GetKeyState.USER32(0000002D), ref: 00415139
GetKeyState.USER32(0000000D), ref: 00415141
GetKeyState.USER32(00000027), ref: 00415149
GetKeyState.USER32(0000002D), ref: 00415151
GetKeyState.USER32(0000000D), ref: 00415159
GetKeyState.USER32(00000027), ref: 00415161
GetKeyState.USER32(0000002D), ref: 00415169
GetKeyState.USER32(0000000D), ref: 00415171
GetKeyState.USER32(00000027), ref: 00415179
GetKeyState.USER32(0000002D), ref: 00415181
GetKeyState.USER32(0000000D), ref: 00415189
GetKeyState.USER32(00000027), ref: 00415191
GetKeyState.USER32(0000002D), ref: 00415199
GetKeyState.USER32(0000000D), ref: 004151A1
GetKeyState.USER32(00000027), ref: 004151A9
GetKeyState.USER32(0000002D), ref: 004151B1
GetKeyState.USER32(0000000D), ref: 004151B9
GetKeyState.USER32(00000027), ref: 004151C1
GetKeyState.USER32(0000002D), ref: 004151C9
GetKeyState.USER32(0000000D), ref: 004151D1
GetKeyState.USER32(00000027), ref: 004151D9
GetKeyState.USER32(0000002D), ref: 004151E1
GetKeyState.USER32(0000000D), ref: 004151E9
GetKeyState.USER32(00000027), ref: 004151F1
GetKeyState.USER32(0000002D), ref: 004151F9
GetKeyState.USER32(0000000D), ref: 00415201
GetKeyState.USER32(00000027), ref: 00415209
GetKeyState.USER32(0000002D), ref: 00415211
GetKeyState.USER32(0000000D), ref: 00415219
GetKeyState.USER32(00000027), ref: 00415221
GetKeyState.USER32(0000002D), ref: 00415229
GetKeyState.USER32(0000000D), ref: 00415231
GetKeyState.USER32(00000027), ref: 00415239
GetKeyState.USER32(0000002D), ref: 00415241
GetKeyState.USER32(0000000D), ref: 00415249
GetKeyState.USER32(00000027), ref: 00415251
GetKeyState.USER32(0000002D), ref: 00415259
GetKeyState.USER32(0000000D), ref: 00415261
GetKeyState.USER32(00000027), ref: 00415269
GetKeyState.USER32(0000002D), ref: 00415271
GetKeyState.USER32(0000000D), ref: 00415279
GetKeyState.USER32(00000027), ref: 00415281
GetKeyState.USER32(0000002D), ref: 00415289
GetKeyState.USER32(0000000D), ref: 00415291
GetKeyState.USER32(00000027), ref: 00415299
GetKeyState.USER32(0000002D), ref: 004152A1
GetKeyState.USER32(0000000D), ref: 004152A9
GetKeyState.USER32(00000027), ref: 004152B1
GetKeyState.USER32(0000002D), ref: 004152B9
GetKeyState.USER32(0000000D), ref: 004152C1
GetKeyState.USER32(00000027), ref: 004152C9
GetKeyState.USER32(0000002D), ref: 004152D1
GetKeyState.USER32(0000000D), ref: 004152D9
GetKeyState.USER32(00000027), ref: 004152E1
GetKeyState.USER32(0000002D), ref: 004152E9
GetKeyState.USER32(0000000D), ref: 004152F1
GetKeyState.USER32(00000027), ref: 004152F9
GetKeyState.USER32(0000002D), ref: 00415301
GetKeyState.USER32(0000000D), ref: 00415309
GetKeyState.USER32(00000027), ref: 00415311
GetKeyState.USER32(0000002D), ref: 00415319
GetKeyState.USER32(0000000D), ref: 00415321
GetKeyState.USER32(00000027), ref: 00415329
GetKeyState.USER32(0000002D), ref: 00415331
GetKeyState.USER32(0000000D), ref: 00415339
GetKeyState.USER32(00000027), ref: 00415341
GetKeyState.USER32(0000002D), ref: 00415349
GetKeyState.USER32(0000000D), ref: 00415351
GetKeyState.USER32(00000027), ref: 00415359
GetKeyState.USER32(0000002D), ref: 00415361
GetKeyState.USER32(0000000D), ref: 00415369
GetKeyState.USER32(00000027), ref: 00415371
GetKeyState.USER32(0000002D), ref: 00415379
GetKeyState.USER32(0000000D), ref: 00415381
GetKeyState.USER32(00000027), ref: 00415389
GetKeyState.USER32(0000002D), ref: 00415391
GetKeyState.USER32(0000000D), ref: 00415399
GetKeyState.USER32(00000027), ref: 004153A1
GetKeyState.USER32(0000002D), ref: 004153A9
GetKeyState.USER32(0000000D), ref: 004153B1
GetKeyState.USER32(00000027), ref: 004153B9
GetKeyState.USER32(0000002D), ref: 004153C1
GetKeyState.USER32(0000000D), ref: 004153C9
GetKeyState.USER32(00000027), ref: 004153D1
GetKeyState.USER32(0000002D), ref: 004153D9
GetKeyState.USER32(0000000D), ref: 004153E1
GetKeyState.USER32(00000027), ref: 004153E9
GetKeyState.USER32(0000002D), ref: 004153F1
GetKeyState.USER32(0000000D), ref: 004153F9
GetKeyState.USER32(00000027), ref: 00415401
GetKeyState.USER32(0000002D), ref: 00415409
GetKeyState.USER32(0000000D), ref: 00415411
GetKeyState.USER32(00000027), ref: 00415419
GetKeyState.USER32(0000002D), ref: 00415421
GetKeyState.USER32(0000000D), ref: 00415429
GetKeyState.USER32(00000027), ref: 00415431
GetKeyState.USER32(0000002D), ref: 00415439
GetKeyState.USER32(0000000D), ref: 00415441
GetKeyState.USER32(00000027), ref: 00415449
GetKeyState.USER32(0000002D), ref: 00415451
GetKeyState.USER32(0000000D), ref: 00415459
GetKeyState.USER32(00000027), ref: 00415461
GetKeyState.USER32(0000002D), ref: 00415469
GetKeyState.USER32(0000000D), ref: 00415471
GetKeyState.USER32(00000027), ref: 00415479
GetKeyState.USER32(0000002D), ref: 00415481
GetKeyState.USER32(0000000D), ref: 00415489
GetKeyState.USER32(00000027), ref: 00415491
GetKeyState.USER32(0000002D), ref: 00415499
GetKeyState.USER32(0000000D), ref: 004154A1
GetKeyState.USER32(00000027), ref: 004154A9
GetKeyState.USER32(0000002D), ref: 004154B1
GetKeyState.USER32(0000000D), ref: 004154B9
GetKeyState.USER32(00000027), ref: 004154C1
GetKeyState.USER32(0000002D), ref: 004154C9
GetKeyState.USER32(0000000D), ref: 004154D1
GetKeyState.USER32(00000027), ref: 004154D9
GetKeyState.USER32(0000002D), ref: 004154E1
GetKeyState.USER32(0000000D), ref: 004154E9
GetKeyState.USER32(00000027), ref: 004154F1
GetKeyState.USER32(0000002D), ref: 004154F9
GetKeyState.USER32(0000000D), ref: 00415501
GetKeyState.USER32(00000027), ref: 00415509
GetKeyState.USER32(0000002D), ref: 00415511
GetKeyState.USER32(0000000D), ref: 00415519
GetKeyState.USER32(00000027), ref: 00415521
GetKeyState.USER32(0000002D), ref: 00415529
GetKeyState.USER32(0000000D), ref: 00415531
GetKeyState.USER32(00000027), ref: 00415539
GetKeyState.USER32(0000002D), ref: 00415541
GetKeyState.USER32(0000000D), ref: 00415549
GetKeyState.USER32(00000027), ref: 00415551
GetKeyState.USER32(0000002D), ref: 00415559
GetKeyState.USER32(0000000D), ref: 00415561
GetKeyState.USER32(00000027), ref: 00415569
GetKeyState.USER32(0000002D), ref: 00415571
GetKeyState.USER32(0000000D), ref: 00415579
GetKeyState.USER32(00000027), ref: 00415581
GetKeyState.USER32(0000002D), ref: 00415589
GetKeyState.USER32(0000000D), ref: 00415591
GetKeyState.USER32(00000027), ref: 00415599
GetKeyState.USER32(0000002D), ref: 004155A1
GetKeyState.USER32(0000000D), ref: 004155A9
GetKeyState.USER32(00000027), ref: 004155B1
GetKeyState.USER32(0000002D), ref: 004155B9
GetKeyState.USER32(0000000D), ref: 004155C1
GetKeyState.USER32(00000027), ref: 004155C9
GetKeyState.USER32(0000002D), ref: 004155D1
GetKeyState.USER32(0000000D), ref: 004155D9
GetKeyState.USER32(00000027), ref: 004155E1
GetKeyState.USER32(0000002D), ref: 004155E9
GetKeyState.USER32(0000000D), ref: 004155F1
GetKeyState.USER32(00000027), ref: 004155F9
GetKeyState.USER32(0000002D), ref: 00415601
GetKeyState.USER32(0000000D), ref: 00415609
GetKeyState.USER32(00000027), ref: 00415611
GetKeyState.USER32(0000002D), ref: 00415619
GetKeyState.USER32(0000000D), ref: 00415621
GetKeyState.USER32(00000027), ref: 00415629
GetKeyState.USER32(0000002D), ref: 00415631
GetKeyState.USER32(0000000D), ref: 00415639
GetKeyState.USER32(00000027), ref: 00415641
GetKeyState.USER32(0000002D), ref: 00415649
GetKeyState.USER32(0000000D), ref: 00415651
GetKeyState.USER32(00000027), ref: 00415659
GetKeyState.USER32(0000002D), ref: 00415661
GetKeyState.USER32(0000000D), ref: 00415669
GetKeyState.USER32(00000027), ref: 00415671
GetKeyState.USER32(0000002D), ref: 00415679
GetKeyState.USER32(0000000D), ref: 00415681
GetKeyState.USER32(00000027), ref: 00415689
GetKeyState.USER32(0000002D), ref: 00415691
GetKeyState.USER32(0000000D), ref: 00415699
GetKeyState.USER32(00000027), ref: 004156A1
GetKeyState.USER32(0000002D), ref: 004156A9
GetKeyState.USER32(0000000D), ref: 004156B1
GetKeyState.USER32(00000027), ref: 004156B9
GetKeyState.USER32(0000002D), ref: 004156C1
GetKeyState.USER32(0000000D), ref: 004156C9
GetKeyState.USER32(00000027), ref: 004156D1
GetKeyState.USER32(0000002D), ref: 004156D9
GetKeyState.USER32(0000000D), ref: 004156E1
GetKeyState.USER32(00000027), ref: 004156E9
GetKeyState.USER32(0000002D), ref: 004156F1
GetKeyState.USER32(0000000D), ref: 004156F9
GetKeyState.USER32(00000027), ref: 00415701
GetKeyState.USER32(0000002D), ref: 00415709
GetKeyState.USER32(0000000D), ref: 00415711
GetKeyState.USER32(00000027), ref: 00415719
GetKeyState.USER32(0000002D), ref: 00415721
GetKeyState.USER32(0000000D), ref: 00415729
GetKeyState.USER32(00000027), ref: 00415731
GetKeyState.USER32(0000002D), ref: 00415739
GetKeyState.USER32(0000000D), ref: 00415741
GetKeyState.USER32(00000027), ref: 00415749
GetKeyState.USER32(0000002D), ref: 00415751
GetKeyState.USER32(0000000D), ref: 00415759
GetKeyState.USER32(00000027), ref: 00415761
GetKeyState.USER32(0000002D), ref: 00415769
GetKeyState.USER32(0000000D), ref: 00415771
GetKeyState.USER32(00000027), ref: 00415779
GetKeyState.USER32(0000002D), ref: 00415781
GetKeyState.USER32(0000000D), ref: 00415789
GetKeyState.USER32(00000027), ref: 00415791
GetKeyState.USER32(0000002D), ref: 00415799
GetKeyState.USER32(0000000D), ref: 004157A1
GetKeyState.USER32(00000027), ref: 004157A9
GetKeyState.USER32(0000002D), ref: 004157B1
GetKeyState.USER32(0000000D), ref: 004157B9
GetKeyState.USER32(00000027), ref: 004157C1
GetKeyState.USER32(0000002D), ref: 004157C9
GetKeyState.USER32(0000000D), ref: 004157D1
GetKeyState.USER32(00000027), ref: 004157D9
GetKeyState.USER32(0000002D), ref: 004157E1
GetKeyState.USER32(0000000D), ref: 004157E9
GetKeyState.USER32(00000027), ref: 004157F1
GetKeyState.USER32(0000002D), ref: 004157F9
GetKeyState.USER32(0000000D), ref: 00415801
GetKeyState.USER32(00000027), ref: 00415809
GetKeyState.USER32(0000002D), ref: 00415811
GetKeyState.USER32(0000000D), ref: 00415819
GetKeyState.USER32(00000027), ref: 00415821
GetKeyState.USER32(0000002D), ref: 00415829
GetKeyState.USER32(0000000D), ref: 00415831
GetKeyState.USER32(00000027), ref: 00415839
GetKeyState.USER32(0000002D), ref: 00415841
GetKeyState.USER32(0000000D), ref: 00415849
GetKeyState.USER32(00000027), ref: 00415851
GetKeyState.USER32(0000002D), ref: 00415859
GetKeyState.USER32(0000000D), ref: 00415861
GetKeyState.USER32(00000027), ref: 00415869
GetKeyState.USER32(0000002D), ref: 00415871
GetKeyState.USER32(0000000D), ref: 00415879
GetKeyState.USER32(00000027), ref: 00415881
GetKeyState.USER32(0000002D), ref: 00415889
GetKeyState.USER32(0000000D), ref: 00415891
GetKeyState.USER32(00000027), ref: 00415899
GetKeyState.USER32(0000002D), ref: 004158A1
GetKeyState.USER32(0000000D), ref: 004158A9
GetKeyState.USER32(00000027), ref: 004158B1
GetKeyState.USER32(0000002D), ref: 004158B9
GetKeyState.USER32(0000000D), ref: 004158C1
GetKeyState.USER32(00000027), ref: 004158C9
GetKeyState.USER32(0000002D), ref: 004158D1
GetKeyState.USER32(0000000D), ref: 004158D9
GetKeyState.USER32(00000027), ref: 004158E1
GetKeyState.USER32(0000002D), ref: 004158E9
GetKeyState.USER32(0000000D), ref: 004158F1
GetKeyState.USER32(00000027), ref: 004158F9
GetKeyState.USER32(0000002D), ref: 00415901
GetKeyState.USER32(0000000D), ref: 00415909
GetKeyState.USER32(00000027), ref: 00415911
GetKeyState.USER32(0000002D), ref: 00415919
GetKeyState.USER32(0000000D), ref: 00415921
GetKeyState.USER32(00000027), ref: 00415929
GetKeyState.USER32(0000002D), ref: 00415931
GetKeyState.USER32(0000000D), ref: 00415939
GetKeyState.USER32(00000027), ref: 00415941
GetKeyState.USER32(0000002D), ref: 00415949
GetKeyState.USER32(0000000D), ref: 00415951
GetKeyState.USER32(00000027), ref: 00415959
GetKeyState.USER32(0000002D), ref: 00415961
GetKeyState.USER32(0000000D), ref: 00415969
GetKeyState.USER32(00000027), ref: 00415971
GetKeyState.USER32(0000002D), ref: 00415979
GetKeyState.USER32(0000000D), ref: 00415981
GetKeyState.USER32(00000027), ref: 00415989
GetKeyState.USER32(0000002D), ref: 00415991
GetKeyState.USER32(0000000D), ref: 00415999
GetKeyState.USER32(00000027), ref: 004159A1
GetKeyState.USER32(0000002D), ref: 004159A9
GetKeyState.USER32(0000000D), ref: 004159B1
GetKeyState.USER32(00000027), ref: 004159B9
GetKeyState.USER32(0000002D), ref: 004159C1
GetKeyState.USER32(0000000D), ref: 004159C9
GetKeyState.USER32(00000027), ref: 004159D1
GetKeyState.USER32(0000002D), ref: 004159D9
GetKeyState.USER32(0000000D), ref: 004159E1
GetKeyState.USER32(00000027), ref: 004159E9
GetKeyState.USER32(0000002D), ref: 004159F1
GetKeyState.USER32(0000000D), ref: 004159F9
GetKeyState.USER32(00000027), ref: 00415A01
GetKeyState.USER32(0000002D), ref: 00415A09
GetKeyState.USER32(0000000D), ref: 00415A11
GetKeyState.USER32(00000027), ref: 00415A19
GetKeyState.USER32(0000002D), ref: 00415A21
GetKeyState.USER32(0000000D), ref: 00415A29
GetKeyState.USER32(00000027), ref: 00415A31
GetKeyState.USER32(0000002D), ref: 00415A39
GetKeyState.USER32(0000000D), ref: 00415A41
GetKeyState.USER32(00000027), ref: 00415A49
GetKeyState.USER32(0000002D), ref: 00415A51
GetKeyState.USER32(0000000D), ref: 00415A59
GetKeyState.USER32(00000027), ref: 00415A61
GetKeyState.USER32(0000002D), ref: 00415A69
GetKeyState.USER32(0000000D), ref: 00415A71
GetKeyState.USER32(00000027), ref: 00415A79
GetKeyState.USER32(0000002D), ref: 00415A81
GetKeyState.USER32(0000000D), ref: 00415A89
GetKeyState.USER32(00000027), ref: 00415A91
GetKeyState.USER32(0000002D), ref: 00415A99
GetKeyState.USER32(0000000D), ref: 00415AA1
GetKeyState.USER32(00000027), ref: 00415AA9
GetKeyState.USER32(0000002D), ref: 00415AB1
GetKeyState.USER32(0000000D), ref: 00415AB9
GetKeyState.USER32(00000027), ref: 00415AC1
GetKeyState.USER32(0000002D), ref: 00415AC9
GetKeyState.USER32(0000000D), ref: 00415AD1
GetKeyState.USER32(00000027), ref: 00415AD9
GetKeyState.USER32(0000002D), ref: 00415AE1
GetKeyState.USER32(0000000D), ref: 00415AE9
GetKeyState.USER32(00000027), ref: 00415AF1
GetKeyState.USER32(0000002D), ref: 00415AF9
GetKeyState.USER32(0000000D), ref: 00415B01
GetKeyState.USER32(00000027), ref: 00415B09
GetKeyState.USER32(0000002D), ref: 00415B11
GetKeyState.USER32(0000000D), ref: 00415B19
GetKeyState.USER32(00000027), ref: 00415B21
GetKeyState.USER32(0000002D), ref: 00415B29
GetKeyState.USER32(0000000D), ref: 00415B31
GetKeyState.USER32(00000027), ref: 00415B39
GetKeyState.USER32(0000002D), ref: 00415B41
GetKeyState.USER32(0000000D), ref: 00415B49
GetKeyState.USER32(00000027), ref: 00415B51
GetKeyState.USER32(0000002D), ref: 00415B59
GetKeyState.USER32(0000000D), ref: 00415B61
GetKeyState.USER32(00000027), ref: 00415B69
GetKeyState.USER32(0000002D), ref: 00415B71
GetKeyState.USER32(0000000D), ref: 00415B79
GetKeyState.USER32(00000027), ref: 00415B81
GetKeyState.USER32(0000002D), ref: 00415B89
GetKeyState.USER32(0000000D), ref: 00415B91
GetKeyState.USER32(00000027), ref: 00415B99
GetKeyState.USER32(0000002D), ref: 00415BA1
GetKeyState.USER32(0000000D), ref: 00415BA9
GetKeyState.USER32(00000027), ref: 00415BB1
GetKeyState.USER32(0000002D), ref: 00415BB9
GetKeyState.USER32(0000000D), ref: 00415BC1
GetKeyState.USER32(00000027), ref: 00415BC9
GetKeyState.USER32(0000002D), ref: 00415BD1
GetKeyState.USER32(0000000D), ref: 00415BD9
GetKeyState.USER32(00000027), ref: 00415BE1
GetKeyState.USER32(0000002D), ref: 00415BE9
GetKeyState.USER32(0000000D), ref: 00415BF1
GetKeyState.USER32(00000027), ref: 00415BF9
GetKeyState.USER32(0000002D), ref: 00415C01
GetKeyState.USER32(0000000D), ref: 00415C09
GetKeyState.USER32(00000027), ref: 00415C11
GetKeyState.USER32(0000002D), ref: 00415C19
GetKeyState.USER32(0000000D), ref: 00415C21
GetKeyState.USER32(00000027), ref: 00415C29
GetKeyState.USER32(0000002D), ref: 00415C31
GetKeyState.USER32(0000000D), ref: 00415C39
GetKeyState.USER32(00000027), ref: 00415C41
GetKeyState.USER32(0000002D), ref: 00415C49
GetKeyState.USER32(0000000D), ref: 00415C51
GetKeyState.USER32(00000027), ref: 00415C59
GetKeyState.USER32(0000002D), ref: 00415C61
GetKeyState.USER32(0000000D), ref: 00415C69
GetKeyState.USER32(00000027), ref: 00415C71
GetKeyState.USER32(0000002D), ref: 00415C79
GetKeyState.USER32(0000000D), ref: 00415C81
GetKeyState.USER32(00000027), ref: 00415C89
GetKeyState.USER32(0000002D), ref: 00415C91
GetKeyState.USER32(0000000D), ref: 00415C99
GetKeyState.USER32(00000027), ref: 00415CA1
GetKeyState.USER32(0000002D), ref: 00415CA9
GetKeyState.USER32(0000000D), ref: 00415CB1
GetKeyState.USER32(00000027), ref: 00415CB9
GetKeyState.USER32(0000002D), ref: 00415CC1
GetKeyState.USER32(0000000D), ref: 00415CC9
GetKeyState.USER32(00000027), ref: 00415CD1
GetKeyState.USER32(0000002D), ref: 00415CD9
GetKeyState.USER32(0000000D), ref: 00415CE1
GetKeyState.USER32(00000027), ref: 00415CE9
GetKeyState.USER32(0000002D), ref: 00415CF1
GetKeyState.USER32(0000000D), ref: 00415CF9
GetKeyState.USER32(00000027), ref: 00415D01
GetKeyState.USER32(0000002D), ref: 00415D09
GetKeyState.USER32(0000000D), ref: 00415D11
GetKeyState.USER32(00000027), ref: 00415D19
GetKeyState.USER32(0000002D), ref: 00415D21
GetKeyState.USER32(0000000D), ref: 00415D29
GetKeyState.USER32(00000027), ref: 00415D31
GetKeyState.USER32(0000002D), ref: 00415D39
GetKeyState.USER32(0000000D), ref: 00415D41
GetKeyState.USER32(00000027), ref: 00415D49
GetKeyState.USER32(0000002D), ref: 00415D51
GetKeyState.USER32(0000000D), ref: 00415D59
GetKeyState.USER32(00000027), ref: 00415D61
GetKeyState.USER32(0000002D), ref: 00415D69
GetKeyState.USER32(0000000D), ref: 00415D71
GetKeyState.USER32(00000027), ref: 00415D79
GetKeyState.USER32(0000002D), ref: 00415D81
GetKeyState.USER32(0000000D), ref: 00415D89
GetKeyState.USER32(00000027), ref: 00415D91
GetKeyState.USER32(0000002D), ref: 00415D99
GetKeyState.USER32(0000000D), ref: 00415DA1
GetKeyState.USER32(00000027), ref: 00415DA9
GetKeyState.USER32(0000002D), ref: 00415DB1
GetKeyState.USER32(0000000D), ref: 00415DB9
GetKeyState.USER32(00000027), ref: 00415DC1
GetKeyState.USER32(0000002D), ref: 00415DC9
GetKeyState.USER32(0000000D), ref: 00415DD1
GetKeyState.USER32(00000027), ref: 00415DD9
GetKeyState.USER32(0000002D), ref: 00415DE1
GetKeyState.USER32(0000000D), ref: 00415DE9
GetKeyState.USER32(00000027), ref: 00415DF1
GetKeyState.USER32(0000002D), ref: 00415DF9
GetKeyState.USER32(0000000D), ref: 00415E01
GetKeyState.USER32(00000027), ref: 00415E09
GetKeyState.USER32(0000002D), ref: 00415E11
GetKeyState.USER32(0000000D), ref: 00415E19
GetKeyState.USER32(00000027), ref: 00415E21
GetKeyState.USER32(0000002D), ref: 00415E29
GetKeyState.USER32(0000000D), ref: 00415E31
GetKeyState.USER32(00000027), ref: 00415E39
GetKeyState.USER32(0000002D), ref: 00415E41
GetKeyState.USER32(0000000D), ref: 00415E49
GetKeyState.USER32(00000027), ref: 00415E51
GetKeyState.USER32(0000002D), ref: 00415E59
GetKeyState.USER32(0000000D), ref: 00415E61
GetKeyState.USER32(00000027), ref: 00415E69
GetKeyState.USER32(0000002D), ref: 00415E71
GetKeyState.USER32(0000000D), ref: 00415E79
GetKeyState.USER32(00000027), ref: 00415E81
GetKeyState.USER32(0000002D), ref: 00415E89
GetKeyState.USER32(0000000D), ref: 00415E91
GetKeyState.USER32(00000027), ref: 00415E99
GetKeyState.USER32(0000002D), ref: 00415EA1
GetKeyState.USER32(0000000D), ref: 00415EA9
GetKeyState.USER32(00000027), ref: 00415EB1
GetKeyState.USER32(0000002D), ref: 00415EB9
GetKeyState.USER32(0000000D), ref: 00415EC1
GetKeyState.USER32(00000027), ref: 00415EC9
GetKeyState.USER32(0000002D), ref: 00415ED1
GetKeyState.USER32(0000000D), ref: 00415ED9
GetKeyState.USER32(00000027), ref: 00415EE1
GetKeyState.USER32(0000002D), ref: 00415EE9
GetKeyState.USER32(0000000D), ref: 00415EF1
GetKeyState.USER32(00000027), ref: 00415EF9
GetKeyState.USER32(0000002D), ref: 00415F01
GetKeyState.USER32(0000000D), ref: 00415F09
GetKeyState.USER32(00000027), ref: 00415F11
GetKeyState.USER32(0000002D), ref: 00415F19
GetKeyState.USER32(0000000D), ref: 00415F21
GetKeyState.USER32(00000027), ref: 00415F29
GetKeyState.USER32(0000002D), ref: 00415F31
GetKeyState.USER32(0000000D), ref: 00415F39
GetKeyState.USER32(00000027), ref: 00415F41
GetKeyState.USER32(0000002D), ref: 00415F49
GetKeyState.USER32(0000000D), ref: 00415F51
GetKeyState.USER32(00000027), ref: 00415F59
GetKeyState.USER32(0000002D), ref: 00415F61
GetKeyState.USER32(0000000D), ref: 00415F69
GetKeyState.USER32(00000027), ref: 00415F71
GetKeyState.USER32(0000002D), ref: 00415F79
GetKeyState.USER32(0000000D), ref: 00415F81
GetKeyState.USER32(00000027), ref: 00415F89
GetKeyState.USER32(0000002D), ref: 00415F91
GetKeyState.USER32(0000000D), ref: 00415F99
GetKeyState.USER32(00000027), ref: 00415FA1
GetKeyState.USER32(0000002D), ref: 00415FA9
GetKeyState.USER32(0000000D), ref: 00415FB1
GetKeyState.USER32(00000027), ref: 00415FB9
GetKeyState.USER32(0000002D), ref: 00415FC1
GetKeyState.USER32(0000000D), ref: 00415FC9
GetKeyState.USER32(00000027), ref: 00415FD1
GetKeyState.USER32(0000002D), ref: 00415FD9
GetKeyState.USER32(0000000D), ref: 00415FE1
GetKeyState.USER32(00000027), ref: 00415FE9
GetKeyState.USER32(0000002D), ref: 00415FF1
GetKeyState.USER32(0000000D), ref: 00415FF9
GetKeyState.USER32(00000027), ref: 00416001
GetKeyState.USER32(0000002D), ref: 00416009
GetKeyState.USER32(0000000D), ref: 00416011
GetKeyState.USER32(00000027), ref: 00416019
GetKeyState.USER32(0000002D), ref: 00416021
GetKeyState.USER32(0000000D), ref: 00416029
GetKeyState.USER32(00000027), ref: 00416031
GetKeyState.USER32(0000002D), ref: 00416039
GetKeyState.USER32(0000000D), ref: 00416041
GetKeyState.USER32(00000027), ref: 00416049
GetKeyState.USER32(0000002D), ref: 00416051
GetKeyState.USER32(0000000D), ref: 00416059
GetKeyState.USER32(00000027), ref: 00416061
GetKeyState.USER32(0000002D), ref: 00416069
GetKeyState.USER32(0000000D), ref: 00416071
GetKeyState.USER32(00000027), ref: 00416079
GetKeyState.USER32(0000002D), ref: 00416081
GetKeyState.USER32(0000000D), ref: 00416089
GetKeyState.USER32(00000027), ref: 00416091
GetKeyState.USER32(0000002D), ref: 00416099
GetKeyState.USER32(0000000D), ref: 004160A1
GetKeyState.USER32(00000027), ref: 004160A9
GetKeyState.USER32(0000002D), ref: 004160B1
GetKeyState.USER32(0000000D), ref: 004160B9
GetKeyState.USER32(00000027), ref: 004160C1
GetKeyState.USER32(0000002D), ref: 004160C9
GetKeyState.USER32(0000000D), ref: 004160D1
GetKeyState.USER32(00000027), ref: 004160D9
GetKeyState.USER32(0000002D), ref: 004160E1
GetKeyState.USER32(0000000D), ref: 004160E9
GetKeyState.USER32(00000027), ref: 004160F1
GetKeyState.USER32(0000002D), ref: 004160F9
GetKeyState.USER32(0000000D), ref: 00416101
GetKeyState.USER32(00000027), ref: 00416109
GetKeyState.USER32(0000002D), ref: 00416111
GetKeyState.USER32(0000000D), ref: 00416119
GetKeyState.USER32(00000027), ref: 00416121
GetKeyState.USER32(0000002D), ref: 00416129
GetKeyState.USER32(0000000D), ref: 00416131
GetKeyState.USER32(00000027), ref: 00416139
GetKeyState.USER32(0000002D), ref: 00416141
GetKeyState.USER32(0000000D), ref: 00416149
GetKeyState.USER32(00000027), ref: 00416151
GetKeyState.USER32(0000002D), ref: 00416159
GetKeyState.USER32(0000000D), ref: 00416161
GetKeyState.USER32(00000027), ref: 00416169
GetKeyState.USER32(0000002D), ref: 00416171
GetKeyState.USER32(0000000D), ref: 00416179
GetKeyState.USER32(00000027), ref: 00416181
GetKeyState.USER32(0000002D), ref: 00416189
GetKeyState.USER32(0000000D), ref: 00416191
GetKeyState.USER32(00000027), ref: 00416199
GetKeyState.USER32(0000002D), ref: 004161A1
GetKeyState.USER32(0000000D), ref: 004161A9
GetKeyState.USER32(00000027), ref: 004161B1
GetKeyState.USER32(0000002D), ref: 004161B9
GetKeyState.USER32(0000000D), ref: 004161C1
GetKeyState.USER32(00000027), ref: 004161C9
GetKeyState.USER32(0000002D), ref: 004161D1
GetKeyState.USER32(0000000D), ref: 004161D9
GetKeyState.USER32(00000027), ref: 004161E1
GetKeyState.USER32(0000002D), ref: 004161E9
GetKeyState.USER32(0000000D), ref: 004161F1
GetKeyState.USER32(00000027), ref: 004161F9
GetKeyState.USER32(0000002D), ref: 00416201
GetKeyState.USER32(0000000D), ref: 00416209
GetKeyState.USER32(00000027), ref: 00416211
GetKeyState.USER32(0000002D), ref: 00416219
GetKeyState.USER32(0000000D), ref: 00416221
GetKeyState.USER32(00000027), ref: 00416229
GetKeyState.USER32(0000002D), ref: 00416231
GetKeyState.USER32(0000000D), ref: 00416239
GetKeyState.USER32(00000027), ref: 00416241
GetKeyState.USER32(0000002D), ref: 00416249
GetKeyState.USER32(0000000D), ref: 00416251
GetKeyState.USER32(00000027), ref: 00416259
GetKeyState.USER32(0000002D), ref: 00416261
GetKeyState.USER32(0000000D), ref: 00416269
GetKeyState.USER32(00000027), ref: 00416271
GetKeyState.USER32(0000002D), ref: 00416279
GetKeyState.USER32(0000000D), ref: 00416281
GetKeyState.USER32(00000027), ref: 00416289
GetKeyState.USER32(0000002D), ref: 00416291
GetKeyState.USER32(0000000D), ref: 00416299
GetKeyState.USER32(00000027), ref: 004162A1
GetKeyState.USER32(0000002D), ref: 004162A9
GetKeyState.USER32(0000000D), ref: 004162B1
GetKeyState.USER32(00000027), ref: 004162B9
GetKeyState.USER32(0000002D), ref: 004162C1
GetKeyState.USER32(0000000D), ref: 004162C9
GetKeyState.USER32(00000027), ref: 004162D1
GetKeyState.USER32(0000002D), ref: 004162D9
GetKeyState.USER32(0000000D), ref: 004162E1
GetKeyState.USER32(00000027), ref: 004162E9
GetKeyState.USER32(0000002D), ref: 004162F1
GetKeyState.USER32(0000000D), ref: 004162F9
GetKeyState.USER32(00000027), ref: 00416301
GetKeyState.USER32(0000002D), ref: 00416309
GetKeyState.USER32(0000000D), ref: 00416311
GetKeyState.USER32(00000027), ref: 00416319
GetKeyState.USER32(0000002D), ref: 00416321
GetKeyState.USER32(0000000D), ref: 00416329
GetKeyState.USER32(00000027), ref: 00416331
GetKeyState.USER32(0000002D), ref: 00416339
GetKeyState.USER32(0000000D), ref: 00416341
GetKeyState.USER32(00000027), ref: 00416349
GetKeyState.USER32(0000002D), ref: 00416351
GetKeyState.USER32(0000000D), ref: 00416359
GetKeyState.USER32(00000027), ref: 00416361
GetKeyState.USER32(0000002D), ref: 00416369
GetKeyState.USER32(0000000D), ref: 00416371
GetKeyState.USER32(00000027), ref: 00416379
GetKeyState.USER32(0000002D), ref: 00416381
GetKeyState.USER32(0000000D), ref: 00416389
GetKeyState.USER32(00000027), ref: 00416391
GetKeyState.USER32(0000002D), ref: 00416399
GetKeyState.USER32(0000000D), ref: 004163A1
GetKeyState.USER32(00000027), ref: 004163A9
GetKeyState.USER32(0000002D), ref: 004163B1
GetKeyState.USER32(0000000D), ref: 004163B9
GetKeyState.USER32(00000027), ref: 004163C1
GetKeyState.USER32(0000002D), ref: 004163C9
GetKeyState.USER32(0000000D), ref: 004163D1
GetKeyState.USER32(00000027), ref: 004163D9
GetKeyState.USER32(0000002D), ref: 004163E1
GetKeyState.USER32(0000000D), ref: 004163E9
GetKeyState.USER32(00000027), ref: 004163F1
GetKeyState.USER32(0000002D), ref: 004163F9
GetKeyState.USER32(0000000D), ref: 00416401
GetKeyState.USER32(00000027), ref: 00416409
GetKeyState.USER32(0000002D), ref: 00416411
GetKeyState.USER32(0000000D), ref: 00416419
GetKeyState.USER32(00000027), ref: 00416421
GetKeyState.USER32(0000002D), ref: 00416429
GetKeyState.USER32(0000000D), ref: 00416431
GetKeyState.USER32(00000027), ref: 00416439
GetKeyState.USER32(0000002D), ref: 00416441
GetKeyState.USER32(0000000D), ref: 00416449
GetKeyState.USER32(00000027), ref: 00416451
GetKeyState.USER32(0000002D), ref: 00416459
GetKeyState.USER32(0000000D), ref: 00416461
GetKeyState.USER32(00000027), ref: 00416469
GetKeyState.USER32(0000002D), ref: 00416471
GetKeyState.USER32(0000000D), ref: 00416479
GetKeyState.USER32(00000027), ref: 00416481
GetKeyState.USER32(0000002D), ref: 00416489
GetKeyState.USER32(0000000D), ref: 00416491
GetKeyState.USER32(00000027), ref: 00416499
GetKeyState.USER32(0000002D), ref: 004164A1
GetKeyState.USER32(0000000D), ref: 004164A9
GetKeyState.USER32(00000027), ref: 004164B1
GetKeyState.USER32(0000002D), ref: 004164B9
GetKeyState.USER32(0000000D), ref: 004164C1
GetKeyState.USER32(00000027), ref: 004164C9
GetKeyState.USER32(0000002D), ref: 004164D1
GetKeyState.USER32(0000000D), ref: 004164D9
GetKeyState.USER32(00000027), ref: 004164E1
GetKeyState.USER32(0000002D), ref: 004164E9
GetKeyState.USER32(0000000D), ref: 004164F1
GetKeyState.USER32(00000027), ref: 004164F9
GetKeyState.USER32(0000002D), ref: 00416501
GetKeyState.USER32(0000000D), ref: 00416509
GetKeyState.USER32(00000027), ref: 00416511
GetKeyState.USER32(0000002D), ref: 00416519
GetKeyState.USER32(0000000D), ref: 00416521
GetKeyState.USER32(00000027), ref: 00416529
GetKeyState.USER32(0000002D), ref: 00416531
GetKeyState.USER32(0000000D), ref: 00416539
GetKeyState.USER32(00000027), ref: 00416541
GetKeyState.USER32(0000002D), ref: 00416549
GetKeyState.USER32(0000000D), ref: 00416551
GetKeyState.USER32(00000027), ref: 00416559
GetKeyState.USER32(0000002D), ref: 00416561
GetKeyState.USER32(0000000D), ref: 00416569
GetKeyState.USER32(00000027), ref: 00416571
GetKeyState.USER32(0000002D), ref: 00416579
GetKeyState.USER32(0000000D), ref: 00416581
GetKeyState.USER32(00000027), ref: 00416589
GetKeyState.USER32(0000002D), ref: 00416591
GetKeyState.USER32(0000000D), ref: 00416599
GetKeyState.USER32(00000027), ref: 004165A1
GetKeyState.USER32(0000002D), ref: 004165A9
GetKeyState.USER32(0000000D), ref: 004165B1
GetKeyState.USER32(00000027), ref: 004165B9
GetKeyState.USER32(0000002D), ref: 004165C1
GetKeyState.USER32(0000000D), ref: 004165C9
GetKeyState.USER32(00000027), ref: 004165D1
GetKeyState.USER32(0000002D), ref: 004165D9
GetKeyState.USER32(0000000D), ref: 004165E1
GetKeyState.USER32(00000027), ref: 004165E9
GetKeyState.USER32(0000002D), ref: 004165F1
GetKeyState.USER32(0000000D), ref: 004165F9
GetKeyState.USER32(00000027), ref: 00416601
GetKeyState.USER32(0000002D), ref: 00416609
GetKeyState.USER32(0000000D), ref: 00416611
GetKeyState.USER32(00000027), ref: 00416619
GetKeyState.USER32(0000002D), ref: 00416621
GetKeyState.USER32(0000000D), ref: 00416629
GetKeyState.USER32(00000027), ref: 00416631
GetKeyState.USER32(0000002D), ref: 00416639
GetKeyState.USER32(0000000D), ref: 00416641
GetKeyState.USER32(00000027), ref: 00416649
GetKeyState.USER32(0000002D), ref: 00416651
GetKeyState.USER32(0000000D), ref: 00416659
GetKeyState.USER32(00000027), ref: 00416661
GetKeyState.USER32(0000002D), ref: 00416669
GetKeyState.USER32(0000000D), ref: 00416671
GetKeyState.USER32(00000027), ref: 00416679
GetKeyState.USER32(0000002D), ref: 00416681
GetKeyState.USER32(0000000D), ref: 00416689
GetKeyState.USER32(00000027), ref: 00416691
GetKeyState.USER32(0000002D), ref: 00416699
GetKeyState.USER32(0000000D), ref: 004166A1
GetKeyState.USER32(00000027), ref: 004166A9
GetKeyState.USER32(0000002D), ref: 004166B1
GetKeyState.USER32(0000000D), ref: 004166B9
GetKeyState.USER32(00000027), ref: 004166C1
GetKeyState.USER32(0000002D), ref: 004166C9
GetKeyState.USER32(0000000D), ref: 004166D1
GetKeyState.USER32(00000027), ref: 004166D9
GetKeyState.USER32(0000002D), ref: 004166E1
GetKeyState.USER32(0000000D), ref: 004166E9
GetKeyState.USER32(00000027), ref: 004166F1
GetKeyState.USER32(0000002D), ref: 004166F9
GetKeyState.USER32(0000000D), ref: 00416701
GetKeyState.USER32(00000027), ref: 00416709
GetKeyState.USER32(0000002D), ref: 00416711
GetKeyState.USER32(0000000D), ref: 00416719
GetKeyState.USER32(00000027), ref: 00416721
GetKeyState.USER32(0000002D), ref: 00416729
GetKeyState.USER32(0000000D), ref: 00416731
GetKeyState.USER32(00000027), ref: 00416739
GetKeyState.USER32(0000002D), ref: 00416741
GetKeyState.USER32(0000000D), ref: 00416749
GetKeyState.USER32(00000027), ref: 00416751
GetKeyState.USER32(0000002D), ref: 00416759
GetKeyState.USER32(0000000D), ref: 00416761
GetKeyState.USER32(00000027), ref: 00416769
GetKeyState.USER32(0000002D), ref: 00416771
GetKeyState.USER32(0000000D), ref: 00416779
GetKeyState.USER32(00000027), ref: 00416781
GetKeyState.USER32(0000002D), ref: 00416789
GetKeyState.USER32(0000000D), ref: 00416791
GetKeyState.USER32(00000027), ref: 00416799
GetKeyState.USER32(0000002D), ref: 004167A1
GetKeyState.USER32(0000000D), ref: 004167A9
GetKeyState.USER32(00000027), ref: 004167B1
GetKeyState.USER32(0000002D), ref: 004167B9
GetKeyState.USER32(0000000D), ref: 004167C1
GetKeyState.USER32(00000027), ref: 004167C9
GetKeyState.USER32(0000002D), ref: 004167D1
GetKeyState.USER32(0000000D), ref: 004167D9
GetKeyState.USER32(00000027), ref: 004167E1
GetKeyState.USER32(0000002D), ref: 004167E9
GetKeyState.USER32(0000000D), ref: 004167F1
GetKeyState.USER32(00000027), ref: 004167F9
GetKeyState.USER32(0000002D), ref: 00416801
GetKeyState.USER32(0000000D), ref: 00416809
GetKeyState.USER32(00000027), ref: 00416811
GetKeyState.USER32(0000002D), ref: 00416819
GetKeyState.USER32(0000000D), ref: 00416821
GetKeyState.USER32(00000027), ref: 00416829
GetKeyState.USER32(0000002D), ref: 00416831
GetKeyState.USER32(0000000D), ref: 00416839
GetKeyState.USER32(00000027), ref: 00416841
GetKeyState.USER32(0000002D), ref: 00416849
GetKeyState.USER32(0000000D), ref: 00416851
GetKeyState.USER32(00000027), ref: 00416859
GetKeyState.USER32(0000002D), ref: 00416861
GetKeyState.USER32(0000000D), ref: 00416869
GetKeyState.USER32(00000027), ref: 00416871
GetKeyState.USER32(0000002D), ref: 00416879
GetKeyState.USER32(0000000D), ref: 00416881
GetKeyState.USER32(00000027), ref: 00416889
GetKeyState.USER32(0000002D), ref: 00416891
GetKeyState.USER32(0000000D), ref: 00416899
GetKeyState.USER32(00000027), ref: 004168A1
GetKeyState.USER32(0000002D), ref: 004168A9
GetKeyState.USER32(0000000D), ref: 004168B1
GetKeyState.USER32(00000027), ref: 004168B9
GetKeyState.USER32(0000002D), ref: 004168C1
GetKeyState.USER32(0000000D), ref: 004168C9
GetKeyState.USER32(00000027), ref: 004168D1
GetKeyState.USER32(0000002D), ref: 004168D9
GetKeyState.USER32(0000000D), ref: 004168E1
GetKeyState.USER32(00000027), ref: 004168E9
GetKeyState.USER32(0000002D), ref: 004168F1
GetKeyState.USER32(0000000D), ref: 004168F9
GetKeyState.USER32(00000027), ref: 00416901
GetKeyState.USER32(0000002D), ref: 00416909
GetKeyState.USER32(0000000D), ref: 00416911
GetKeyState.USER32(00000027), ref: 00416919
GetKeyState.USER32(0000002D), ref: 00416921
GetKeyState.USER32(0000000D), ref: 00416929
GetKeyState.USER32(00000027), ref: 00416931
GetKeyState.USER32(0000002D), ref: 00416939
GetKeyState.USER32(0000000D), ref: 00416941
GetKeyState.USER32(00000027), ref: 00416949
GetKeyState.USER32(0000002D), ref: 0041695A
GetKeyState.USER32(0000000D), ref: 00416962
GetKeyState.USER32(00000027), ref: 0041696A
GetKeyState.USER32(0000002D), ref: 00416972
GetKeyState.USER32(0000000D), ref: 0041697A
GetKeyState.USER32(00000027), ref: 00416982
GetKeyState.USER32(0000002D), ref: 0041698A
GetKeyState.USER32(0000000D), ref: 00416992
GetKeyState.USER32(00000027), ref: 0041699A
GetKeyState.USER32(0000002D), ref: 004169A2
GetKeyState.USER32(0000000D), ref: 004169AA
GetKeyState.USER32(00000027), ref: 004169B2
GetKeyState.USER32(0000002D), ref: 004169BA
GetKeyState.USER32(0000000D), ref: 004169C2
GetKeyState.USER32(00000027), ref: 004169CA
GetKeyState.USER32(0000002D), ref: 004169D2
GetKeyState.USER32(0000000D), ref: 004169DA
GetKeyState.USER32(00000027), ref: 004169E2
GetKeyState.USER32(0000002D), ref: 004169EA
GetKeyState.USER32(0000000D), ref: 004169F2
GetKeyState.USER32(00000027), ref: 004169FA
GetKeyState.USER32(0000002D), ref: 00416A02
GetKeyState.USER32(0000000D), ref: 00416A0A
GetKeyState.USER32(00000027), ref: 00416A12
GetKeyState.USER32(0000002D), ref: 00416A1A
GetKeyState.USER32(0000000D), ref: 00416A22
GetKeyState.USER32(00000027), ref: 00416A2A
GetKeyState.USER32(0000002D), ref: 00416A32
GetKeyState.USER32(0000000D), ref: 00416A3A
GetKeyState.USER32(00000027), ref: 00416A42
GetKeyState.USER32(0000002D), ref: 00416A4A
GetKeyState.USER32(0000000D), ref: 00416A52
GetKeyState.USER32(00000027), ref: 00416A5A
GetKeyState.USER32(0000002D), ref: 00416A62
GetKeyState.USER32(0000000D), ref: 00416A6A
GetKeyState.USER32(00000027), ref: 00416A72
GetKeyState.USER32(0000002D), ref: 00416A7A
GetKeyState.USER32(0000000D), ref: 00416A82
GetKeyState.USER32(00000027), ref: 00416A8A
GetKeyState.USER32(0000002D), ref: 00416A92
GetKeyState.USER32(0000000D), ref: 00416A9A
GetKeyState.USER32(00000027), ref: 00416AA2
GetKeyState.USER32(0000002D), ref: 00416AAA
GetKeyState.USER32(0000000D), ref: 00416AB2
GetKeyState.USER32(00000027), ref: 00416ABA
GetKeyState.USER32(0000002D), ref: 00416AC2
GetKeyState.USER32(0000000D), ref: 00416ACA
GetKeyState.USER32(00000027), ref: 00416AD2
GetKeyState.USER32(0000002D), ref: 00416ADA
GetKeyState.USER32(0000000D), ref: 00416AE2
GetKeyState.USER32(00000027), ref: 00416AEA
GetKeyState.USER32(0000002D), ref: 00416AF2
GetKeyState.USER32(0000000D), ref: 00416AFA
GetKeyState.USER32(00000027), ref: 00416B02
GetKeyState.USER32(0000002D), ref: 00416B0A
GetKeyState.USER32(0000000D), ref: 00416B12
GetKeyState.USER32(00000027), ref: 00416B1A
GetKeyState.USER32(0000002D), ref: 00416B22
GetKeyState.USER32(0000000D), ref: 00416B2A
GetKeyState.USER32(00000027), ref: 00416B32
GetKeyState.USER32(0000002D), ref: 00416B3A
GetKeyState.USER32(0000000D), ref: 00416B42
GetKeyState.USER32(00000027), ref: 00416B4A
GetKeyState.USER32(0000002D), ref: 00416B52
GetKeyState.USER32(0000000D), ref: 00416B5A
GetKeyState.USER32(00000027), ref: 00416B62
GetKeyState.USER32(0000002D), ref: 00416B6A
GetKeyState.USER32(0000000D), ref: 00416B72
GetKeyState.USER32(00000027), ref: 00416B7A
GetKeyState.USER32(0000002D), ref: 00416B82
GetKeyState.USER32(0000000D), ref: 00416B8A
GetKeyState.USER32(00000027), ref: 00416B92
GetKeyState.USER32(0000002D), ref: 00416B9A
GetKeyState.USER32(0000000D), ref: 00416BA2
GetKeyState.USER32(00000027), ref: 00416BAA
GetKeyState.USER32(0000002D), ref: 00416BB2
GetKeyState.USER32(0000000D), ref: 00416BBA
GetKeyState.USER32(00000027), ref: 00416BC2
GetKeyState.USER32(0000002D), ref: 00416BCA
GetKeyState.USER32(0000000D), ref: 00416BD2
GetKeyState.USER32(00000027), ref: 00416BDA
GetKeyState.USER32(0000002D), ref: 00416BE2
GetKeyState.USER32(0000000D), ref: 00416BEA
GetKeyState.USER32(00000027), ref: 00416BF2
GetKeyState.USER32(0000002D), ref: 00416BFA
GetKeyState.USER32(0000000D), ref: 00416C02
GetKeyState.USER32(00000027), ref: 00416C0A
GetKeyState.USER32(0000002D), ref: 00416C12
GetKeyState.USER32(0000000D), ref: 00416C1A
GetKeyState.USER32(00000027), ref: 00416C22
GetKeyState.USER32(0000002D), ref: 00416C2A
GetKeyState.USER32(0000000D), ref: 00416C32
GetKeyState.USER32(00000027), ref: 00416C3A
GetKeyState.USER32(0000002D), ref: 00416C42
GetKeyState.USER32(0000000D), ref: 00416C4A
GetKeyState.USER32(00000027), ref: 00416C52
GetKeyState.USER32(0000002D), ref: 00416C5A
GetKeyState.USER32(0000000D), ref: 00416C62
GetKeyState.USER32(00000027), ref: 00416C6A
GetKeyState.USER32(0000002D), ref: 00416C72
GetKeyState.USER32(0000000D), ref: 00416C7A
GetKeyState.USER32(00000027), ref: 00416C82
GetKeyState.USER32(0000002D), ref: 00416C8A
GetKeyState.USER32(0000000D), ref: 00416C92
GetKeyState.USER32(00000027), ref: 00416C9A
GetKeyState.USER32(0000002D), ref: 00416CA2
GetKeyState.USER32(0000000D), ref: 00416CAA
GetKeyState.USER32(00000027), ref: 00416CB2
GetKeyState.USER32(0000002D), ref: 00416CBA
GetKeyState.USER32(0000000D), ref: 00416CC2
GetKeyState.USER32(00000027), ref: 00416CCA
GetKeyState.USER32(0000002D), ref: 00416CD2
GetKeyState.USER32(0000000D), ref: 00416CDA
GetKeyState.USER32(00000027), ref: 00416CE2
GetKeyState.USER32(0000002D), ref: 00416CEA
GetKeyState.USER32(0000000D), ref: 00416CF2
GetKeyState.USER32(00000027), ref: 00416CFA
GetKeyState.USER32(0000002D), ref: 00416D02
GetKeyState.USER32(0000000D), ref: 00416D0A
GetKeyState.USER32(00000027), ref: 00416D12
GetKeyState.USER32(0000002D), ref: 00416D1A
GetKeyState.USER32(0000000D), ref: 00416D22
GetKeyState.USER32(00000027), ref: 00416D2A
GetKeyState.USER32(0000002D), ref: 00416D32
GetKeyState.USER32(0000000D), ref: 00416D3A
GetKeyState.USER32(00000027), ref: 00416D42
GetKeyState.USER32(0000002D), ref: 00416D4A
GetKeyState.USER32(0000000D), ref: 00416D52
GetKeyState.USER32(00000027), ref: 00416D5A
GetKeyState.USER32(0000002D), ref: 00416D62
GetKeyState.USER32(0000000D), ref: 00416D6A
GetKeyState.USER32(00000027), ref: 00416D72
GetKeyState.USER32(0000002D), ref: 00416D7A
GetKeyState.USER32(0000000D), ref: 00416D82
GetKeyState.USER32(00000027), ref: 00416D8A
GetKeyState.USER32(0000002D), ref: 00416D92
GetKeyState.USER32(0000000D), ref: 00416D9A
GetKeyState.USER32(00000027), ref: 00416DA2
GetKeyState.USER32(0000002D), ref: 00416DAA
GetKeyState.USER32(0000000D), ref: 00416DB2
GetKeyState.USER32(00000027), ref: 00416DBA
GetKeyState.USER32(0000002D), ref: 00416DC2
GetKeyState.USER32(0000000D), ref: 00416DCA
GetKeyState.USER32(00000027), ref: 00416DD2
GetKeyState.USER32(0000002D), ref: 00416DDA
GetKeyState.USER32(0000000D), ref: 00416DE2
GetKeyState.USER32(00000027), ref: 00416DEA
GetKeyState.USER32(0000002D), ref: 00416DF2
GetKeyState.USER32(0000000D), ref: 00416DFA
GetKeyState.USER32(00000027), ref: 00416E02
GetKeyState.USER32(0000002D), ref: 00416E0A
GetKeyState.USER32(0000000D), ref: 00416E12
GetKeyState.USER32(00000027), ref: 00416E1A
GetKeyState.USER32(0000002D), ref: 00416E22
GetKeyState.USER32(0000000D), ref: 00416E2A
GetKeyState.USER32(00000027), ref: 00416E32
GetKeyState.USER32(0000002D), ref: 00416E3A
GetKeyState.USER32(0000000D), ref: 00416E42
GetKeyState.USER32(00000027), ref: 00416E4A
GetKeyState.USER32(0000002D), ref: 00416E52
GetKeyState.USER32(0000000D), ref: 00416E5A
GetKeyState.USER32(00000027), ref: 00416E62
GetKeyState.USER32(0000002D), ref: 00416E6A
GetKeyState.USER32(0000000D), ref: 00416E72
GetKeyState.USER32(00000027), ref: 00416E7A
GetKeyState.USER32(0000002D), ref: 00416E82
GetKeyState.USER32(0000000D), ref: 00416E8A
GetKeyState.USER32(00000027), ref: 00416E92
GetKeyState.USER32(0000002D), ref: 00416E9A
GetKeyState.USER32(0000000D), ref: 00416EA2
GetKeyState.USER32(00000027), ref: 00416EAA
GetKeyState.USER32(0000002D), ref: 00416EB2
GetKeyState.USER32(0000000D), ref: 00416EBA
GetKeyState.USER32(00000027), ref: 00416EC2
GetKeyState.USER32(0000002D), ref: 00416ECA
GetKeyState.USER32(0000000D), ref: 00416ED2
GetKeyState.USER32(00000027), ref: 00416EDA
GetKeyState.USER32(0000002D), ref: 00416EE2
GetKeyState.USER32(0000000D), ref: 00416EEA
GetKeyState.USER32(00000027), ref: 00416EF2
GetKeyState.USER32(0000002D), ref: 00416EFA
GetKeyState.USER32(0000000D), ref: 00416F02
GetKeyState.USER32(00000027), ref: 00416F0A
GetKeyState.USER32(0000002D), ref: 00416F12
GetKeyState.USER32(0000000D), ref: 00416F1A
GetKeyState.USER32(00000027), ref: 00416F22
GetKeyState.USER32(0000002D), ref: 00416F2A
GetKeyState.USER32(0000000D), ref: 00416F32
GetKeyState.USER32(00000027), ref: 00416F3A
GetKeyState.USER32(0000002D), ref: 00416F42
GetKeyState.USER32(0000000D), ref: 00416F4A
GetKeyState.USER32(00000027), ref: 00416F52
GetKeyState.USER32(0000002D), ref: 00416F5A
GetKeyState.USER32(0000000D), ref: 00416F62
GetKeyState.USER32(00000027), ref: 00416F6A
GetKeyState.USER32(0000002D), ref: 00416F72
GetKeyState.USER32(0000000D), ref: 00416F7A
GetKeyState.USER32(00000027), ref: 00416F82
GetKeyState.USER32(0000002D), ref: 00416F8A
GetKeyState.USER32(0000000D), ref: 00416F92
GetKeyState.USER32(00000027), ref: 00416F9A
GetKeyState.USER32(0000002D), ref: 00416FA2
GetKeyState.USER32(0000000D), ref: 00416FAA
GetKeyState.USER32(00000027), ref: 00416FB2
GetKeyState.USER32(0000002D), ref: 00416FBA
GetKeyState.USER32(0000000D), ref: 00416FC2
GetKeyState.USER32(00000027), ref: 00416FCA
GetKeyState.USER32(0000002D), ref: 00416FD2
GetKeyState.USER32(0000000D), ref: 00416FDA
GetKeyState.USER32(00000027), ref: 00416FE2
GetKeyState.USER32(0000002D), ref: 00416FEA
GetKeyState.USER32(0000000D), ref: 00416FF2
GetKeyState.USER32(00000027), ref: 00416FFA
GetKeyState.USER32(0000002D), ref: 00417002
GetKeyState.USER32(0000000D), ref: 0041700A
GetKeyState.USER32(00000027), ref: 00417012
GetKeyState.USER32(0000002D), ref: 0041701A
GetKeyState.USER32(0000000D), ref: 00417022
GetKeyState.USER32(00000027), ref: 0041702A
GetKeyState.USER32(0000002D), ref: 00417032
GetKeyState.USER32(0000000D), ref: 0041703A
GetKeyState.USER32(00000027), ref: 00417042
GetKeyState.USER32(0000002D), ref: 0041704A
GetKeyState.USER32(0000000D), ref: 00417052
GetKeyState.USER32(00000027), ref: 0041705A
GetKeyState.USER32(0000002D), ref: 00417062
GetKeyState.USER32(0000000D), ref: 0041706A
GetKeyState.USER32(00000027), ref: 00417072
GetKeyState.USER32(0000002D), ref: 0041707A
GetKeyState.USER32(0000000D), ref: 00417082
GetKeyState.USER32(00000027), ref: 0041708A
GetKeyState.USER32(0000002D), ref: 00417092
GetKeyState.USER32(0000000D), ref: 0041709A
GetKeyState.USER32(00000027), ref: 004170A2
GetKeyState.USER32(0000002D), ref: 004170AA
GetKeyState.USER32(0000000D), ref: 004170B2
GetKeyState.USER32(00000027), ref: 004170BA
GetKeyState.USER32(0000002D), ref: 004170C2
GetKeyState.USER32(0000000D), ref: 004170CA
GetKeyState.USER32(00000027), ref: 004170D2
GetKeyState.USER32(0000002D), ref: 004170DA
GetKeyState.USER32(0000000D), ref: 004170E2
GetKeyState.USER32(00000027), ref: 004170EA
GetKeyState.USER32(0000002D), ref: 004170F2
GetKeyState.USER32(0000000D), ref: 004170FA
GetKeyState.USER32(00000027), ref: 00417102
GetKeyState.USER32(0000002D), ref: 0041710A
GetKeyState.USER32(0000000D), ref: 00417112
GetKeyState.USER32(00000027), ref: 0041711A
GetKeyState.USER32(0000002D), ref: 00417122
GetKeyState.USER32(0000000D), ref: 0041712A
GetKeyState.USER32(00000027), ref: 00417132
GetKeyState.USER32(0000002D), ref: 0041713A
GetKeyState.USER32(0000000D), ref: 00417142
GetKeyState.USER32(00000027), ref: 0041714A
GetKeyState.USER32(0000002D), ref: 00417152
GetKeyState.USER32(0000000D), ref: 0041715A
GetKeyState.USER32(00000027), ref: 00417162
GetKeyState.USER32(0000002D), ref: 0041716A
GetKeyState.USER32(0000000D), ref: 00417172
GetKeyState.USER32(00000027), ref: 0041717A
GetKeyState.USER32(0000002D), ref: 00417182
GetKeyState.USER32(0000000D), ref: 0041718A
GetKeyState.USER32(00000027), ref: 00417192
GetKeyState.USER32(0000002D), ref: 0041719A
GetKeyState.USER32(0000000D), ref: 004171A2
GetKeyState.USER32(00000027), ref: 004171AA
GetKeyState.USER32(0000002D), ref: 004171B2
GetKeyState.USER32(0000000D), ref: 004171BA
GetKeyState.USER32(00000027), ref: 004171C2
GetKeyState.USER32(0000002D), ref: 004171CA
GetKeyState.USER32(0000000D), ref: 004171D2
GetKeyState.USER32(00000027), ref: 004171DA
GetKeyState.USER32(0000002D), ref: 004171E2
GetKeyState.USER32(0000000D), ref: 004171EA
GetKeyState.USER32(00000027), ref: 004171F2
GetKeyState.USER32(0000002D), ref: 004171FA
GetKeyState.USER32(0000000D), ref: 00417202
GetKeyState.USER32(00000027), ref: 0041720A
GetKeyState.USER32(0000002D), ref: 00417212
GetKeyState.USER32(0000000D), ref: 0041721A
GetKeyState.USER32(00000027), ref: 00417222
GetKeyState.USER32(0000002D), ref: 0041722A
GetKeyState.USER32(0000000D), ref: 00417232
GetKeyState.USER32(00000027), ref: 0041723A
GetKeyState.USER32(0000002D), ref: 00417242
GetKeyState.USER32(0000000D), ref: 0041724A
GetKeyState.USER32(00000027), ref: 00417252
GetKeyState.USER32(0000002D), ref: 0041725A
GetKeyState.USER32(0000000D), ref: 00417262
GetKeyState.USER32(00000027), ref: 0041726A
GetKeyState.USER32(0000002D), ref: 00417272
GetKeyState.USER32(0000000D), ref: 0041727A
GetKeyState.USER32(00000027), ref: 00417282
GetKeyState.USER32(0000002D), ref: 0041728A
GetKeyState.USER32(0000000D), ref: 00417292
GetKeyState.USER32(00000027), ref: 0041729A
GetKeyState.USER32(0000002D), ref: 004172A2
GetKeyState.USER32(0000000D), ref: 004172AA
GetKeyState.USER32(00000027), ref: 004172B2
GetKeyState.USER32(0000002D), ref: 004172BA
GetKeyState.USER32(0000000D), ref: 004172C2
GetKeyState.USER32(00000027), ref: 004172CA
GetKeyState.USER32(0000002D), ref: 004172D2
GetKeyState.USER32(0000000D), ref: 004172DA
GetKeyState.USER32(00000027), ref: 004172E2
GetKeyState.USER32(0000002D), ref: 004172EA
GetKeyState.USER32(0000000D), ref: 004172F2
GetKeyState.USER32(00000027), ref: 004172FA
GetKeyState.USER32(0000002D), ref: 00417302
GetKeyState.USER32(0000000D), ref: 0041730A
GetKeyState.USER32(00000027), ref: 00417312
GetKeyState.USER32(0000002D), ref: 0041731A
GetKeyState.USER32(0000000D), ref: 00417322
GetKeyState.USER32(00000027), ref: 0041732A
GetKeyState.USER32(0000002D), ref: 00417332
GetKeyState.USER32(0000000D), ref: 0041733A
GetKeyState.USER32(00000027), ref: 00417342
GetKeyState.USER32(0000002D), ref: 0041734A
GetKeyState.USER32(0000000D), ref: 00417352
GetKeyState.USER32(00000027), ref: 0041735A
GetKeyState.USER32(0000002D), ref: 00417362
GetKeyState.USER32(0000000D), ref: 0041736A
GetKeyState.USER32(00000027), ref: 00417372
GetKeyState.USER32(0000002D), ref: 0041737A
GetKeyState.USER32(0000000D), ref: 00417382
GetKeyState.USER32(00000027), ref: 0041738A
GetKeyState.USER32(0000002D), ref: 00417392
GetKeyState.USER32(0000000D), ref: 0041739A
GetKeyState.USER32(00000027), ref: 004173A2
GetKeyState.USER32(0000002D), ref: 004173AA
GetKeyState.USER32(0000000D), ref: 004173B2
GetKeyState.USER32(00000027), ref: 004173BA
GetKeyState.USER32(0000002D), ref: 004173C2
GetKeyState.USER32(0000000D), ref: 004173CA
GetKeyState.USER32(00000027), ref: 004173D2
GetKeyState.USER32(0000002D), ref: 004173DA
GetKeyState.USER32(0000000D), ref: 004173E2
GetKeyState.USER32(00000027), ref: 004173EA
GetKeyState.USER32(0000002D), ref: 004173F2
GetKeyState.USER32(0000000D), ref: 004173FA
GetKeyState.USER32(00000027), ref: 00417402
GetKeyState.USER32(0000002D), ref: 0041740A
GetKeyState.USER32(0000000D), ref: 00417412
GetKeyState.USER32(00000027), ref: 0041741A
GetKeyState.USER32(0000002D), ref: 00417422
GetKeyState.USER32(0000000D), ref: 0041742A
GetKeyState.USER32(00000027), ref: 00417432
GetKeyState.USER32(0000002D), ref: 0041743A
GetKeyState.USER32(0000000D), ref: 00417442
GetKeyState.USER32(00000027), ref: 0041744A
GetKeyState.USER32(0000002D), ref: 00417452
GetKeyState.USER32(0000000D), ref: 0041745A
GetKeyState.USER32(00000027), ref: 00417462
GetKeyState.USER32(0000002D), ref: 0041746A
GetKeyState.USER32(0000000D), ref: 00417472
GetKeyState.USER32(00000027), ref: 0041747A
GetKeyState.USER32(0000002D), ref: 00417482
GetKeyState.USER32(0000000D), ref: 0041748A
GetKeyState.USER32(00000027), ref: 00417492
GetKeyState.USER32(0000002D), ref: 0041749A
GetKeyState.USER32(0000000D), ref: 004174A2
GetKeyState.USER32(00000027), ref: 004174AA
GetKeyState.USER32(0000002D), ref: 004174B2
GetKeyState.USER32(0000000D), ref: 004174BA
GetKeyState.USER32(00000027), ref: 004174C2
GetKeyState.USER32(0000002D), ref: 004174CA
GetKeyState.USER32(0000000D), ref: 004174D2
GetKeyState.USER32(00000027), ref: 004174DA
GetKeyState.USER32(0000002D), ref: 004174E2
GetKeyState.USER32(0000000D), ref: 004174EA
GetKeyState.USER32(00000027), ref: 004174F2
GetKeyState.USER32(0000002D), ref: 004174FA
GetKeyState.USER32(0000000D), ref: 00417502
GetKeyState.USER32(00000027), ref: 0041750A
GetKeyState.USER32(0000002D), ref: 00417512
GetKeyState.USER32(0000000D), ref: 0041751A
GetKeyState.USER32(00000027), ref: 00417522
GetKeyState.USER32(0000002D), ref: 0041752A
GetKeyState.USER32(0000000D), ref: 00417532
GetKeyState.USER32(00000027), ref: 0041753A
GetKeyState.USER32(0000002D), ref: 00417542
GetKeyState.USER32(0000000D), ref: 0041754A
GetKeyState.USER32(00000027), ref: 00417552
GetKeyState.USER32(0000002D), ref: 0041755A
GetKeyState.USER32(0000000D), ref: 00417562
GetKeyState.USER32(00000027), ref: 0041756A
GetKeyState.USER32(0000002D), ref: 00417572
GetKeyState.USER32(0000000D), ref: 0041757A
GetKeyState.USER32(00000027), ref: 00417582
GetKeyState.USER32(0000002D), ref: 0041758A
GetKeyState.USER32(0000000D), ref: 00417592
GetKeyState.USER32(00000027), ref: 0041759A
GetKeyState.USER32(0000002D), ref: 004175A2
GetKeyState.USER32(0000000D), ref: 004175AA
GetKeyState.USER32(00000027), ref: 004175B2
GetKeyState.USER32(0000002D), ref: 004175BA
GetKeyState.USER32(0000000D), ref: 004175C2
GetKeyState.USER32(00000027), ref: 004175CA
GetKeyState.USER32(0000002D), ref: 004175D2
GetKeyState.USER32(0000000D), ref: 004175DA
GetKeyState.USER32(00000027), ref: 004175E2
GetKeyState.USER32(0000002D), ref: 004175EA
GetKeyState.USER32(0000000D), ref: 004175F2
GetKeyState.USER32(00000027), ref: 004175FA
GetKeyState.USER32(0000002D), ref: 00417602
GetKeyState.USER32(0000000D), ref: 0041760A
GetKeyState.USER32(00000027), ref: 00417612
GetKeyState.USER32(0000002D), ref: 0041761A
GetKeyState.USER32(0000000D), ref: 00417622
GetKeyState.USER32(00000027), ref: 0041762A
GetKeyState.USER32(0000002D), ref: 00417632
GetKeyState.USER32(0000000D), ref: 0041763A
GetKeyState.USER32(00000027), ref: 00417642
GetKeyState.USER32(0000002D), ref: 0041764A
GetKeyState.USER32(0000000D), ref: 00417652
GetKeyState.USER32(00000027), ref: 0041765A
GetKeyState.USER32(0000002D), ref: 00417662
GetKeyState.USER32(0000000D), ref: 0041766A
GetKeyState.USER32(00000027), ref: 00417672
GetKeyState.USER32(0000002D), ref: 0041767A
GetKeyState.USER32(0000000D), ref: 00417682
GetKeyState.USER32(00000027), ref: 0041768A
GetKeyState.USER32(0000002D), ref: 00417692
GetKeyState.USER32(0000000D), ref: 0041769A
GetKeyState.USER32(00000027), ref: 004176A2
GetKeyState.USER32(0000002D), ref: 004176AA
GetKeyState.USER32(0000000D), ref: 004176B2
GetKeyState.USER32(00000027), ref: 004176BA
GetKeyState.USER32(0000002D), ref: 004176C2
GetKeyState.USER32(0000000D), ref: 004176CA
GetKeyState.USER32(00000027), ref: 004176D2
GetKeyState.USER32(0000002D), ref: 004176DA
GetKeyState.USER32(0000000D), ref: 004176E2
GetKeyState.USER32(00000027), ref: 004176EA
GetKeyState.USER32(0000002D), ref: 004176F2
GetKeyState.USER32(0000000D), ref: 004176FA
GetKeyState.USER32(00000027), ref: 00417702
GetKeyState.USER32(0000002D), ref: 0041770A
GetKeyState.USER32(0000000D), ref: 00417712
GetKeyState.USER32(00000027), ref: 0041771A
GetKeyState.USER32(0000002D), ref: 00417722
GetKeyState.USER32(0000000D), ref: 0041772A
GetKeyState.USER32(00000027), ref: 00417732
GetKeyState.USER32(0000002D), ref: 0041773A
GetKeyState.USER32(0000000D), ref: 00417742
GetKeyState.USER32(00000027), ref: 0041774A
GetKeyState.USER32(0000002D), ref: 00417752
GetKeyState.USER32(0000000D), ref: 0041775A
GetKeyState.USER32(00000027), ref: 00417762
GetKeyState.USER32(0000002D), ref: 0041776A
GetKeyState.USER32(0000000D), ref: 00417772
GetKeyState.USER32(00000027), ref: 0041777A
GetKeyState.USER32(0000002D), ref: 00417782
GetKeyState.USER32(0000000D), ref: 0041778A
GetKeyState.USER32(00000027), ref: 00417792
GetKeyState.USER32(0000002D), ref: 0041779A
GetKeyState.USER32(0000000D), ref: 004177A2
GetKeyState.USER32(00000027), ref: 004177AA
GetKeyState.USER32(0000002D), ref: 004177B2
GetKeyState.USER32(0000000D), ref: 004177BA
GetKeyState.USER32(00000027), ref: 004177C2
GetKeyState.USER32(0000002D), ref: 004177CA
GetKeyState.USER32(0000000D), ref: 004177D2
GetKeyState.USER32(00000027), ref: 004177DA
GetKeyState.USER32(0000002D), ref: 004177E2
GetKeyState.USER32(0000000D), ref: 004177EA
GetKeyState.USER32(00000027), ref: 004177F2
GetKeyState.USER32(0000002D), ref: 004177FA
GetKeyState.USER32(0000000D), ref: 00417802
GetKeyState.USER32(00000027), ref: 0041780A
GetKeyState.USER32(0000002D), ref: 00417812
GetKeyState.USER32(0000000D), ref: 0041781A
GetKeyState.USER32(00000027), ref: 00417822
GetKeyState.USER32(0000002D), ref: 0041782A
GetKeyState.USER32(0000000D), ref: 00417832
GetKeyState.USER32(00000027), ref: 0041783A
GetKeyState.USER32(0000002D), ref: 00417842
GetKeyState.USER32(0000000D), ref: 0041784A
GetKeyState.USER32(00000027), ref: 00417852
GetKeyState.USER32(0000002D), ref: 0041785A
GetKeyState.USER32(0000000D), ref: 00417862
GetKeyState.USER32(00000027), ref: 0041786A
GetKeyState.USER32(0000002D), ref: 00417872
GetKeyState.USER32(0000000D), ref: 0041787A
GetKeyState.USER32(00000027), ref: 00417882
GetKeyState.USER32(0000002D), ref: 0041788A
GetKeyState.USER32(0000000D), ref: 00417892
GetKeyState.USER32(00000027), ref: 0041789A
GetKeyState.USER32(0000002D), ref: 004178A2
GetKeyState.USER32(0000000D), ref: 004178AA
GetKeyState.USER32(00000027), ref: 004178B2
GetKeyState.USER32(0000002D), ref: 004178BA
GetKeyState.USER32(0000000D), ref: 004178C2
GetKeyState.USER32(00000027), ref: 004178CA
GetKeyState.USER32(0000002D), ref: 004178D2
GetKeyState.USER32(0000000D), ref: 004178DA
GetKeyState.USER32(00000027), ref: 004178E2
GetKeyState.USER32(0000002D), ref: 004178EA
GetKeyState.USER32(0000000D), ref: 004178F2
GetKeyState.USER32(00000027), ref: 004178FA
GetKeyState.USER32(0000002D), ref: 00417902
GetKeyState.USER32(0000000D), ref: 0041790A
GetKeyState.USER32(00000027), ref: 00417912
GetKeyState.USER32(0000002D), ref: 0041791A
GetKeyState.USER32(0000000D), ref: 00417922
GetKeyState.USER32(00000027), ref: 0041792A
GetKeyState.USER32(0000002D), ref: 00417932
GetKeyState.USER32(0000000D), ref: 0041793A
GetKeyState.USER32(00000027), ref: 00417942
GetKeyState.USER32(0000002D), ref: 0041794A
GetKeyState.USER32(0000000D), ref: 00417952
GetKeyState.USER32(00000027), ref: 0041795A
GetKeyState.USER32(0000002D), ref: 00417962
GetKeyState.USER32(0000000D), ref: 0041796A
GetKeyState.USER32(00000027), ref: 00417972
GetKeyState.USER32(0000002D), ref: 0041797A
GetKeyState.USER32(0000000D), ref: 00417982
GetKeyState.USER32(00000027), ref: 0041798A
GetKeyState.USER32(0000002D), ref: 00417992
GetKeyState.USER32(0000000D), ref: 0041799A
GetKeyState.USER32(00000027), ref: 004179A2
GetKeyState.USER32(0000002D), ref: 004179AA
GetKeyState.USER32(0000000D), ref: 004179B2
GetKeyState.USER32(00000027), ref: 004179BA
GetKeyState.USER32(0000002D), ref: 004179C2
GetKeyState.USER32(0000000D), ref: 004179CA
GetKeyState.USER32(00000027), ref: 004179D2
GetKeyState.USER32(0000002D), ref: 004179DA
GetKeyState.USER32(0000000D), ref: 004179E2
GetKeyState.USER32(00000027), ref: 004179EA
GetKeyState.USER32(0000002D), ref: 004179F2
GetKeyState.USER32(0000000D), ref: 004179FA
GetKeyState.USER32(00000027), ref: 00417A02
GetKeyState.USER32(0000002D), ref: 00417A0A
GetKeyState.USER32(0000000D), ref: 00417A12
GetKeyState.USER32(00000027), ref: 00417A1A
GetKeyState.USER32(0000002D), ref: 00417A22
GetKeyState.USER32(0000000D), ref: 00417A2A
GetKeyState.USER32(00000027), ref: 00417A32
GetKeyState.USER32(0000002D), ref: 00417A3A
GetKeyState.USER32(0000000D), ref: 00417A42
GetKeyState.USER32(00000027), ref: 00417A4A
GetKeyState.USER32(0000002D), ref: 00417A52
GetKeyState.USER32(0000000D), ref: 00417A5A
GetKeyState.USER32(00000027), ref: 00417A62
GetKeyState.USER32(0000002D), ref: 00417A6A
GetKeyState.USER32(0000000D), ref: 00417A72
GetKeyState.USER32(00000027), ref: 00417A7A
GetKeyState.USER32(0000002D), ref: 00417A82
GetKeyState.USER32(0000000D), ref: 00417A8A
GetKeyState.USER32(00000027), ref: 00417A92
GetKeyState.USER32(0000002D), ref: 00417A9A
GetKeyState.USER32(0000000D), ref: 00417AA2
GetKeyState.USER32(00000027), ref: 00417AAA
GetKeyState.USER32(0000002D), ref: 00417AB2
GetKeyState.USER32(0000000D), ref: 00417ABA
GetKeyState.USER32(00000027), ref: 00417AC2
GetKeyState.USER32(0000002D), ref: 00417ACA
GetKeyState.USER32(0000000D), ref: 00417AD2
GetKeyState.USER32(00000027), ref: 00417ADA
GetKeyState.USER32(0000002D), ref: 00417AE2
GetKeyState.USER32(0000000D), ref: 00417AEA
GetKeyState.USER32(00000027), ref: 00417AF2
GetKeyState.USER32(0000002D), ref: 00417AFA
GetKeyState.USER32(0000000D), ref: 00417B02
GetKeyState.USER32(00000027), ref: 00417B0A
GetKeyState.USER32(0000002D), ref: 00417B12
GetKeyState.USER32(0000000D), ref: 00417B1A
GetKeyState.USER32(00000027), ref: 00417B22
GetKeyState.USER32(0000002D), ref: 00417B2A
GetKeyState.USER32(0000000D), ref: 00417B32
GetKeyState.USER32(00000027), ref: 00417B3A
GetKeyState.USER32(0000002D), ref: 00417B42
GetKeyState.USER32(0000000D), ref: 00417B4A
GetKeyState.USER32(00000027), ref: 00417B52
GetKeyState.USER32(0000002D), ref: 00417B5A
GetKeyState.USER32(0000000D), ref: 00417B62
GetKeyState.USER32(00000027), ref: 00417B6A
GetKeyState.USER32(0000002D), ref: 00417B72
GetKeyState.USER32(0000000D), ref: 00417B7A
GetKeyState.USER32(00000027), ref: 00417B82
GetKeyState.USER32(0000002D), ref: 00417B8A
GetKeyState.USER32(0000000D), ref: 00417B92
GetKeyState.USER32(00000027), ref: 00417B9A
GetKeyState.USER32(0000002D), ref: 00417BA2
GetKeyState.USER32(0000000D), ref: 00417BAA
GetKeyState.USER32(00000027), ref: 00417BB2
GetKeyState.USER32(0000002D), ref: 00417BBA
GetKeyState.USER32(0000000D), ref: 00417BC2
GetKeyState.USER32(00000027), ref: 00417BCA
GetKeyState.USER32(0000002D), ref: 00417BD2
GetKeyState.USER32(0000000D), ref: 00417BDA
GetKeyState.USER32(00000027), ref: 00417BE2
GetKeyState.USER32(0000002D), ref: 00417BEA
GetKeyState.USER32(0000000D), ref: 00417BF2
GetKeyState.USER32(00000027), ref: 00417BFA
GetKeyState.USER32(0000002D), ref: 00417C02
GetKeyState.USER32(0000000D), ref: 00417C0A
GetKeyState.USER32(00000027), ref: 00417C12
GetKeyState.USER32(0000002D), ref: 00417C1A
GetKeyState.USER32(0000000D), ref: 00417C22
GetKeyState.USER32(00000027), ref: 00417C2A
GetKeyState.USER32(0000002D), ref: 00417C32
GetKeyState.USER32(0000000D), ref: 00417C3A
GetKeyState.USER32(00000027), ref: 00417C42
GetKeyState.USER32(0000002D), ref: 00417C4A
GetKeyState.USER32(0000000D), ref: 00417C52
GetKeyState.USER32(00000027), ref: 00417C5A
GetKeyState.USER32(0000002D), ref: 00417C62
GetKeyState.USER32(0000000D), ref: 00417C6A
GetKeyState.USER32(00000027), ref: 00417C72
GetKeyState.USER32(0000002D), ref: 00417C7A
GetKeyState.USER32(0000000D), ref: 00417C82
GetKeyState.USER32(00000027), ref: 00417C8A
GetKeyState.USER32(0000002D), ref: 00417C92
GetKeyState.USER32(0000000D), ref: 00417C9A
GetKeyState.USER32(00000027), ref: 00417CA2
GetKeyState.USER32(0000002D), ref: 00417CAA
GetKeyState.USER32(0000000D), ref: 00417CB2
GetKeyState.USER32(00000027), ref: 00417CBA
GetKeyState.USER32(0000002D), ref: 00417CC2
GetKeyState.USER32(0000000D), ref: 00417CCA
GetKeyState.USER32(00000027), ref: 00417CD2
GetKeyState.USER32(0000002D), ref: 00417CDA
GetKeyState.USER32(0000000D), ref: 00417CE2
GetKeyState.USER32(00000027), ref: 00417CEA
GetKeyState.USER32(0000002D), ref: 00417CF2
GetKeyState.USER32(0000000D), ref: 00417CFA
GetKeyState.USER32(00000027), ref: 00417D02
GetKeyState.USER32(0000002D), ref: 00417D0A
GetKeyState.USER32(0000000D), ref: 00417D12
GetKeyState.USER32(00000027), ref: 00417D1A
GetKeyState.USER32(0000002D), ref: 00417D22
GetKeyState.USER32(0000000D), ref: 00417D2A
GetKeyState.USER32(00000027), ref: 00417D32
GetKeyState.USER32(0000002D), ref: 00417D3A
GetKeyState.USER32(0000000D), ref: 00417D42
GetKeyState.USER32(00000027), ref: 00417D4A
GetKeyState.USER32(0000002D), ref: 00417D52
GetKeyState.USER32(0000000D), ref: 00417D5A
GetKeyState.USER32(00000027), ref: 00417D62
GetKeyState.USER32(0000002D), ref: 00417D6A
GetKeyState.USER32(0000000D), ref: 00417D72
GetKeyState.USER32(00000027), ref: 00417D7A
GetKeyState.USER32(0000002D), ref: 00417D82
GetKeyState.USER32(0000000D), ref: 00417D8A
GetKeyState.USER32(00000027), ref: 00417D92
GetKeyState.USER32(0000002D), ref: 00417D9A
GetKeyState.USER32(0000000D), ref: 00417DA2
GetKeyState.USER32(00000027), ref: 00417DAA
GetKeyState.USER32(0000002D), ref: 00417DB2
GetKeyState.USER32(0000000D), ref: 00417DBA
GetKeyState.USER32(00000027), ref: 00417DC2
GetKeyState.USER32(0000002D), ref: 00417DCA
GetKeyState.USER32(0000000D), ref: 00417DD2
GetKeyState.USER32(00000027), ref: 00417DDA
GetKeyState.USER32(0000002D), ref: 00417DE2
GetKeyState.USER32(0000000D), ref: 00417DEA
GetKeyState.USER32(00000027), ref: 00417DF2
GetKeyState.USER32(0000002D), ref: 00417DFA
GetKeyState.USER32(0000000D), ref: 00417E02
GetKeyState.USER32(00000027), ref: 00417E0A
GetKeyState.USER32(0000002D), ref: 00417E12
GetKeyState.USER32(0000000D), ref: 00417E1A
GetKeyState.USER32(00000027), ref: 00417E22
GetKeyState.USER32(0000002D), ref: 00417E2A
GetKeyState.USER32(0000000D), ref: 00417E32
GetKeyState.USER32(00000027), ref: 00417E3A
GetKeyState.USER32(0000002D), ref: 00417E42
GetKeyState.USER32(0000000D), ref: 00417E4A
GetKeyState.USER32(00000027), ref: 00417E52
GetKeyState.USER32(0000002D), ref: 00417E5A
GetKeyState.USER32(0000000D), ref: 00417E62
GetKeyState.USER32(00000027), ref: 00417E6A
GetKeyState.USER32(0000002D), ref: 00417E72
GetKeyState.USER32(0000000D), ref: 00417E7A
GetKeyState.USER32(00000027), ref: 00417E82
GetKeyState.USER32(0000002D), ref: 00417E8A
GetKeyState.USER32(0000000D), ref: 00417E92
GetKeyState.USER32(00000027), ref: 00417E9A
GetKeyState.USER32(0000002D), ref: 00417EA2
GetKeyState.USER32(0000000D), ref: 00417EAA
GetKeyState.USER32(00000027), ref: 00417EB2
GetKeyState.USER32(0000002D), ref: 00417EBA
GetKeyState.USER32(0000000D), ref: 00417EC2
GetKeyState.USER32(00000027), ref: 00417ECA
GetKeyState.USER32(0000002D), ref: 00417ED2
GetKeyState.USER32(0000000D), ref: 00417EDA
GetKeyState.USER32(00000027), ref: 00417EE2
GetKeyState.USER32(0000002D), ref: 00417EEA
GetKeyState.USER32(0000000D), ref: 00417EF2
GetKeyState.USER32(00000027), ref: 00417EFA
GetKeyState.USER32(0000002D), ref: 00417F02
GetKeyState.USER32(0000000D), ref: 00417F0A
GetKeyState.USER32(00000027), ref: 00417F12
GetKeyState.USER32(0000002D), ref: 00417F1A
GetKeyState.USER32(0000000D), ref: 00417F22
GetKeyState.USER32(00000027), ref: 00417F2A
GetKeyState.USER32(0000002D), ref: 00417F32
GetKeyState.USER32(0000000D), ref: 00417F3A
GetKeyState.USER32(00000027), ref: 00417F42
GetKeyState.USER32(0000002D), ref: 00417F4A
GetKeyState.USER32(0000000D), ref: 00417F52
GetKeyState.USER32(00000027), ref: 00417F5A
GetKeyState.USER32(0000002D), ref: 00417F62
GetKeyState.USER32(0000000D), ref: 00417F6A
GetKeyState.USER32(00000027), ref: 00417F72
GetKeyState.USER32(0000002D), ref: 00417F7A
GetKeyState.USER32(0000000D), ref: 00417F82
GetKeyState.USER32(00000027), ref: 00417F8A
GetKeyState.USER32(0000002D), ref: 00417F92
GetKeyState.USER32(0000000D), ref: 00417F9A
GetKeyState.USER32(00000027), ref: 00417FA2
GetKeyState.USER32(0000002D), ref: 00417FAA
GetKeyState.USER32(0000000D), ref: 00417FB2
GetKeyState.USER32(00000027), ref: 00417FBA
GetKeyState.USER32(0000002D), ref: 00417FC2
GetKeyState.USER32(0000000D), ref: 00417FCA
GetKeyState.USER32(00000027), ref: 00417FD2
GetKeyState.USER32(0000002D), ref: 00417FDA
GetKeyState.USER32(0000000D), ref: 00417FE2
GetKeyState.USER32(00000027), ref: 00417FEA
GetKeyState.USER32(0000002D), ref: 00417FF2
GetKeyState.USER32(0000000D), ref: 00417FFA
GetKeyState.USER32(00000027), ref: 00418002
GetKeyState.USER32(0000002D), ref: 0041800A
GetKeyState.USER32(0000000D), ref: 00418012
GetKeyState.USER32(00000027), ref: 0041801A
GetKeyState.USER32(0000002D), ref: 00418022
GetKeyState.USER32(0000000D), ref: 0041802A
GetKeyState.USER32(00000027), ref: 00418032
GetKeyState.USER32(0000002D), ref: 0041803A
GetKeyState.USER32(0000000D), ref: 00418042
GetKeyState.USER32(00000027), ref: 0041804A
GetKeyState.USER32(0000002D), ref: 00418052
GetKeyState.USER32(0000000D), ref: 0041805A
GetKeyState.USER32(00000027), ref: 00418062
GetKeyState.USER32(0000002D), ref: 0041806A
GetKeyState.USER32(0000000D), ref: 00418072
GetKeyState.USER32(00000027), ref: 0041807A
GetKeyState.USER32(0000002D), ref: 00418082
GetKeyState.USER32(0000000D), ref: 0041808A
GetKeyState.USER32(00000027), ref: 00418092
GetKeyState.USER32(0000002D), ref: 0041809A
GetKeyState.USER32(0000000D), ref: 004180A2
GetKeyState.USER32(00000027), ref: 004180AA
GetKeyState.USER32(0000002D), ref: 004180B2
GetKeyState.USER32(0000000D), ref: 004180BA
GetKeyState.USER32(00000027), ref: 004180C2
GetKeyState.USER32(0000002D), ref: 004180CA
GetKeyState.USER32(0000000D), ref: 004180D2
GetKeyState.USER32(00000027), ref: 004180DA
GetKeyState.USER32(0000002D), ref: 004180E2
GetKeyState.USER32(0000000D), ref: 004180EA
GetKeyState.USER32(00000027), ref: 004180F2
GetKeyState.USER32(0000002D), ref: 004180FA
GetKeyState.USER32(0000000D), ref: 00418102
GetKeyState.USER32(00000027), ref: 0041810A
GetKeyState.USER32(0000002D), ref: 00418112
GetKeyState.USER32(0000000D), ref: 0041811A
GetKeyState.USER32(00000027), ref: 00418122
GetKeyState.USER32(0000002D), ref: 0041812A
GetKeyState.USER32(0000000D), ref: 00418132
GetKeyState.USER32(00000027), ref: 0041813A
GetKeyState.USER32(0000002D), ref: 00418142
GetKeyState.USER32(0000000D), ref: 0041814A
GetKeyState.USER32(00000027), ref: 00418152
GetKeyState.USER32(0000002D), ref: 0041815A
GetKeyState.USER32(0000000D), ref: 00418162
GetKeyState.USER32(00000027), ref: 0041816A
GetKeyState.USER32(0000002D), ref: 00418172
GetKeyState.USER32(0000000D), ref: 0041817A
GetKeyState.USER32(00000027), ref: 00418182
GetKeyState.USER32(0000002D), ref: 0041818A
GetKeyState.USER32(0000000D), ref: 00418192
GetKeyState.USER32(00000027), ref: 0041819A
GetKeyState.USER32(0000002D), ref: 004181A2
GetKeyState.USER32(0000000D), ref: 004181AA
GetKeyState.USER32(00000027), ref: 004181B2
GetKeyState.USER32(0000002D), ref: 004181BA
GetKeyState.USER32(0000000D), ref: 004181C2
GetKeyState.USER32(00000027), ref: 004181CA
GetKeyState.USER32(0000002D), ref: 004181D2
GetKeyState.USER32(0000000D), ref: 004181DA
GetKeyState.USER32(00000027), ref: 004181E2
GetKeyState.USER32(0000002D), ref: 004181EA
GetKeyState.USER32(0000000D), ref: 004181F2
GetKeyState.USER32(00000027), ref: 004181FA
GetKeyState.USER32(0000002D), ref: 00418202
GetKeyState.USER32(0000000D), ref: 0041820A
GetKeyState.USER32(00000027), ref: 00418212
GetKeyState.USER32(0000002D), ref: 0041821A
GetKeyState.USER32(0000000D), ref: 00418222
GetKeyState.USER32(00000027), ref: 0041822A
GetKeyState.USER32(0000002D), ref: 00418232
GetKeyState.USER32(0000000D), ref: 0041823A
GetKeyState.USER32(00000027), ref: 00418242
GetKeyState.USER32(0000002D), ref: 0041824A
GetKeyState.USER32(0000000D), ref: 00418252
GetKeyState.USER32(00000027), ref: 0041825A
GetKeyState.USER32(0000002D), ref: 00418262
GetKeyState.USER32(0000000D), ref: 0041826A
GetKeyState.USER32(00000027), ref: 00418272
GetKeyState.USER32(0000002D), ref: 0041827A
GetKeyState.USER32(0000000D), ref: 00418282
GetKeyState.USER32(00000027), ref: 0041828A
GetKeyState.USER32(0000002D), ref: 00418292
GetKeyState.USER32(0000000D), ref: 0041829A
GetKeyState.USER32(00000027), ref: 004182A2
GetKeyState.USER32(0000002D), ref: 004182AA
GetKeyState.USER32(0000000D), ref: 004182B2
GetKeyState.USER32(00000027), ref: 004182BA
GetKeyState.USER32(0000002D), ref: 004182C2
GetKeyState.USER32(0000000D), ref: 004182CA
GetKeyState.USER32(00000027), ref: 004182D2
GetKeyState.USER32(0000002D), ref: 004182E3
GetKeyState.USER32(0000000D), ref: 004182EB
GetKeyState.USER32(00000027), ref: 004182F3
GetKeyState.USER32(0000002D), ref: 004182FB
GetKeyState.USER32(0000000D), ref: 00418303
GetKeyState.USER32(00000027), ref: 0041830B
GetKeyState.USER32(0000002D), ref: 00418313
GetKeyState.USER32(0000000D), ref: 0041831B
GetKeyState.USER32(00000027), ref: 00418323
GetKeyState.USER32(0000002D), ref: 0041832B
GetKeyState.USER32(0000000D), ref: 00418333
GetKeyState.USER32(00000027), ref: 0041833B
GetKeyState.USER32(0000002D), ref: 00418343
GetKeyState.USER32(0000000D), ref: 0041834B
GetKeyState.USER32(00000027), ref: 00418353
GetKeyState.USER32(0000002D), ref: 0041835B
GetKeyState.USER32(0000000D), ref: 00418363
GetKeyState.USER32(00000027), ref: 0041836B
GetKeyState.USER32(0000002D), ref: 00418373
GetKeyState.USER32(0000000D), ref: 0041837B
GetKeyState.USER32(00000027), ref: 00418383
GetKeyState.USER32(0000002D), ref: 0041838B
GetKeyState.USER32(0000000D), ref: 00418393
GetKeyState.USER32(00000027), ref: 0041839B
GetKeyState.USER32(0000002D), ref: 004183A3
GetKeyState.USER32(0000000D), ref: 004183AB
GetKeyState.USER32(00000027), ref: 004183B3
GetKeyState.USER32(0000002D), ref: 004183BB
GetKeyState.USER32(0000000D), ref: 004183C3
GetKeyState.USER32(00000027), ref: 004183CB
GetKeyState.USER32(0000002D), ref: 004183D3
GetKeyState.USER32(0000000D), ref: 004183DB
GetKeyState.USER32(00000027), ref: 004183E3
GetKeyState.USER32(0000002D), ref: 004183EB
GetKeyState.USER32(0000000D), ref: 004183F3
GetKeyState.USER32(00000027), ref: 004183FB
GetKeyState.USER32(0000002D), ref: 00418403
GetKeyState.USER32(0000000D), ref: 0041840B
GetKeyState.USER32(00000027), ref: 00418413
GetKeyState.USER32(0000002D), ref: 0041841B
GetKeyState.USER32(0000000D), ref: 00418423
GetKeyState.USER32(00000027), ref: 0041842B
GetKeyState.USER32(0000002D), ref: 00418433
GetKeyState.USER32(0000000D), ref: 0041843B
GetKeyState.USER32(00000027), ref: 00418443
GetKeyState.USER32(0000002D), ref: 0041844B
GetKeyState.USER32(0000000D), ref: 00418453
GetKeyState.USER32(00000027), ref: 0041845B
GetKeyState.USER32(0000002D), ref: 00418463
GetKeyState.USER32(0000000D), ref: 0041846B
GetKeyState.USER32(00000027), ref: 00418473
GetKeyState.USER32(0000002D), ref: 0041847B
GetKeyState.USER32(0000000D), ref: 00418483
GetKeyState.USER32(00000027), ref: 0041848B
GetKeyState.USER32(0000002D), ref: 00418493
GetKeyState.USER32(0000000D), ref: 0041849B
GetKeyState.USER32(00000027), ref: 004184A3
GetKeyState.USER32(0000002D), ref: 004184AB
GetKeyState.USER32(0000000D), ref: 004184B3
GetKeyState.USER32(00000027), ref: 004184BB
GetKeyState.USER32(0000002D), ref: 004184C3
GetKeyState.USER32(0000000D), ref: 004184CB
GetKeyState.USER32(00000027), ref: 004184D3
GetKeyState.USER32(0000002D), ref: 004184DB
GetKeyState.USER32(0000000D), ref: 004184E3
GetKeyState.USER32(00000027), ref: 004184EB
GetKeyState.USER32(0000002D), ref: 004184F3
GetKeyState.USER32(0000000D), ref: 004184FB
GetKeyState.USER32(00000027), ref: 00418503
GetKeyState.USER32(0000002D), ref: 0041850B
GetKeyState.USER32(0000000D), ref: 00418513
GetKeyState.USER32(00000027), ref: 0041851B
GetKeyState.USER32(0000002D), ref: 00418523
GetKeyState.USER32(0000000D), ref: 0041852B
GetKeyState.USER32(00000027), ref: 00418533
GetKeyState.USER32(0000002D), ref: 0041853B
GetKeyState.USER32(0000000D), ref: 00418543
GetKeyState.USER32(00000027), ref: 0041854B
GetKeyState.USER32(0000002D), ref: 00418553
GetKeyState.USER32(0000000D), ref: 0041855B
GetKeyState.USER32(00000027), ref: 00418563
GetKeyState.USER32(0000002D), ref: 0041856B
GetKeyState.USER32(0000000D), ref: 00418573
GetKeyState.USER32(00000027), ref: 0041857B
GetKeyState.USER32(0000002D), ref: 00418583
GetKeyState.USER32(0000000D), ref: 0041858B
GetKeyState.USER32(00000027), ref: 00418593
GetKeyState.USER32(0000002D), ref: 0041859B
GetKeyState.USER32(0000000D), ref: 004185A3
GetKeyState.USER32(00000027), ref: 004185AB
GetKeyState.USER32(0000002D), ref: 004185B3
GetKeyState.USER32(0000000D), ref: 004185BB
GetKeyState.USER32(00000027), ref: 004185C3
GetKeyState.USER32(0000002D), ref: 004185CB
GetKeyState.USER32(0000000D), ref: 004185D3
GetKeyState.USER32(00000027), ref: 004185DB
GetKeyState.USER32(0000002D), ref: 004185E3
GetKeyState.USER32(0000000D), ref: 004185EB
GetKeyState.USER32(00000027), ref: 004185F3
GetKeyState.USER32(0000002D), ref: 004185FB
GetKeyState.USER32(0000000D), ref: 00418603
GetKeyState.USER32(00000027), ref: 0041860B
GetKeyState.USER32(0000002D), ref: 00418613
GetKeyState.USER32(0000000D), ref: 0041861B
GetKeyState.USER32(00000027), ref: 00418623
GetKeyState.USER32(0000002D), ref: 0041862B
GetKeyState.USER32(0000000D), ref: 00418633
GetKeyState.USER32(00000027), ref: 0041863B
GetKeyState.USER32(0000002D), ref: 00418643
GetKeyState.USER32(0000000D), ref: 0041864B
GetKeyState.USER32(00000027), ref: 00418653
GetKeyState.USER32(0000002D), ref: 0041865B
GetKeyState.USER32(0000000D), ref: 00418663
GetKeyState.USER32(00000027), ref: 0041866B
GetKeyState.USER32(0000002D), ref: 00418673
GetKeyState.USER32(0000000D), ref: 0041867B
GetKeyState.USER32(00000027), ref: 00418683
GetKeyState.USER32(0000002D), ref: 0041868B
GetKeyState.USER32(0000000D), ref: 00418693
GetKeyState.USER32(00000027), ref: 0041869B
GetKeyState.USER32(0000002D), ref: 004186A3
GetKeyState.USER32(0000000D), ref: 004186AB
GetKeyState.USER32(00000027), ref: 004186B3
GetKeyState.USER32(0000002D), ref: 004186BB
GetKeyState.USER32(0000000D), ref: 004186C3
GetKeyState.USER32(00000027), ref: 004186CB
GetKeyState.USER32(0000002D), ref: 004186D3
GetKeyState.USER32(0000000D), ref: 004186DB
GetKeyState.USER32(00000027), ref: 004186E3
GetKeyState.USER32(0000002D), ref: 004186EB
GetKeyState.USER32(0000000D), ref: 004186F3
GetKeyState.USER32(00000027), ref: 004186FB
GetKeyState.USER32(0000002D), ref: 00418703
GetKeyState.USER32(0000000D), ref: 0041870B
GetKeyState.USER32(00000027), ref: 00418713
GetKeyState.USER32(0000002D), ref: 0041871B
GetKeyState.USER32(0000000D), ref: 00418723
GetKeyState.USER32(00000027), ref: 0041872B
GetKeyState.USER32(0000002D), ref: 00418733
GetKeyState.USER32(0000000D), ref: 0041873B
GetKeyState.USER32(00000027), ref: 00418743
GetKeyState.USER32(0000002D), ref: 0041874B
GetKeyState.USER32(0000000D), ref: 00418753
GetKeyState.USER32(00000027), ref: 0041875B
GetKeyState.USER32(0000002D), ref: 00418763
GetKeyState.USER32(0000000D), ref: 0041876B
GetKeyState.USER32(00000027), ref: 00418773
GetKeyState.USER32(0000002D), ref: 0041877B
GetKeyState.USER32(0000000D), ref: 00418783
GetKeyState.USER32(00000027), ref: 0041878B
GetKeyState.USER32(0000002D), ref: 00418793
GetKeyState.USER32(0000000D), ref: 0041879B
GetKeyState.USER32(00000027), ref: 004187A3
GetKeyState.USER32(0000002D), ref: 004187AB
GetKeyState.USER32(0000000D), ref: 004187B3
GetKeyState.USER32(00000027), ref: 004187BB
GetKeyState.USER32(0000002D), ref: 004187C3
GetKeyState.USER32(0000000D), ref: 004187CB
GetKeyState.USER32(00000027), ref: 004187D3
GetKeyState.USER32(0000002D), ref: 004187DB
GetKeyState.USER32(0000000D), ref: 004187E3
GetKeyState.USER32(00000027), ref: 004187EB
GetKeyState.USER32(0000002D), ref: 004187F3
GetKeyState.USER32(0000000D), ref: 004187FB
GetKeyState.USER32(00000027), ref: 00418803
GetKeyState.USER32(0000002D), ref: 0041880B
GetKeyState.USER32(0000000D), ref: 00418813
GetKeyState.USER32(00000027), ref: 0041881B
GetKeyState.USER32(0000002D), ref: 00418823
GetKeyState.USER32(0000000D), ref: 0041882B
GetKeyState.USER32(00000027), ref: 00418833
GetKeyState.USER32(0000002D), ref: 0041883B
GetKeyState.USER32(0000000D), ref: 00418843
GetKeyState.USER32(00000027), ref: 0041884B
GetKeyState.USER32(0000002D), ref: 00418853
GetKeyState.USER32(0000000D), ref: 0041885B
GetKeyState.USER32(00000027), ref: 00418863
GetKeyState.USER32(0000002D), ref: 0041886B
GetKeyState.USER32(0000000D), ref: 00418873
GetKeyState.USER32(00000027), ref: 0041887B
GetKeyState.USER32(0000002D), ref: 00418883
GetKeyState.USER32(0000000D), ref: 0041888B
GetKeyState.USER32(00000027), ref: 00418893
GetKeyState.USER32(0000002D), ref: 0041889B
GetKeyState.USER32(0000000D), ref: 004188A3
GetKeyState.USER32(00000027), ref: 004188AB
GetKeyState.USER32(0000002D), ref: 004188B3
GetKeyState.USER32(0000000D), ref: 004188BB
GetKeyState.USER32(00000027), ref: 004188C3
GetKeyState.USER32(0000002D), ref: 004188CB
GetKeyState.USER32(0000000D), ref: 004188D3
GetKeyState.USER32(00000027), ref: 004188DB
GetKeyState.USER32(0000002D), ref: 004188E3
GetKeyState.USER32(0000000D), ref: 004188EB
GetKeyState.USER32(00000027), ref: 004188F3
GetKeyState.USER32(0000002D), ref: 004188FB
GetKeyState.USER32(0000000D), ref: 00418903
GetKeyState.USER32(00000027), ref: 0041890B
GetKeyState.USER32(0000002D), ref: 00418913
GetKeyState.USER32(0000000D), ref: 0041891B
GetKeyState.USER32(00000027), ref: 00418923
GetKeyState.USER32(0000002D), ref: 0041892B
GetKeyState.USER32(0000000D), ref: 00418933
GetKeyState.USER32(00000027), ref: 0041893B
GetKeyState.USER32(0000002D), ref: 00418943
GetKeyState.USER32(0000000D), ref: 0041894B
GetKeyState.USER32(00000027), ref: 00418953
GetKeyState.USER32(0000002D), ref: 0041895B
GetKeyState.USER32(0000000D), ref: 00418963
GetKeyState.USER32(00000027), ref: 0041896B
GetKeyState.USER32(0000002D), ref: 00418973
GetKeyState.USER32(0000000D), ref: 0041897B
GetKeyState.USER32(00000027), ref: 00418983
GetKeyState.USER32(0000002D), ref: 0041898B
GetKeyState.USER32(0000000D), ref: 00418993
GetKeyState.USER32(00000027), ref: 0041899B
GetKeyState.USER32(0000002D), ref: 004189A3
GetKeyState.USER32(0000000D), ref: 004189AB
GetKeyState.USER32(00000027), ref: 004189B3
GetKeyState.USER32(0000002D), ref: 004189BB
GetKeyState.USER32(0000000D), ref: 004189C3
GetKeyState.USER32(00000027), ref: 004189CB
GetKeyState.USER32(0000002D), ref: 004189D3
GetKeyState.USER32(0000000D), ref: 004189DB
GetKeyState.USER32(00000027), ref: 004189E3
GetKeyState.USER32(0000002D), ref: 004189EB
GetKeyState.USER32(0000000D), ref: 004189F3
GetKeyState.USER32(00000027), ref: 004189FB
GetKeyState.USER32(0000002D), ref: 00418A03
GetKeyState.USER32(0000000D), ref: 00418A0B
GetKeyState.USER32(00000027), ref: 00418A13
GetKeyState.USER32(0000002D), ref: 00418A1B
GetKeyState.USER32(0000000D), ref: 00418A23
GetKeyState.USER32(00000027), ref: 00418A2B
GetKeyState.USER32(0000002D), ref: 00418A33
GetKeyState.USER32(0000000D), ref: 00418A3B
GetKeyState.USER32(00000027), ref: 00418A43
GetKeyState.USER32(0000002D), ref: 00418A4B
GetKeyState.USER32(0000000D), ref: 00418A53
GetKeyState.USER32(00000027), ref: 00418A5B
GetKeyState.USER32(0000002D), ref: 00418A63
GetKeyState.USER32(0000000D), ref: 00418A6B
GetKeyState.USER32(00000027), ref: 00418A73
GetKeyState.USER32(0000002D), ref: 00418A7B
GetKeyState.USER32(0000000D), ref: 00418A83
GetKeyState.USER32(00000027), ref: 00418A8B
GetKeyState.USER32(0000002D), ref: 00418A93
GetKeyState.USER32(0000000D), ref: 00418A9B
GetKeyState.USER32(00000027), ref: 00418AA3
GetKeyState.USER32(0000002D), ref: 00418AAB
GetKeyState.USER32(0000000D), ref: 00418AB3
GetKeyState.USER32(00000027), ref: 00418ABB
GetKeyState.USER32(0000002D), ref: 00418AC3
GetKeyState.USER32(0000000D), ref: 00418ACB
GetKeyState.USER32(00000027), ref: 00418AD3
GetKeyState.USER32(0000002D), ref: 00418ADB
GetKeyState.USER32(0000000D), ref: 00418AE3
GetKeyState.USER32(00000027), ref: 00418AEB
GetKeyState.USER32(0000002D), ref: 00418AF3
GetKeyState.USER32(0000000D), ref: 00418AFB
GetKeyState.USER32(00000027), ref: 00418B03
GetKeyState.USER32(0000002D), ref: 00418B0B
GetKeyState.USER32(0000000D), ref: 00418B13
GetKeyState.USER32(00000027), ref: 00418B1B
GetKeyState.USER32(0000002D), ref: 00418B23
GetKeyState.USER32(0000000D), ref: 00418B2B
GetKeyState.USER32(00000027), ref: 00418B33
GetKeyState.USER32(0000002D), ref: 00418B3B
GetKeyState.USER32(0000000D), ref: 00418B43
GetKeyState.USER32(00000027), ref: 00418B4B
GetKeyState.USER32(0000002D), ref: 00418B53
GetKeyState.USER32(0000000D), ref: 00418B5B
GetKeyState.USER32(00000027), ref: 00418B63
GetKeyState.USER32(0000002D), ref: 00418B6B
GetKeyState.USER32(0000000D), ref: 00418B73
GetKeyState.USER32(00000027), ref: 00418B7B
GetKeyState.USER32(0000002D), ref: 00418B83
GetKeyState.USER32(0000000D), ref: 00418B8B
GetKeyState.USER32(00000027), ref: 00418B93
GetKeyState.USER32(0000002D), ref: 00418B9B
GetKeyState.USER32(0000000D), ref: 00418BA3
GetKeyState.USER32(00000027), ref: 00418BAB
GetKeyState.USER32(0000002D), ref: 00418BB3
GetKeyState.USER32(0000000D), ref: 00418BBB
GetKeyState.USER32(00000027), ref: 00418BC3
GetKeyState.USER32(0000002D), ref: 00418BCB
GetKeyState.USER32(0000000D), ref: 00418BD3
GetKeyState.USER32(00000027), ref: 00418BDB
GetKeyState.USER32(0000002D), ref: 00418BE3
GetKeyState.USER32(0000000D), ref: 00418BEB
GetKeyState.USER32(00000027), ref: 00418BF3
GetKeyState.USER32(0000002D), ref: 00418BFB
GetKeyState.USER32(0000000D), ref: 00418C03
GetKeyState.USER32(00000027), ref: 00418C0B
GetKeyState.USER32(0000002D), ref: 00418C13
GetKeyState.USER32(0000000D), ref: 00418C1B
GetKeyState.USER32(00000027), ref: 00418C23
GetKeyState.USER32(0000002D), ref: 00418C2B
GetKeyState.USER32(0000000D), ref: 00418C33
GetKeyState.USER32(00000027), ref: 00418C3B
GetKeyState.USER32(0000002D), ref: 00418C43
GetKeyState.USER32(0000000D), ref: 00418C4B
GetKeyState.USER32(00000027), ref: 00418C53
GetKeyState.USER32(0000002D), ref: 00418C5B
GetKeyState.USER32(0000000D), ref: 00418C63
GetKeyState.USER32(00000027), ref: 00418C6B
GetKeyState.USER32(0000002D), ref: 00418C73
GetKeyState.USER32(0000000D), ref: 00418C7B
GetKeyState.USER32(00000027), ref: 00418C83
GetKeyState.USER32(0000002D), ref: 00418C8B
GetKeyState.USER32(0000000D), ref: 00418C93
GetKeyState.USER32(00000027), ref: 00418C9B
GetKeyState.USER32(0000002D), ref: 00418CA3
GetKeyState.USER32(0000000D), ref: 00418CAB
GetKeyState.USER32(00000027), ref: 00418CB3
GetKeyState.USER32(0000002D), ref: 00418CBB
GetKeyState.USER32(0000000D), ref: 00418CC3
GetKeyState.USER32(00000027), ref: 00418CCB
GetKeyState.USER32(0000002D), ref: 00418CD3
GetKeyState.USER32(0000000D), ref: 00418CDB
GetKeyState.USER32(00000027), ref: 00418CE3
GetKeyState.USER32(0000002D), ref: 00418CEB
GetKeyState.USER32(0000000D), ref: 00418CF3
GetKeyState.USER32(00000027), ref: 00418CFB
GetKeyState.USER32(0000002D), ref: 00418D03
GetKeyState.USER32(0000000D), ref: 00418D0B
GetKeyState.USER32(00000027), ref: 00418D13
GetKeyState.USER32(0000002D), ref: 00418D1B
GetKeyState.USER32(0000000D), ref: 00418D23
GetKeyState.USER32(00000027), ref: 00418D2B
GetKeyState.USER32(0000002D), ref: 00418D33
GetKeyState.USER32(0000000D), ref: 00418D3B
GetKeyState.USER32(00000027), ref: 00418D43
GetKeyState.USER32(0000002D), ref: 00418D4B
GetKeyState.USER32(0000000D), ref: 00418D53
GetKeyState.USER32(00000027), ref: 00418D5B
GetKeyState.USER32(0000002D), ref: 00418D63
GetKeyState.USER32(0000000D), ref: 00418D6B
GetKeyState.USER32(00000027), ref: 00418D73
GetKeyState.USER32(0000002D), ref: 00418D7B
GetKeyState.USER32(0000000D), ref: 00418D83
GetKeyState.USER32(00000027), ref: 00418D8B
GetKeyState.USER32(0000002D), ref: 00418D93
GetKeyState.USER32(0000000D), ref: 00418D9B
GetKeyState.USER32(00000027), ref: 00418DA3
GetKeyState.USER32(0000002D), ref: 00418DAB
GetKeyState.USER32(0000000D), ref: 00418DB3
GetKeyState.USER32(00000027), ref: 00418DBB
GetKeyState.USER32(0000002D), ref: 00418DC3
GetKeyState.USER32(0000000D), ref: 00418DCB
GetKeyState.USER32(00000027), ref: 00418DD3
GetKeyState.USER32(0000002D), ref: 00418DDB
GetKeyState.USER32(0000000D), ref: 00418DE3
GetKeyState.USER32(00000027), ref: 00418DEB
GetKeyState.USER32(0000002D), ref: 00418DF3
GetKeyState.USER32(0000000D), ref: 00418DFB
GetKeyState.USER32(00000027), ref: 00418E03
GetKeyState.USER32(0000002D), ref: 00418E0B
GetKeyState.USER32(0000000D), ref: 00418E13
GetKeyState.USER32(00000027), ref: 00418E1B
GetKeyState.USER32(0000002D), ref: 00418E23
GetKeyState.USER32(0000000D), ref: 00418E2B
GetKeyState.USER32(00000027), ref: 00418E33
GetKeyState.USER32(0000002D), ref: 00418E3B
GetKeyState.USER32(0000000D), ref: 00418E43
GetKeyState.USER32(00000027), ref: 00418E4B
GetKeyState.USER32(0000002D), ref: 00418E53
GetKeyState.USER32(0000000D), ref: 00418E5B
GetKeyState.USER32(00000027), ref: 00418E63
GetKeyState.USER32(0000002D), ref: 00418E6B
GetKeyState.USER32(0000000D), ref: 00418E73
GetKeyState.USER32(00000027), ref: 00418E7B
GetKeyState.USER32(0000002D), ref: 00418E83
GetKeyState.USER32(0000000D), ref: 00418E8B
GetKeyState.USER32(00000027), ref: 00418E93
GetKeyState.USER32(0000002D), ref: 00418E9B
GetKeyState.USER32(0000000D), ref: 00418EA3
GetKeyState.USER32(00000027), ref: 00418EAB
GetKeyState.USER32(0000002D), ref: 00418EB3
GetKeyState.USER32(0000000D), ref: 00418EBB
GetKeyState.USER32(00000027), ref: 00418EC3
GetKeyState.USER32(0000002D), ref: 00418ECB
GetKeyState.USER32(0000000D), ref: 00418ED3
GetKeyState.USER32(00000027), ref: 00418EDB
GetKeyState.USER32(0000002D), ref: 00418EE3
GetKeyState.USER32(0000000D), ref: 00418EEB
GetKeyState.USER32(00000027), ref: 00418EF3
GetKeyState.USER32(0000002D), ref: 00418EFB
GetKeyState.USER32(0000000D), ref: 00418F03
GetKeyState.USER32(00000027), ref: 00418F0B
GetKeyState.USER32(0000002D), ref: 00418F13
GetKeyState.USER32(0000000D), ref: 00418F1B
GetKeyState.USER32(00000027), ref: 00418F23
GetKeyState.USER32(0000002D), ref: 00418F2B
GetKeyState.USER32(0000000D), ref: 00418F33
GetKeyState.USER32(00000027), ref: 00418F3B
GetKeyState.USER32(0000002D), ref: 00418F43
GetKeyState.USER32(0000000D), ref: 00418F4B
GetKeyState.USER32(00000027), ref: 00418F53
GetKeyState.USER32(0000002D), ref: 00418F5B
GetKeyState.USER32(0000000D), ref: 00418F63
GetKeyState.USER32(00000027), ref: 00418F6B
GetKeyState.USER32(0000002D), ref: 00418F73
GetKeyState.USER32(0000000D), ref: 00418F7B
GetKeyState.USER32(00000027), ref: 00418F83
GetKeyState.USER32(0000002D), ref: 00418F8B
GetKeyState.USER32(0000000D), ref: 00418F93
GetKeyState.USER32(00000027), ref: 00418F9B
GetKeyState.USER32(0000002D), ref: 00418FA3
GetKeyState.USER32(0000000D), ref: 00418FAB
GetKeyState.USER32(00000027), ref: 00418FB3
GetKeyState.USER32(0000002D), ref: 00418FBB
GetKeyState.USER32(0000000D), ref: 00418FC3
GetKeyState.USER32(00000027), ref: 00418FCB
GetKeyState.USER32(0000002D), ref: 00418FD3
GetKeyState.USER32(0000000D), ref: 00418FDB
GetKeyState.USER32(00000027), ref: 00418FE3
GetKeyState.USER32(0000002D), ref: 00418FEB
GetKeyState.USER32(0000000D), ref: 00418FF3
GetKeyState.USER32(00000027), ref: 00418FFB
GetKeyState.USER32(0000002D), ref: 00419003
GetKeyState.USER32(0000000D), ref: 0041900B
GetKeyState.USER32(00000027), ref: 00419013
GetKeyState.USER32(0000002D), ref: 0041901B
GetKeyState.USER32(0000000D), ref: 00419023
GetKeyState.USER32(00000027), ref: 0041902B
GetKeyState.USER32(0000002D), ref: 00419033
GetKeyState.USER32(0000000D), ref: 0041903B
GetKeyState.USER32(00000027), ref: 00419043
GetKeyState.USER32(0000002D), ref: 0041904B
GetKeyState.USER32(0000000D), ref: 00419053
GetKeyState.USER32(00000027), ref: 0041905B
GetKeyState.USER32(0000002D), ref: 00419063
GetKeyState.USER32(0000000D), ref: 0041906B
GetKeyState.USER32(00000027), ref: 00419073
GetKeyState.USER32(0000002D), ref: 0041907B
GetKeyState.USER32(0000000D), ref: 00419083
GetKeyState.USER32(00000027), ref: 0041908B
GetKeyState.USER32(0000002D), ref: 00419093
GetKeyState.USER32(0000000D), ref: 0041909B
GetKeyState.USER32(00000027), ref: 004190A3
GetKeyState.USER32(0000002D), ref: 004190AB
GetKeyState.USER32(0000000D), ref: 004190B3
GetKeyState.USER32(00000027), ref: 004190BB
GetKeyState.USER32(0000002D), ref: 004190C3
GetKeyState.USER32(0000000D), ref: 004190CB
GetKeyState.USER32(00000027), ref: 004190D3
GetKeyState.USER32(0000002D), ref: 004190DB
GetKeyState.USER32(0000000D), ref: 004190E3
GetKeyState.USER32(00000027), ref: 004190EB
GetKeyState.USER32(0000002D), ref: 004190F3
GetKeyState.USER32(0000000D), ref: 004190FB
GetKeyState.USER32(00000027), ref: 00419103
GetKeyState.USER32(0000002D), ref: 0041910B
GetKeyState.USER32(0000000D), ref: 00419113
GetKeyState.USER32(00000027), ref: 0041911B
GetKeyState.USER32(0000002D), ref: 00419123
GetKeyState.USER32(0000000D), ref: 0041912B
GetKeyState.USER32(00000027), ref: 00419133
GetKeyState.USER32(0000002D), ref: 0041913B
GetKeyState.USER32(0000000D), ref: 00419143
GetKeyState.USER32(00000027), ref: 0041914B
GetKeyState.USER32(0000002D), ref: 00419153
GetKeyState.USER32(0000000D), ref: 0041915B
GetKeyState.USER32(00000027), ref: 00419163
GetKeyState.USER32(0000002D), ref: 0041916B
GetKeyState.USER32(0000000D), ref: 00419173
GetKeyState.USER32(00000027), ref: 0041917B
GetKeyState.USER32(0000002D), ref: 00419183
GetKeyState.USER32(0000000D), ref: 0041918B
GetKeyState.USER32(00000027), ref: 00419193
GetKeyState.USER32(0000002D), ref: 0041919B
GetKeyState.USER32(0000000D), ref: 004191A3
GetKeyState.USER32(00000027), ref: 004191AB
GetKeyState.USER32(0000002D), ref: 004191B3
GetKeyState.USER32(0000000D), ref: 004191BB
GetKeyState.USER32(00000027), ref: 004191C3
GetKeyState.USER32(0000002D), ref: 004191CB
GetKeyState.USER32(0000000D), ref: 004191D3
GetKeyState.USER32(00000027), ref: 004191DB
GetKeyState.USER32(0000002D), ref: 004191E3
GetKeyState.USER32(0000000D), ref: 004191EB
GetKeyState.USER32(00000027), ref: 004191F3
GetKeyState.USER32(0000002D), ref: 004191FB
GetKeyState.USER32(0000000D), ref: 00419203
GetKeyState.USER32(00000027), ref: 0041920B
GetKeyState.USER32(0000002D), ref: 00419213
GetKeyState.USER32(0000000D), ref: 0041921B
GetKeyState.USER32(00000027), ref: 00419223
GetKeyState.USER32(0000002D), ref: 0041922B
GetKeyState.USER32(0000000D), ref: 00419233
GetKeyState.USER32(00000027), ref: 0041923B
GetKeyState.USER32(0000002D), ref: 00419243
GetKeyState.USER32(0000000D), ref: 0041924B
GetKeyState.USER32(00000027), ref: 00419253
GetKeyState.USER32(0000002D), ref: 0041925B
GetKeyState.USER32(0000000D), ref: 00419263
GetKeyState.USER32(00000027), ref: 0041926B
GetKeyState.USER32(0000002D), ref: 00419273
GetKeyState.USER32(0000000D), ref: 0041927B
GetKeyState.USER32(00000027), ref: 00419283
GetKeyState.USER32(0000002D), ref: 0041928B
GetKeyState.USER32(0000000D), ref: 00419293
GetKeyState.USER32(00000027), ref: 0041929B
GetKeyState.USER32(0000002D), ref: 004192A3
GetKeyState.USER32(0000000D), ref: 004192AB
GetKeyState.USER32(00000027), ref: 004192B3
GetKeyState.USER32(0000002D), ref: 004192BB
GetKeyState.USER32(0000000D), ref: 004192C3
GetKeyState.USER32(00000027), ref: 004192CB
GetKeyState.USER32(0000002D), ref: 004192D3
GetKeyState.USER32(0000000D), ref: 004192DB
GetKeyState.USER32(00000027), ref: 004192E3
GetKeyState.USER32(0000002D), ref: 004192EB
GetKeyState.USER32(0000000D), ref: 004192F3
GetKeyState.USER32(00000027), ref: 004192FB
GetKeyState.USER32(0000002D), ref: 00419303
GetKeyState.USER32(0000000D), ref: 0041930B
GetKeyState.USER32(00000027), ref: 00419313
GetKeyState.USER32(0000002D), ref: 0041931B
GetKeyState.USER32(0000000D), ref: 00419323
GetKeyState.USER32(00000027), ref: 0041932B
GetKeyState.USER32(0000002D), ref: 00419333
GetKeyState.USER32(0000000D), ref: 0041933B
GetKeyState.USER32(00000027), ref: 00419343
GetKeyState.USER32(0000002D), ref: 0041934B
GetKeyState.USER32(0000000D), ref: 00419353
GetKeyState.USER32(00000027), ref: 0041935B
GetKeyState.USER32(0000002D), ref: 00419363
GetKeyState.USER32(0000000D), ref: 0041936B
GetKeyState.USER32(00000027), ref: 00419373
GetKeyState.USER32(0000002D), ref: 0041937B
GetKeyState.USER32(0000000D), ref: 00419383
GetKeyState.USER32(00000027), ref: 0041938B
GetKeyState.USER32(0000002D), ref: 00419393
GetKeyState.USER32(0000000D), ref: 0041939B
GetKeyState.USER32(00000027), ref: 004193A3
GetKeyState.USER32(0000002D), ref: 004193AB
GetKeyState.USER32(0000000D), ref: 004193B3
GetKeyState.USER32(00000027), ref: 004193BB
GetKeyState.USER32(0000002D), ref: 004193C3
GetKeyState.USER32(0000000D), ref: 004193CB
GetKeyState.USER32(00000027), ref: 004193D3
GetKeyState.USER32(0000002D), ref: 004193DB
GetKeyState.USER32(0000000D), ref: 004193E3
GetKeyState.USER32(00000027), ref: 004193EB
GetKeyState.USER32(0000002D), ref: 004193F3
GetKeyState.USER32(0000000D), ref: 004193FB
GetKeyState.USER32(00000027), ref: 00419403
GetKeyState.USER32(0000002D), ref: 0041940B
GetKeyState.USER32(0000000D), ref: 00419413
GetKeyState.USER32(00000027), ref: 0041941B
GetKeyState.USER32(0000002D), ref: 00419423
GetKeyState.USER32(0000000D), ref: 0041942B
GetKeyState.USER32(00000027), ref: 00419433
GetKeyState.USER32(0000002D), ref: 0041943B
GetKeyState.USER32(0000000D), ref: 00419443
GetKeyState.USER32(00000027), ref: 0041944B
GetKeyState.USER32(0000002D), ref: 00419453
GetKeyState.USER32(0000000D), ref: 0041945B
GetKeyState.USER32(00000027), ref: 00419463
GetKeyState.USER32(0000002D), ref: 0041946B
GetKeyState.USER32(0000000D), ref: 00419473
GetKeyState.USER32(00000027), ref: 0041947B
GetKeyState.USER32(0000002D), ref: 00419483
GetKeyState.USER32(0000000D), ref: 0041948B
GetKeyState.USER32(00000027), ref: 00419493
GetKeyState.USER32(0000002D), ref: 0041949B
GetKeyState.USER32(0000000D), ref: 004194A3
GetKeyState.USER32(00000027), ref: 004194AB
GetKeyState.USER32(0000002D), ref: 004194B3
GetKeyState.USER32(0000000D), ref: 004194BB
GetKeyState.USER32(00000027), ref: 004194C3
GetKeyState.USER32(0000002D), ref: 004194CB
GetKeyState.USER32(0000000D), ref: 004194D3
GetKeyState.USER32(00000027), ref: 004194DB
GetKeyState.USER32(0000002D), ref: 004194E3
GetKeyState.USER32(0000000D), ref: 004194EB
GetKeyState.USER32(00000027), ref: 004194F3
GetKeyState.USER32(0000002D), ref: 004194FB
GetKeyState.USER32(0000000D), ref: 00419503
GetKeyState.USER32(00000027), ref: 0041950B
GetKeyState.USER32(0000002D), ref: 00419513
GetKeyState.USER32(0000000D), ref: 0041951B
GetKeyState.USER32(00000027), ref: 00419523
GetKeyState.USER32(0000002D), ref: 0041952B
GetKeyState.USER32(0000000D), ref: 00419533
GetKeyState.USER32(00000027), ref: 0041953B
GetKeyState.USER32(0000002D), ref: 00419543
GetKeyState.USER32(0000000D), ref: 0041954B
GetKeyState.USER32(00000027), ref: 00419553
GetKeyState.USER32(0000002D), ref: 0041955B
GetKeyState.USER32(0000000D), ref: 00419563
GetKeyState.USER32(00000027), ref: 0041956B
GetKeyState.USER32(0000002D), ref: 00419573
GetKeyState.USER32(0000000D), ref: 0041957B
GetKeyState.USER32(00000027), ref: 00419583
GetKeyState.USER32(0000002D), ref: 0041958B
GetKeyState.USER32(0000000D), ref: 00419593
GetKeyState.USER32(00000027), ref: 0041959B
GetKeyState.USER32(0000002D), ref: 004195A3
GetKeyState.USER32(0000000D), ref: 004195AB
GetKeyState.USER32(00000027), ref: 004195B3
GetKeyState.USER32(0000002D), ref: 004195BB
GetKeyState.USER32(0000000D), ref: 004195C3
GetKeyState.USER32(00000027), ref: 004195CB
GetKeyState.USER32(0000002D), ref: 004195D3
GetKeyState.USER32(0000000D), ref: 004195DB
GetKeyState.USER32(00000027), ref: 004195E3
GetKeyState.USER32(0000002D), ref: 004195EB
GetKeyState.USER32(0000000D), ref: 004195F3
GetKeyState.USER32(00000027), ref: 004195FB
GetKeyState.USER32(0000002D), ref: 00419603
GetKeyState.USER32(0000000D), ref: 0041960B
GetKeyState.USER32(00000027), ref: 00419613
GetKeyState.USER32(0000002D), ref: 0041961B
GetKeyState.USER32(0000000D), ref: 00419623
GetKeyState.USER32(00000027), ref: 0041962B
GetKeyState.USER32(0000002D), ref: 00419633
GetKeyState.USER32(0000000D), ref: 0041963B
GetKeyState.USER32(00000027), ref: 00419643
GetKeyState.USER32(0000002D), ref: 0041964B
GetKeyState.USER32(0000000D), ref: 00419653
GetKeyState.USER32(00000027), ref: 0041965B
GetKeyState.USER32(0000002D), ref: 00419663
GetKeyState.USER32(0000000D), ref: 0041966B
GetKeyState.USER32(00000027), ref: 00419673
GetKeyState.USER32(0000002D), ref: 0041967B
GetKeyState.USER32(0000000D), ref: 00419683
GetKeyState.USER32(00000027), ref: 0041968B
GetKeyState.USER32(0000002D), ref: 00419693
GetKeyState.USER32(0000000D), ref: 0041969B
GetKeyState.USER32(00000027), ref: 004196A3
GetKeyState.USER32(0000002D), ref: 004196AB
GetKeyState.USER32(0000000D), ref: 004196B3
GetKeyState.USER32(00000027), ref: 004196BB
GetKeyState.USER32(0000002D), ref: 004196C3
GetKeyState.USER32(0000000D), ref: 004196CB
GetKeyState.USER32(00000027), ref: 004196D3
GetKeyState.USER32(0000002D), ref: 004196DB
GetKeyState.USER32(0000000D), ref: 004196E3
GetKeyState.USER32(00000027), ref: 004196EB
GetKeyState.USER32(0000002D), ref: 004196F3
GetKeyState.USER32(0000000D), ref: 004196FB
GetKeyState.USER32(00000027), ref: 00419703
GetKeyState.USER32(0000002D), ref: 0041970B
GetKeyState.USER32(0000000D), ref: 00419713
GetKeyState.USER32(00000027), ref: 0041971B
GetKeyState.USER32(0000002D), ref: 00419723
GetKeyState.USER32(0000000D), ref: 0041972B
GetKeyState.USER32(00000027), ref: 00419733
GetKeyState.USER32(0000002D), ref: 0041973B
GetKeyState.USER32(0000000D), ref: 00419743
GetKeyState.USER32(00000027), ref: 0041974B
GetKeyState.USER32(0000002D), ref: 00419753
GetKeyState.USER32(0000000D), ref: 0041975B
GetKeyState.USER32(00000027), ref: 00419763
GetKeyState.USER32(0000002D), ref: 0041976B
GetKeyState.USER32(0000000D), ref: 00419773
GetKeyState.USER32(00000027), ref: 0041977B
GetKeyState.USER32(0000002D), ref: 00419783
GetKeyState.USER32(0000000D), ref: 0041978B
GetKeyState.USER32(00000027), ref: 00419793
GetKeyState.USER32(0000002D), ref: 0041979B
GetKeyState.USER32(0000000D), ref: 004197A3
GetKeyState.USER32(00000027), ref: 004197AB
GetKeyState.USER32(0000002D), ref: 004197B3
GetKeyState.USER32(0000000D), ref: 004197BB
GetKeyState.USER32(00000027), ref: 004197C3
GetKeyState.USER32(0000002D), ref: 004197CB
GetKeyState.USER32(0000000D), ref: 004197D3
GetKeyState.USER32(00000027), ref: 004197DB
GetKeyState.USER32(0000002D), ref: 004197E3
GetKeyState.USER32(0000000D), ref: 004197EB
GetKeyState.USER32(00000027), ref: 004197F3
GetKeyState.USER32(0000002D), ref: 004197FB
GetKeyState.USER32(0000000D), ref: 00419803
GetKeyState.USER32(00000027), ref: 0041980B
GetKeyState.USER32(0000002D), ref: 00419813
GetKeyState.USER32(0000000D), ref: 0041981B
GetKeyState.USER32(00000027), ref: 00419823
GetKeyState.USER32(0000002D), ref: 0041982B
GetKeyState.USER32(0000000D), ref: 00419833
GetKeyState.USER32(00000027), ref: 0041983B
GetKeyState.USER32(0000002D), ref: 00419843
GetKeyState.USER32(0000000D), ref: 0041984B
GetKeyState.USER32(00000027), ref: 00419853
GetKeyState.USER32(0000002D), ref: 0041985B
GetKeyState.USER32(0000000D), ref: 00419863
GetKeyState.USER32(00000027), ref: 0041986B
GetKeyState.USER32(0000002D), ref: 00419873
GetKeyState.USER32(0000000D), ref: 0041987B
GetKeyState.USER32(00000027), ref: 00419883
GetKeyState.USER32(0000002D), ref: 0041988B
GetKeyState.USER32(0000000D), ref: 00419893
GetKeyState.USER32(00000027), ref: 0041989B
GetKeyState.USER32(0000002D), ref: 004198A3
GetKeyState.USER32(0000000D), ref: 004198AB
GetKeyState.USER32(00000027), ref: 004198B3
GetKeyState.USER32(0000002D), ref: 004198BB
GetKeyState.USER32(0000000D), ref: 004198C3
GetKeyState.USER32(00000027), ref: 004198CB
GetKeyState.USER32(0000002D), ref: 004198D3
GetKeyState.USER32(0000000D), ref: 004198DB
GetKeyState.USER32(00000027), ref: 004198E3
GetKeyState.USER32(0000002D), ref: 004198EB
GetKeyState.USER32(0000000D), ref: 004198F3
GetKeyState.USER32(00000027), ref: 004198FB
GetKeyState.USER32(0000002D), ref: 00419903
GetKeyState.USER32(0000000D), ref: 0041990B
GetKeyState.USER32(00000027), ref: 00419913
GetKeyState.USER32(0000002D), ref: 0041991B
GetKeyState.USER32(0000000D), ref: 00419923
GetKeyState.USER32(00000027), ref: 0041992B
GetKeyState.USER32(0000002D), ref: 00419933
GetKeyState.USER32(0000000D), ref: 0041993B
GetKeyState.USER32(00000027), ref: 00419943
GetKeyState.USER32(0000002D), ref: 0041994B
GetKeyState.USER32(0000000D), ref: 00419953
GetKeyState.USER32(00000027), ref: 0041995B
GetKeyState.USER32(0000002D), ref: 00419963
GetKeyState.USER32(0000000D), ref: 0041996B
GetKeyState.USER32(00000027), ref: 00419973
GetKeyState.USER32(0000002D), ref: 0041997B
GetKeyState.USER32(0000000D), ref: 00419983
GetKeyState.USER32(00000027), ref: 0041998B
GetKeyState.USER32(0000002D), ref: 00419993
GetKeyState.USER32(0000000D), ref: 0041999B
GetKeyState.USER32(00000027), ref: 004199A3
GetKeyState.USER32(0000002D), ref: 004199AB
GetKeyState.USER32(0000000D), ref: 004199B3
GetKeyState.USER32(00000027), ref: 004199BB
GetKeyState.USER32(0000002D), ref: 004199C3
GetKeyState.USER32(0000000D), ref: 004199CB
GetKeyState.USER32(00000027), ref: 004199D3
GetKeyState.USER32(0000002D), ref: 004199DB
GetKeyState.USER32(0000000D), ref: 004199E3
GetKeyState.USER32(00000027), ref: 004199EB
GetKeyState.USER32(0000002D), ref: 004199F3
GetKeyState.USER32(0000000D), ref: 004199FB
GetKeyState.USER32(00000027), ref: 00419A03
GetKeyState.USER32(0000002D), ref: 00419A0B
GetKeyState.USER32(0000000D), ref: 00419A13
GetKeyState.USER32(00000027), ref: 00419A1B
GetKeyState.USER32(0000002D), ref: 00419A23
GetKeyState.USER32(0000000D), ref: 00419A2B
GetKeyState.USER32(00000027), ref: 00419A33
GetKeyState.USER32(0000002D), ref: 00419A3B
GetKeyState.USER32(0000000D), ref: 00419A43
GetKeyState.USER32(00000027), ref: 00419A4B
GetKeyState.USER32(0000002D), ref: 00419A53
GetKeyState.USER32(0000000D), ref: 00419A5B
GetKeyState.USER32(00000027), ref: 00419A63
GetKeyState.USER32(0000002D), ref: 00419A6B
GetKeyState.USER32(0000000D), ref: 00419A73
GetKeyState.USER32(00000027), ref: 00419A7B
GetKeyState.USER32(0000002D), ref: 00419A83
GetKeyState.USER32(0000000D), ref: 00419A8B
GetKeyState.USER32(00000027), ref: 00419A93
GetKeyState.USER32(0000002D), ref: 00419A9B
GetKeyState.USER32(0000000D), ref: 00419AA3
GetKeyState.USER32(00000027), ref: 00419AAB
GetKeyState.USER32(0000002D), ref: 00419AB3
GetKeyState.USER32(0000000D), ref: 00419ABB
GetKeyState.USER32(00000027), ref: 00419AC3
GetKeyState.USER32(0000002D), ref: 00419ACB
GetKeyState.USER32(0000000D), ref: 00419AD3
GetKeyState.USER32(00000027), ref: 00419ADB
GetKeyState.USER32(0000002D), ref: 00419AE3
GetKeyState.USER32(0000000D), ref: 00419AEB
GetKeyState.USER32(00000027), ref: 00419AF3
GetKeyState.USER32(0000002D), ref: 00419AFB
GetKeyState.USER32(0000000D), ref: 00419B03
GetKeyState.USER32(00000027), ref: 00419B0B
GetKeyState.USER32(0000002D), ref: 00419B13
GetKeyState.USER32(0000000D), ref: 00419B1B
GetKeyState.USER32(00000027), ref: 00419B23
GetKeyState.USER32(0000002D), ref: 00419B2B
GetKeyState.USER32(0000000D), ref: 00419B33
GetKeyState.USER32(00000027), ref: 00419B3B
GetKeyState.USER32(0000002D), ref: 00419B43
GetKeyState.USER32(0000000D), ref: 00419B4B
GetKeyState.USER32(00000027), ref: 00419B53
GetKeyState.USER32(0000002D), ref: 00419B5B
GetKeyState.USER32(0000000D), ref: 00419B63
GetKeyState.USER32(00000027), ref: 00419B6B
GetKeyState.USER32(0000002D), ref: 00419B73
GetKeyState.USER32(0000000D), ref: 00419B7B
GetKeyState.USER32(00000027), ref: 00419B83
GetKeyState.USER32(0000002D), ref: 00419B8B
GetKeyState.USER32(0000000D), ref: 00419B93
GetKeyState.USER32(00000027), ref: 00419B9B
GetKeyState.USER32(0000002D), ref: 00419BA3
GetKeyState.USER32(0000000D), ref: 00419BAB
GetKeyState.USER32(00000027), ref: 00419BB3
GetKeyState.USER32(0000002D), ref: 00419BBB
GetKeyState.USER32(0000000D), ref: 00419BC3
GetKeyState.USER32(00000027), ref: 00419BCB
GetKeyState.USER32(0000002D), ref: 00419BD3
GetKeyState.USER32(0000000D), ref: 00419BDB
GetKeyState.USER32(00000027), ref: 00419BE3
GetKeyState.USER32(0000002D), ref: 00419BEB
GetKeyState.USER32(0000000D), ref: 00419BF3
GetKeyState.USER32(00000027), ref: 00419BFB
GetKeyState.USER32(0000002D), ref: 00419C03
GetKeyState.USER32(0000000D), ref: 00419C0B
GetKeyState.USER32(00000027), ref: 00419C13
GetKeyState.USER32(0000002D), ref: 00419C1B
GetKeyState.USER32(0000000D), ref: 00419C23
GetKeyState.USER32(00000027), ref: 00419C2B
GetKeyState.USER32(0000002D), ref: 00419C33
GetKeyState.USER32(0000000D), ref: 00419C3B
GetKeyState.USER32(00000027), ref: 00419C43
GetKeyState.USER32(0000002D), ref: 00419C4B
GetKeyState.USER32(0000000D), ref: 00419C53
GetKeyState.USER32(00000027), ref: 00419C5B
GetKeyState.USER32(0000002D), ref: 00419C6C
GetKeyState.USER32(0000000D), ref: 00419C74
GetKeyState.USER32(00000027), ref: 00419C7C
GetKeyState.USER32(0000002D), ref: 00419C84
GetKeyState.USER32(0000000D), ref: 00419C8C
GetKeyState.USER32(00000027), ref: 00419C94
GetKeyState.USER32(0000002D), ref: 00419C9C
GetKeyState.USER32(0000000D), ref: 00419CA4
GetKeyState.USER32(00000027), ref: 00419CAC
GetKeyState.USER32(0000002D), ref: 00419CB4
GetKeyState.USER32(0000000D), ref: 00419CBC
GetKeyState.USER32(00000027), ref: 00419CC4
GetKeyState.USER32(0000002D), ref: 00419CCC
GetKeyState.USER32(0000000D), ref: 00419CD4
GetKeyState.USER32(00000027), ref: 00419CDC
GetKeyState.USER32(0000002D), ref: 00419CE4
GetKeyState.USER32(0000000D), ref: 00419CEC
GetKeyState.USER32(00000027), ref: 00419CF4
GetKeyState.USER32(0000002D), ref: 00419CFC
GetKeyState.USER32(0000000D), ref: 00419D04
GetKeyState.USER32(00000027), ref: 00419D0C
GetKeyState.USER32(0000002D), ref: 00419D14
GetKeyState.USER32(0000000D), ref: 00419D1C
GetKeyState.USER32(00000027), ref: 00419D24
GetKeyState.USER32(0000002D), ref: 00419D2C
GetKeyState.USER32(0000000D), ref: 00419D34
GetKeyState.USER32(00000027), ref: 00419D3C
GetKeyState.USER32(0000002D), ref: 00419D44
GetKeyState.USER32(0000000D), ref: 00419D4C
GetKeyState.USER32(00000027), ref: 00419D54
GetKeyState.USER32(0000002D), ref: 00419D5C
GetKeyState.USER32(0000000D), ref: 00419D64
GetKeyState.USER32(00000027), ref: 00419D6C
GetKeyState.USER32(0000002D), ref: 00419D74
GetKeyState.USER32(0000000D), ref: 00419D7C
GetKeyState.USER32(00000027), ref: 00419D84
GetKeyState.USER32(0000002D), ref: 00419D8C
GetKeyState.USER32(0000000D), ref: 00419D94
GetKeyState.USER32(00000027), ref: 00419D9C
GetKeyState.USER32(0000002D), ref: 00419DA4
GetKeyState.USER32(0000000D), ref: 00419DAC
GetKeyState.USER32(00000027), ref: 00419DB4
GetKeyState.USER32(0000002D), ref: 00419DBC
GetKeyState.USER32(0000000D), ref: 00419DC4
GetKeyState.USER32(00000027), ref: 00419DCC
GetKeyState.USER32(0000002D), ref: 00419DD4
GetKeyState.USER32(0000000D), ref: 00419DDC
GetKeyState.USER32(00000027), ref: 00419DE4
GetKeyState.USER32(0000002D), ref: 00419DEC
GetKeyState.USER32(0000000D), ref: 00419DF4
GetKeyState.USER32(00000027), ref: 00419DFC
GetKeyState.USER32(0000002D), ref: 00419E04
GetKeyState.USER32(0000000D), ref: 00419E0C
GetKeyState.USER32(00000027), ref: 00419E14
GetKeyState.USER32(0000002D), ref: 00419E1C
GetKeyState.USER32(0000000D), ref: 00419E24
GetKeyState.USER32(00000027), ref: 00419E2C
GetKeyState.USER32(0000002D), ref: 00419E34
GetKeyState.USER32(0000000D), ref: 00419E3C
GetKeyState.USER32(00000027), ref: 00419E44
GetKeyState.USER32(0000002D), ref: 00419E4C
GetKeyState.USER32(0000000D), ref: 00419E54
GetKeyState.USER32(00000027), ref: 00419E5C
GetKeyState.USER32(0000002D), ref: 00419E64
GetKeyState.USER32(0000000D), ref: 00419E6C
GetKeyState.USER32(00000027), ref: 00419E74
GetKeyState.USER32(0000002D), ref: 00419E7C
GetKeyState.USER32(0000000D), ref: 00419E84
GetKeyState.USER32(00000027), ref: 00419E8C
GetKeyState.USER32(0000002D), ref: 00419E94
GetKeyState.USER32(0000000D), ref: 00419E9C
GetKeyState.USER32(00000027), ref: 00419EA4
GetKeyState.USER32(0000002D), ref: 00419EAC
GetKeyState.USER32(0000000D), ref: 00419EB4
GetKeyState.USER32(00000027), ref: 00419EBC
GetKeyState.USER32(0000002D), ref: 00419EC4
GetKeyState.USER32(0000000D), ref: 00419ECC
GetKeyState.USER32(00000027), ref: 00419ED4
GetKeyState.USER32(0000002D), ref: 00419EDC
GetKeyState.USER32(0000000D), ref: 00419EE4
GetKeyState.USER32(00000027), ref: 00419EEC
GetKeyState.USER32(0000002D), ref: 00419EF4
GetKeyState.USER32(0000000D), ref: 00419EFC
GetKeyState.USER32(00000027), ref: 00419F04
GetKeyState.USER32(0000002D), ref: 00419F0C
GetKeyState.USER32(0000000D), ref: 00419F14
GetKeyState.USER32(00000027), ref: 00419F1C
GetKeyState.USER32(0000002D), ref: 00419F24
GetKeyState.USER32(0000000D), ref: 00419F2C
GetKeyState.USER32(00000027), ref: 00419F34
GetKeyState.USER32(0000002D), ref: 00419F3C
GetKeyState.USER32(0000000D), ref: 00419F44
GetKeyState.USER32(00000027), ref: 00419F4C
GetKeyState.USER32(0000002D), ref: 00419F54
GetKeyState.USER32(0000000D), ref: 00419F5C
GetKeyState.USER32(00000027), ref: 00419F64
GetKeyState.USER32(0000002D), ref: 00419F6C
GetKeyState.USER32(0000000D), ref: 00419F74
GetKeyState.USER32(00000027), ref: 00419F7C
GetKeyState.USER32(0000002D), ref: 00419F84
GetKeyState.USER32(0000000D), ref: 00419F8C
GetKeyState.USER32(00000027), ref: 00419F94
GetKeyState.USER32(0000002D), ref: 00419F9C
GetKeyState.USER32(0000000D), ref: 00419FA4
GetKeyState.USER32(00000027), ref: 00419FAC
GetKeyState.USER32(0000002D), ref: 00419FB4
GetKeyState.USER32(0000000D), ref: 00419FBC
GetKeyState.USER32(00000027), ref: 00419FC4
GetKeyState.USER32(0000002D), ref: 00419FCC
GetKeyState.USER32(0000000D), ref: 00419FD4
GetKeyState.USER32(00000027), ref: 00419FDC
GetKeyState.USER32(0000002D), ref: 00419FE4
GetKeyState.USER32(0000000D), ref: 00419FEC
GetKeyState.USER32(00000027), ref: 00419FF4
GetKeyState.USER32(0000002D), ref: 00419FFC
GetKeyState.USER32(0000000D), ref: 0041A004
GetKeyState.USER32(00000027), ref: 0041A00C
GetKeyState.USER32(0000002D), ref: 0041A014
GetKeyState.USER32(0000000D), ref: 0041A01C
GetKeyState.USER32(00000027), ref: 0041A024
GetKeyState.USER32(0000002D), ref: 0041A02C
GetKeyState.USER32(0000000D), ref: 0041A034
GetKeyState.USER32(00000027), ref: 0041A03C
GetKeyState.USER32(0000002D), ref: 0041A044
GetKeyState.USER32(0000000D), ref: 0041A04C
GetKeyState.USER32(00000027), ref: 0041A054
GetKeyState.USER32(0000002D), ref: 0041A05C
GetKeyState.USER32(0000000D), ref: 0041A064
GetKeyState.USER32(00000027), ref: 0041A06C
GetKeyState.USER32(0000002D), ref: 0041A074
GetKeyState.USER32(0000000D), ref: 0041A07C
GetKeyState.USER32(00000027), ref: 0041A084
GetKeyState.USER32(0000002D), ref: 0041A08C
GetKeyState.USER32(0000000D), ref: 0041A094
GetKeyState.USER32(00000027), ref: 0041A09C
GetKeyState.USER32(0000002D), ref: 0041A0A4
GetKeyState.USER32(0000000D), ref: 0041A0AC
GetKeyState.USER32(00000027), ref: 0041A0B4
GetKeyState.USER32(0000002D), ref: 0041A0BC
GetKeyState.USER32(0000000D), ref: 0041A0C4
GetKeyState.USER32(00000027), ref: 0041A0CC
GetKeyState.USER32(0000002D), ref: 0041A0D4
GetKeyState.USER32(0000000D), ref: 0041A0DC
GetKeyState.USER32(00000027), ref: 0041A0E4
GetKeyState.USER32(0000002D), ref: 0041A0EC
GetKeyState.USER32(0000000D), ref: 0041A0F4
GetKeyState.USER32(00000027), ref: 0041A0FC
GetKeyState.USER32(0000002D), ref: 0041A104
GetKeyState.USER32(0000000D), ref: 0041A10C
GetKeyState.USER32(00000027), ref: 0041A114
GetKeyState.USER32(0000002D), ref: 0041A11C
GetKeyState.USER32(0000000D), ref: 0041A124
GetKeyState.USER32(00000027), ref: 0041A12C
GetKeyState.USER32(0000002D), ref: 0041A134
GetKeyState.USER32(0000000D), ref: 0041A13C
GetKeyState.USER32(00000027), ref: 0041A144
GetKeyState.USER32(0000002D), ref: 0041A14C
GetKeyState.USER32(0000000D), ref: 0041A154
GetKeyState.USER32(00000027), ref: 0041A15C
GetKeyState.USER32(0000002D), ref: 0041A164
GetKeyState.USER32(0000000D), ref: 0041A16C
GetKeyState.USER32(00000027), ref: 0041A174
GetKeyState.USER32(0000002D), ref: 0041A17C
GetKeyState.USER32(0000000D), ref: 0041A184
GetKeyState.USER32(00000027), ref: 0041A18C
GetKeyState.USER32(0000002D), ref: 0041A194
GetKeyState.USER32(0000000D), ref: 0041A19C
GetKeyState.USER32(00000027), ref: 0041A1A4
GetKeyState.USER32(0000002D), ref: 0041A1AC
GetKeyState.USER32(0000000D), ref: 0041A1B4
GetKeyState.USER32(00000027), ref: 0041A1BC
GetKeyState.USER32(0000002D), ref: 0041A1C4
GetKeyState.USER32(0000000D), ref: 0041A1CC
GetKeyState.USER32(00000027), ref: 0041A1D4
GetKeyState.USER32(0000002D), ref: 0041A1DC
GetKeyState.USER32(0000000D), ref: 0041A1E4
GetKeyState.USER32(00000027), ref: 0041A1EC
GetKeyState.USER32(0000002D), ref: 0041A1F4
GetKeyState.USER32(0000000D), ref: 0041A1FC
GetKeyState.USER32(00000027), ref: 0041A204
GetKeyState.USER32(0000002D), ref: 0041A20C
GetKeyState.USER32(0000000D), ref: 0041A214
GetKeyState.USER32(00000027), ref: 0041A21C
GetKeyState.USER32(0000002D), ref: 0041A224
GetKeyState.USER32(0000000D), ref: 0041A22C
GetKeyState.USER32(00000027), ref: 0041A234
GetKeyState.USER32(0000002D), ref: 0041A23C
GetKeyState.USER32(0000000D), ref: 0041A244
GetKeyState.USER32(00000027), ref: 0041A24C
GetKeyState.USER32(0000002D), ref: 0041A254
GetKeyState.USER32(0000000D), ref: 0041A25C
GetKeyState.USER32(00000027), ref: 0041A264
GetKeyState.USER32(0000002D), ref: 0041A26C
GetKeyState.USER32(0000000D), ref: 0041A274
GetKeyState.USER32(00000027), ref: 0041A27C
GetKeyState.USER32(0000002D), ref: 0041A284
GetKeyState.USER32(0000000D), ref: 0041A28C
GetKeyState.USER32(00000027), ref: 0041A294
GetKeyState.USER32(0000002D), ref: 0041A29C
GetKeyState.USER32(0000000D), ref: 0041A2A4
GetKeyState.USER32(00000027), ref: 0041A2AC
GetKeyState.USER32(0000002D), ref: 0041A2B4
GetKeyState.USER32(0000000D), ref: 0041A2BC
GetKeyState.USER32(00000027), ref: 0041A2C4
GetKeyState.USER32(0000002D), ref: 0041A2CC
GetKeyState.USER32(0000000D), ref: 0041A2D4
GetKeyState.USER32(00000027), ref: 0041A2DC
GetKeyState.USER32(0000002D), ref: 0041A2E4
GetKeyState.USER32(0000000D), ref: 0041A2EC
GetKeyState.USER32(00000027), ref: 0041A2F4
GetKeyState.USER32(0000002D), ref: 0041A2FC
GetKeyState.USER32(0000000D), ref: 0041A304
GetKeyState.USER32(00000027), ref: 0041A30C
GetKeyState.USER32(0000002D), ref: 0041A314
GetKeyState.USER32(0000000D), ref: 0041A31C
GetKeyState.USER32(00000027), ref: 0041A324
GetKeyState.USER32(0000002D), ref: 0041A32C
GetKeyState.USER32(0000000D), ref: 0041A334
GetKeyState.USER32(00000027), ref: 0041A33C
GetKeyState.USER32(0000002D), ref: 0041A344
GetKeyState.USER32(0000000D), ref: 0041A34C
GetKeyState.USER32(00000027), ref: 0041A354
GetKeyState.USER32(0000002D), ref: 0041A35C
GetKeyState.USER32(0000000D), ref: 0041A364
GetKeyState.USER32(00000027), ref: 0041A36C
GetKeyState.USER32(0000002D), ref: 0041A374
GetKeyState.USER32(0000000D), ref: 0041A37C
GetKeyState.USER32(00000027), ref: 0041A384
GetKeyState.USER32(0000002D), ref: 0041A38C
GetKeyState.USER32(0000000D), ref: 0041A394
GetKeyState.USER32(00000027), ref: 0041A39C
GetKeyState.USER32(0000002D), ref: 0041A3A4
GetKeyState.USER32(0000000D), ref: 0041A3AC
GetKeyState.USER32(00000027), ref: 0041A3B4
GetKeyState.USER32(0000002D), ref: 0041A3BC
GetKeyState.USER32(0000000D), ref: 0041A3C4
GetKeyState.USER32(00000027), ref: 0041A3CC
GetKeyState.USER32(0000002D), ref: 0041A3D4
GetKeyState.USER32(0000000D), ref: 0041A3DC
GetKeyState.USER32(00000027), ref: 0041A3E4
GetKeyState.USER32(0000002D), ref: 0041A3EC
GetKeyState.USER32(0000000D), ref: 0041A3F4
GetKeyState.USER32(00000027), ref: 0041A3FC
GetKeyState.USER32(0000002D), ref: 0041A404
GetKeyState.USER32(0000000D), ref: 0041A40C
GetKeyState.USER32(00000027), ref: 0041A414
GetKeyState.USER32(0000002D), ref: 0041A41C
GetKeyState.USER32(0000000D), ref: 0041A424
GetKeyState.USER32(00000027), ref: 0041A42C
GetKeyState.USER32(0000002D), ref: 0041A434
GetKeyState.USER32(0000000D), ref: 0041A43C
GetKeyState.USER32(00000027), ref: 0041A444
GetKeyState.USER32(0000002D), ref: 0041A44C
GetKeyState.USER32(0000000D), ref: 0041A454
GetKeyState.USER32(00000027), ref: 0041A45C
GetKeyState.USER32(0000002D), ref: 0041A464
GetKeyState.USER32(0000000D), ref: 0041A46C
GetKeyState.USER32(00000027), ref: 0041A474
GetKeyState.USER32(0000002D), ref: 0041A47C
GetKeyState.USER32(0000000D), ref: 0041A484
GetKeyState.USER32(00000027), ref: 0041A48C
GetKeyState.USER32(0000002D), ref: 0041A494
GetKeyState.USER32(0000000D), ref: 0041A49C
GetKeyState.USER32(00000027), ref: 0041A4A4
GetKeyState.USER32(0000002D), ref: 0041A4AC
GetKeyState.USER32(0000000D), ref: 0041A4B4
GetKeyState.USER32(00000027), ref: 0041A4BC
GetKeyState.USER32(0000002D), ref: 0041A4C4
GetKeyState.USER32(0000000D), ref: 0041A4CC
GetKeyState.USER32(00000027), ref: 0041A4D4
GetKeyState.USER32(0000002D), ref: 0041A4DC
GetKeyState.USER32(0000000D), ref: 0041A4E4
GetKeyState.USER32(00000027), ref: 0041A4EC
GetKeyState.USER32(0000002D), ref: 0041A4F4
GetKeyState.USER32(0000000D), ref: 0041A4FC
GetKeyState.USER32(00000027), ref: 0041A504
GetKeyState.USER32(0000002D), ref: 0041A50C
GetKeyState.USER32(0000000D), ref: 0041A514
GetKeyState.USER32(00000027), ref: 0041A51C
GetKeyState.USER32(0000002D), ref: 0041A524
GetKeyState.USER32(0000000D), ref: 0041A52C
GetKeyState.USER32(00000027), ref: 0041A534
GetKeyState.USER32(0000002D), ref: 0041A53C
GetKeyState.USER32(0000000D), ref: 0041A544
GetKeyState.USER32(00000027), ref: 0041A54C
GetKeyState.USER32(0000002D), ref: 0041A554
GetKeyState.USER32(0000000D), ref: 0041A55C
GetKeyState.USER32(00000027), ref: 0041A564
GetKeyState.USER32(0000002D), ref: 0041A56C
GetKeyState.USER32(0000000D), ref: 0041A574
GetKeyState.USER32(00000027), ref: 0041A57C
GetKeyState.USER32(0000002D), ref: 0041A584
GetKeyState.USER32(0000000D), ref: 0041A58C
GetKeyState.USER32(00000027), ref: 0041A594
GetKeyState.USER32(0000002D), ref: 0041A59C
GetKeyState.USER32(0000000D), ref: 0041A5A4
GetKeyState.USER32(00000027), ref: 0041A5AC
GetKeyState.USER32(0000002D), ref: 0041A5B4
GetKeyState.USER32(0000000D), ref: 0041A5BC
GetKeyState.USER32(00000027), ref: 0041A5C4
GetKeyState.USER32(0000002D), ref: 0041A5CC
GetKeyState.USER32(0000000D), ref: 0041A5D4
GetKeyState.USER32(00000027), ref: 0041A5DC
GetKeyState.USER32(0000002D), ref: 0041A5E4
GetKeyState.USER32(0000000D), ref: 0041A5EC
GetKeyState.USER32(00000027), ref: 0041A5F4
GetKeyState.USER32(0000002D), ref: 0041A5FC
GetKeyState.USER32(0000000D), ref: 0041A604
GetKeyState.USER32(00000027), ref: 0041A60C
GetKeyState.USER32(0000002D), ref: 0041A614
GetKeyState.USER32(0000000D), ref: 0041A61C
GetKeyState.USER32(00000027), ref: 0041A624
GetKeyState.USER32(0000002D), ref: 0041A62C
GetKeyState.USER32(0000000D), ref: 0041A634
GetKeyState.USER32(00000027), ref: 0041A63C
GetKeyState.USER32(0000002D), ref: 0041A644
GetKeyState.USER32(0000000D), ref: 0041A64C
GetKeyState.USER32(00000027), ref: 0041A654
GetKeyState.USER32(0000002D), ref: 0041A65C
GetKeyState.USER32(0000000D), ref: 0041A664
GetKeyState.USER32(00000027), ref: 0041A66C
GetKeyState.USER32(0000002D), ref: 0041A674
GetKeyState.USER32(0000000D), ref: 0041A67C
GetKeyState.USER32(00000027), ref: 0041A684
GetKeyState.USER32(0000002D), ref: 0041A68C
GetKeyState.USER32(0000000D), ref: 0041A694
GetKeyState.USER32(00000027), ref: 0041A69C
GetKeyState.USER32(0000002D), ref: 0041A6A4
GetKeyState.USER32(0000000D), ref: 0041A6AC
GetKeyState.USER32(00000027), ref: 0041A6B4
GetKeyState.USER32(0000002D), ref: 0041A6BC
GetKeyState.USER32(0000000D), ref: 0041A6C4
GetKeyState.USER32(00000027), ref: 0041A6CC
GetKeyState.USER32(0000002D), ref: 0041A6D4
GetKeyState.USER32(0000000D), ref: 0041A6DC
GetKeyState.USER32(00000027), ref: 0041A6E4
GetKeyState.USER32(0000002D), ref: 0041A6EC
GetKeyState.USER32(0000000D), ref: 0041A6F4
GetKeyState.USER32(00000027), ref: 0041A6FC
GetKeyState.USER32(0000002D), ref: 0041A704
GetKeyState.USER32(0000000D), ref: 0041A70C
GetKeyState.USER32(00000027), ref: 0041A714
GetKeyState.USER32(0000002D), ref: 0041A71C
GetKeyState.USER32(0000000D), ref: 0041A724
GetKeyState.USER32(00000027), ref: 0041A72C
GetKeyState.USER32(0000002D), ref: 0041A734
GetKeyState.USER32(0000000D), ref: 0041A73C
GetKeyState.USER32(00000027), ref: 0041A744
GetKeyState.USER32(0000002D), ref: 0041A74C
GetKeyState.USER32(0000000D), ref: 0041A754
GetKeyState.USER32(00000027), ref: 0041A75C
GetKeyState.USER32(0000002D), ref: 0041A764
GetKeyState.USER32(0000000D), ref: 0041A76C
GetKeyState.USER32(00000027), ref: 0041A774
GetKeyState.USER32(0000002D), ref: 0041A77C
GetKeyState.USER32(0000000D), ref: 0041A784
GetKeyState.USER32(00000027), ref: 0041A78C
GetKeyState.USER32(0000002D), ref: 0041A794
GetKeyState.USER32(0000000D), ref: 0041A79C
GetKeyState.USER32(00000027), ref: 0041A7A4
GetKeyState.USER32(0000002D), ref: 0041A7AC
GetKeyState.USER32(0000000D), ref: 0041A7B4
GetKeyState.USER32(00000027), ref: 0041A7BC
GetKeyState.USER32(0000002D), ref: 0041A7C4
GetKeyState.USER32(0000000D), ref: 0041A7CC
GetKeyState.USER32(00000027), ref: 0041A7D4
GetKeyState.USER32(0000002D), ref: 0041A7DC
GetKeyState.USER32(0000000D), ref: 0041A7E4
GetKeyState.USER32(00000027), ref: 0041A7EC
GetKeyState.USER32(0000002D), ref: 0041A7F4
GetKeyState.USER32(0000000D), ref: 0041A7FC
GetKeyState.USER32(00000027), ref: 0041A804
GetKeyState.USER32(0000002D), ref: 0041A80C
GetKeyState.USER32(0000000D), ref: 0041A814
GetKeyState.USER32(00000027), ref: 0041A81C
GetKeyState.USER32(0000002D), ref: 0041A824
GetKeyState.USER32(0000000D), ref: 0041A82C
GetKeyState.USER32(00000027), ref: 0041A834
GetKeyState.USER32(0000002D), ref: 0041A83C
GetKeyState.USER32(0000000D), ref: 0041A844
GetKeyState.USER32(00000027), ref: 0041A84C
GetKeyState.USER32(0000002D), ref: 0041A854
GetKeyState.USER32(0000000D), ref: 0041A85C
GetKeyState.USER32(00000027), ref: 0041A864
GetKeyState.USER32(0000002D), ref: 0041A86C
GetKeyState.USER32(0000000D), ref: 0041A874
GetKeyState.USER32(00000027), ref: 0041A87C
GetKeyState.USER32(0000002D), ref: 0041A884
GetKeyState.USER32(0000000D), ref: 0041A88C
GetKeyState.USER32(00000027), ref: 0041A894
GetKeyState.USER32(0000002D), ref: 0041A89C
GetKeyState.USER32(0000000D), ref: 0041A8A4
GetKeyState.USER32(00000027), ref: 0041A8AC
GetKeyState.USER32(0000002D), ref: 0041A8B4
GetKeyState.USER32(0000000D), ref: 0041A8BC
GetKeyState.USER32(00000027), ref: 0041A8C4
GetKeyState.USER32(0000002D), ref: 0041A8CC
GetKeyState.USER32(0000000D), ref: 0041A8D4
GetKeyState.USER32(00000027), ref: 0041A8DC
GetKeyState.USER32(0000002D), ref: 0041A8E4
GetKeyState.USER32(0000000D), ref: 0041A8EC
GetKeyState.USER32(00000027), ref: 0041A8F4
GetKeyState.USER32(0000002D), ref: 0041A8FC
GetKeyState.USER32(0000000D), ref: 0041A904
GetKeyState.USER32(00000027), ref: 0041A90C
GetKeyState.USER32(0000002D), ref: 0041A914
GetKeyState.USER32(0000000D), ref: 0041A91C
GetKeyState.USER32(00000027), ref: 0041A924
GetKeyState.USER32(0000002D), ref: 0041A92C
GetKeyState.USER32(0000000D), ref: 0041A934
GetKeyState.USER32(00000027), ref: 0041A93C
GetKeyState.USER32(0000002D), ref: 0041A944
GetKeyState.USER32(0000000D), ref: 0041A94C
GetKeyState.USER32(00000027), ref: 0041A954
GetKeyState.USER32(0000002D), ref: 0041A95C
GetKeyState.USER32(0000000D), ref: 0041A964
GetKeyState.USER32(00000027), ref: 0041A96C
GetKeyState.USER32(0000002D), ref: 0041A974
GetKeyState.USER32(0000000D), ref: 0041A97C
GetKeyState.USER32(00000027), ref: 0041A984
GetKeyState.USER32(0000002D), ref: 0041A98C
GetKeyState.USER32(0000000D), ref: 0041A994
GetKeyState.USER32(00000027), ref: 0041A99C
GetKeyState.USER32(0000002D), ref: 0041A9A4
GetKeyState.USER32(0000000D), ref: 0041A9AC
GetKeyState.USER32(00000027), ref: 0041A9B4
GetKeyState.USER32(0000002D), ref: 0041A9BC
GetKeyState.USER32(0000000D), ref: 0041A9C4
GetKeyState.USER32(00000027), ref: 0041A9CC
GetKeyState.USER32(0000002D), ref: 0041A9D4
GetKeyState.USER32(0000000D), ref: 0041A9DC
GetKeyState.USER32(00000027), ref: 0041A9E4
GetKeyState.USER32(0000002D), ref: 0041A9EC
GetKeyState.USER32(0000000D), ref: 0041A9F4
GetKeyState.USER32(00000027), ref: 0041A9FC
GetKeyState.USER32(0000002D), ref: 0041AA04
GetKeyState.USER32(0000000D), ref: 0041AA0C
GetKeyState.USER32(00000027), ref: 0041AA14
GetKeyState.USER32(0000002D), ref: 0041AA1C
GetKeyState.USER32(0000000D), ref: 0041AA24
GetKeyState.USER32(00000027), ref: 0041AA2C
GetKeyState.USER32(0000002D), ref: 0041AA34
GetKeyState.USER32(0000000D), ref: 0041AA3C
GetKeyState.USER32(00000027), ref: 0041AA44
GetKeyState.USER32(0000002D), ref: 0041AA4C
GetKeyState.USER32(0000000D), ref: 0041AA54
GetKeyState.USER32(00000027), ref: 0041AA5C
GetKeyState.USER32(0000002D), ref: 0041AA64
GetKeyState.USER32(0000000D), ref: 0041AA6C
GetKeyState.USER32(00000027), ref: 0041AA74
GetKeyState.USER32(0000002D), ref: 0041AA7C
GetKeyState.USER32(0000000D), ref: 0041AA84
GetKeyState.USER32(00000027), ref: 0041AA8C
GetKeyState.USER32(0000002D), ref: 0041AA94
GetKeyState.USER32(0000000D), ref: 0041AA9C
GetKeyState.USER32(00000027), ref: 0041AAA4
GetKeyState.USER32(0000002D), ref: 0041AAAC
GetKeyState.USER32(0000000D), ref: 0041AAB4
GetKeyState.USER32(00000027), ref: 0041AABC
GetKeyState.USER32(0000002D), ref: 0041AAC4
GetKeyState.USER32(0000000D), ref: 0041AACC
GetKeyState.USER32(00000027), ref: 0041AAD4
GetKeyState.USER32(0000002D), ref: 0041AADC
GetKeyState.USER32(0000000D), ref: 0041AAE4
GetKeyState.USER32(00000027), ref: 0041AAEC
GetKeyState.USER32(0000002D), ref: 0041AAF4
GetKeyState.USER32(0000000D), ref: 0041AAFC
GetKeyState.USER32(00000027), ref: 0041AB04
GetKeyState.USER32(0000002D), ref: 0041AB0C
GetKeyState.USER32(0000000D), ref: 0041AB14
GetKeyState.USER32(00000027), ref: 0041AB1C
GetKeyState.USER32(0000002D), ref: 0041AB24
GetKeyState.USER32(0000000D), ref: 0041AB2C
GetKeyState.USER32(00000027), ref: 0041AB34
GetKeyState.USER32(0000002D), ref: 0041AB3C
GetKeyState.USER32(0000000D), ref: 0041AB44
GetKeyState.USER32(00000027), ref: 0041AB4C
GetKeyState.USER32(0000002D), ref: 0041AB54
GetKeyState.USER32(0000000D), ref: 0041AB5C
GetKeyState.USER32(00000027), ref: 0041AB64
GetKeyState.USER32(0000002D), ref: 0041AB6C
GetKeyState.USER32(0000000D), ref: 0041AB74
GetKeyState.USER32(00000027), ref: 0041AB7C
GetKeyState.USER32(0000002D), ref: 0041AB84
GetKeyState.USER32(0000000D), ref: 0041AB8C
GetKeyState.USER32(00000027), ref: 0041AB94
GetKeyState.USER32(0000002D), ref: 0041AB9C
GetKeyState.USER32(0000000D), ref: 0041ABA4
GetKeyState.USER32(00000027), ref: 0041ABAC
GetKeyState.USER32(0000002D), ref: 0041ABB4
GetKeyState.USER32(0000000D), ref: 0041ABBC
GetKeyState.USER32(00000027), ref: 0041ABC4
GetKeyState.USER32(0000002D), ref: 0041ABCC
GetKeyState.USER32(0000000D), ref: 0041ABD4
GetKeyState.USER32(00000027), ref: 0041ABDC
GetKeyState.USER32(0000002D), ref: 0041ABE4
GetKeyState.USER32(0000000D), ref: 0041ABEC
GetKeyState.USER32(00000027), ref: 0041ABF4
GetKeyState.USER32(0000002D), ref: 0041ABFC
GetKeyState.USER32(0000000D), ref: 0041AC04
GetKeyState.USER32(00000027), ref: 0041AC0C
GetKeyState.USER32(0000002D), ref: 0041AC14
GetKeyState.USER32(0000000D), ref: 0041AC1C
GetKeyState.USER32(00000027), ref: 0041AC24
GetKeyState.USER32(0000002D), ref: 0041AC2C
GetKeyState.USER32(0000000D), ref: 0041AC34
GetKeyState.USER32(00000027), ref: 0041AC3C
GetKeyState.USER32(0000002D), ref: 0041AC44
GetKeyState.USER32(0000000D), ref: 0041AC4C
GetKeyState.USER32(00000027), ref: 0041AC54
GetKeyState.USER32(0000002D), ref: 0041AC5C
GetKeyState.USER32(0000000D), ref: 0041AC64
GetKeyState.USER32(00000027), ref: 0041AC6C
GetKeyState.USER32(0000002D), ref: 0041AC74
GetKeyState.USER32(0000000D), ref: 0041AC7C
GetKeyState.USER32(00000027), ref: 0041AC84
GetKeyState.USER32(0000002D), ref: 0041AC8C
GetKeyState.USER32(0000000D), ref: 0041AC94
GetKeyState.USER32(00000027), ref: 0041AC9C
GetKeyState.USER32(0000002D), ref: 0041ACA4
GetKeyState.USER32(0000000D), ref: 0041ACAC
GetKeyState.USER32(00000027), ref: 0041ACB4
GetKeyState.USER32(0000002D), ref: 0041ACBC
GetKeyState.USER32(0000000D), ref: 0041ACC4
GetKeyState.USER32(00000027), ref: 0041ACCC
GetKeyState.USER32(0000002D), ref: 0041ACD4
GetKeyState.USER32(0000000D), ref: 0041ACDC
GetKeyState.USER32(00000027), ref: 0041ACE4
GetKeyState.USER32(0000002D), ref: 0041ACEC
GetKeyState.USER32(0000000D), ref: 0041ACF4
GetKeyState.USER32(00000027), ref: 0041ACFC
GetKeyState.USER32(0000002D), ref: 0041AD04
GetKeyState.USER32(0000000D), ref: 0041AD0C
GetKeyState.USER32(00000027), ref: 0041AD14
GetKeyState.USER32(0000002D), ref: 0041AD1C
GetKeyState.USER32(0000000D), ref: 0041AD24
GetKeyState.USER32(00000027), ref: 0041AD2C
GetKeyState.USER32(0000002D), ref: 0041AD34
GetKeyState.USER32(0000000D), ref: 0041AD3C
GetKeyState.USER32(00000027), ref: 0041AD44
GetKeyState.USER32(0000002D), ref: 0041AD4C
GetKeyState.USER32(0000000D), ref: 0041AD54
GetKeyState.USER32(00000027), ref: 0041AD5C
GetKeyState.USER32(0000002D), ref: 0041AD64
GetKeyState.USER32(0000000D), ref: 0041AD6C
GetKeyState.USER32(00000027), ref: 0041AD74
GetKeyState.USER32(0000002D), ref: 0041AD7C
GetKeyState.USER32(0000000D), ref: 0041AD84
GetKeyState.USER32(00000027), ref: 0041AD8C
GetKeyState.USER32(0000002D), ref: 0041AD94
GetKeyState.USER32(0000000D), ref: 0041AD9C
GetKeyState.USER32(00000027), ref: 0041ADA4
GetKeyState.USER32(0000002D), ref: 0041ADAC
GetKeyState.USER32(0000000D), ref: 0041ADB4
GetKeyState.USER32(00000027), ref: 0041ADBC
GetKeyState.USER32(0000002D), ref: 0041ADC4
GetKeyState.USER32(0000000D), ref: 0041ADCC
GetKeyState.USER32(00000027), ref: 0041ADD4
GetKeyState.USER32(0000002D), ref: 0041ADDC
GetKeyState.USER32(0000000D), ref: 0041ADE4
GetKeyState.USER32(00000027), ref: 0041ADEC
GetKeyState.USER32(0000002D), ref: 0041ADF4
GetKeyState.USER32(0000000D), ref: 0041ADFC
GetKeyState.USER32(00000027), ref: 0041AE04
GetKeyState.USER32(0000002D), ref: 0041AE0C
GetKeyState.USER32(0000000D), ref: 0041AE14
GetKeyState.USER32(00000027), ref: 0041AE1C
GetKeyState.USER32(0000002D), ref: 0041AE24
GetKeyState.USER32(0000000D), ref: 0041AE2C
GetKeyState.USER32(00000027), ref: 0041AE34
GetKeyState.USER32(0000002D), ref: 0041AE3C
GetKeyState.USER32(0000000D), ref: 0041AE44
GetKeyState.USER32(00000027), ref: 0041AE4C
GetKeyState.USER32(0000002D), ref: 0041AE54
GetKeyState.USER32(0000000D), ref: 0041AE5C
GetKeyState.USER32(00000027), ref: 0041AE64
GetKeyState.USER32(0000002D), ref: 0041AE6C
GetKeyState.USER32(0000000D), ref: 0041AE74
GetKeyState.USER32(00000027), ref: 0041AE7C
GetKeyState.USER32(0000002D), ref: 0041AE84
GetKeyState.USER32(0000000D), ref: 0041AE8C
GetKeyState.USER32(00000027), ref: 0041AE94
GetKeyState.USER32(0000002D), ref: 0041AE9C
GetKeyState.USER32(0000000D), ref: 0041AEA4
GetKeyState.USER32(00000027), ref: 0041AEAC
GetKeyState.USER32(0000002D), ref: 0041AEB4
GetKeyState.USER32(0000000D), ref: 0041AEBC
GetKeyState.USER32(00000027), ref: 0041AEC4
GetKeyState.USER32(0000002D), ref: 0041AECC
GetKeyState.USER32(0000000D), ref: 0041AED4
GetKeyState.USER32(00000027), ref: 0041AEDC
GetKeyState.USER32(0000002D), ref: 0041AEE4
GetKeyState.USER32(0000000D), ref: 0041AEEC
GetKeyState.USER32(00000027), ref: 0041AEF4
GetKeyState.USER32(0000002D), ref: 0041AEFC
GetKeyState.USER32(0000000D), ref: 0041AF04
GetKeyState.USER32(00000027), ref: 0041AF0C
GetKeyState.USER32(0000002D), ref: 0041AF14
GetKeyState.USER32(0000000D), ref: 0041AF1C
GetKeyState.USER32(00000027), ref: 0041AF24
GetKeyState.USER32(0000002D), ref: 0041AF2C
GetKeyState.USER32(0000000D), ref: 0041AF34
GetKeyState.USER32(00000027), ref: 0041AF3C
GetKeyState.USER32(0000002D), ref: 0041AF44
GetKeyState.USER32(0000000D), ref: 0041AF4C
GetKeyState.USER32(00000027), ref: 0041AF54
GetKeyState.USER32(0000002D), ref: 0041AF5C
GetKeyState.USER32(0000000D), ref: 0041AF64
GetKeyState.USER32(00000027), ref: 0041AF6C
GetKeyState.USER32(0000002D), ref: 0041AF74
GetKeyState.USER32(0000000D), ref: 0041AF7C
GetKeyState.USER32(00000027), ref: 0041AF84
GetKeyState.USER32(0000002D), ref: 0041AF8C
GetKeyState.USER32(0000000D), ref: 0041AF94
GetKeyState.USER32(00000027), ref: 0041AF9C
GetKeyState.USER32(0000002D), ref: 0041AFA4
GetKeyState.USER32(0000000D), ref: 0041AFAC
GetKeyState.USER32(00000027), ref: 0041AFB4
GetKeyState.USER32(0000002D), ref: 0041AFBC
GetKeyState.USER32(0000000D), ref: 0041AFC4
GetKeyState.USER32(00000027), ref: 0041AFCC
GetKeyState.USER32(0000002D), ref: 0041AFD4
GetKeyState.USER32(0000000D), ref: 0041AFDC
GetKeyState.USER32(00000027), ref: 0041AFE4
GetKeyState.USER32(0000002D), ref: 0041AFEC
GetKeyState.USER32(0000000D), ref: 0041AFF4
GetKeyState.USER32(00000027), ref: 0041AFFC
GetKeyState.USER32(0000002D), ref: 0041B004
GetKeyState.USER32(0000000D), ref: 0041B00C
GetKeyState.USER32(00000027), ref: 0041B014
GetKeyState.USER32(0000002D), ref: 0041B01C
GetKeyState.USER32(0000000D), ref: 0041B024
GetKeyState.USER32(00000027), ref: 0041B02C
GetKeyState.USER32(0000002D), ref: 0041B034
GetKeyState.USER32(0000000D), ref: 0041B03C
GetKeyState.USER32(00000027), ref: 0041B044
GetKeyState.USER32(0000002D), ref: 0041B04C
GetKeyState.USER32(0000000D), ref: 0041B054
GetKeyState.USER32(00000027), ref: 0041B05C
GetKeyState.USER32(0000002D), ref: 0041B064
GetKeyState.USER32(0000000D), ref: 0041B06C
GetKeyState.USER32(00000027), ref: 0041B074
GetKeyState.USER32(0000002D), ref: 0041B07C
GetKeyState.USER32(0000000D), ref: 0041B084
GetKeyState.USER32(00000027), ref: 0041B08C
GetKeyState.USER32(0000002D), ref: 0041B094
GetKeyState.USER32(0000000D), ref: 0041B09C
GetKeyState.USER32(00000027), ref: 0041B0A4
GetKeyState.USER32(0000002D), ref: 0041B0AC
GetKeyState.USER32(0000000D), ref: 0041B0B4
GetKeyState.USER32(00000027), ref: 0041B0BC
GetKeyState.USER32(0000002D), ref: 0041B0C4
GetKeyState.USER32(0000000D), ref: 0041B0CC
GetKeyState.USER32(00000027), ref: 0041B0D4
GetKeyState.USER32(0000002D), ref: 0041B0DC
GetKeyState.USER32(0000000D), ref: 0041B0E4
GetKeyState.USER32(00000027), ref: 0041B0EC
GetKeyState.USER32(0000002D), ref: 0041B0F4
GetKeyState.USER32(0000000D), ref: 0041B0FC
GetKeyState.USER32(00000027), ref: 0041B104
GetKeyState.USER32(0000002D), ref: 0041B10C
GetKeyState.USER32(0000000D), ref: 0041B114
GetKeyState.USER32(00000027), ref: 0041B11C
GetKeyState.USER32(0000002D), ref: 0041B124
GetKeyState.USER32(0000000D), ref: 0041B12C
GetKeyState.USER32(00000027), ref: 0041B134
GetKeyState.USER32(0000002D), ref: 0041B13C
GetKeyState.USER32(0000000D), ref: 0041B144
GetKeyState.USER32(00000027), ref: 0041B14C
GetKeyState.USER32(0000002D), ref: 0041B154
GetKeyState.USER32(0000000D), ref: 0041B15C
GetKeyState.USER32(00000027), ref: 0041B164
GetKeyState.USER32(0000002D), ref: 0041B16C
GetKeyState.USER32(0000000D), ref: 0041B174
GetKeyState.USER32(00000027), ref: 0041B17C
GetKeyState.USER32(0000002D), ref: 0041B184
GetKeyState.USER32(0000000D), ref: 0041B18C
GetKeyState.USER32(00000027), ref: 0041B194
GetKeyState.USER32(0000002D), ref: 0041B19C
GetKeyState.USER32(0000000D), ref: 0041B1A4
GetKeyState.USER32(00000027), ref: 0041B1AC
GetKeyState.USER32(0000002D), ref: 0041B1B4
GetKeyState.USER32(0000000D), ref: 0041B1BC
GetKeyState.USER32(00000027), ref: 0041B1C4
GetKeyState.USER32(0000002D), ref: 0041B1CC
GetKeyState.USER32(0000000D), ref: 0041B1D4
GetKeyState.USER32(00000027), ref: 0041B1DC
GetKeyState.USER32(0000002D), ref: 0041B1E4
GetKeyState.USER32(0000000D), ref: 0041B1EC
GetKeyState.USER32(00000027), ref: 0041B1F4
GetKeyState.USER32(0000002D), ref: 0041B1FC
GetKeyState.USER32(0000000D), ref: 0041B204
GetKeyState.USER32(00000027), ref: 0041B20C
GetKeyState.USER32(0000002D), ref: 0041B214
GetKeyState.USER32(0000000D), ref: 0041B21C
GetKeyState.USER32(00000027), ref: 0041B224
GetKeyState.USER32(0000002D), ref: 0041B22C
GetKeyState.USER32(0000000D), ref: 0041B234
GetKeyState.USER32(00000027), ref: 0041B23C
GetKeyState.USER32(0000002D), ref: 0041B244
GetKeyState.USER32(0000000D), ref: 0041B24C
GetKeyState.USER32(00000027), ref: 0041B254
GetKeyState.USER32(0000002D), ref: 0041B25C
GetKeyState.USER32(0000000D), ref: 0041B264
GetKeyState.USER32(00000027), ref: 0041B26C
GetKeyState.USER32(0000002D), ref: 0041B274
GetKeyState.USER32(0000000D), ref: 0041B27C
GetKeyState.USER32(00000027), ref: 0041B284
GetKeyState.USER32(0000002D), ref: 0041B28C
GetKeyState.USER32(0000000D), ref: 0041B294
GetKeyState.USER32(00000027), ref: 0041B29C
GetKeyState.USER32(0000002D), ref: 0041B2A4
GetKeyState.USER32(0000000D), ref: 0041B2AC
GetKeyState.USER32(00000027), ref: 0041B2B4
GetKeyState.USER32(0000002D), ref: 0041B2BC
GetKeyState.USER32(0000000D), ref: 0041B2C4
GetKeyState.USER32(00000027), ref: 0041B2CC
GetKeyState.USER32(0000002D), ref: 0041B2D4
GetKeyState.USER32(0000000D), ref: 0041B2DC
GetKeyState.USER32(00000027), ref: 0041B2E4
GetKeyState.USER32(0000002D), ref: 0041B2EC
GetKeyState.USER32(0000000D), ref: 0041B2F4
GetKeyState.USER32(00000027), ref: 0041B2FC
GetKeyState.USER32(0000002D), ref: 0041B304
GetKeyState.USER32(0000000D), ref: 0041B30C
GetKeyState.USER32(00000027), ref: 0041B314
GetKeyState.USER32(0000002D), ref: 0041B31C
GetKeyState.USER32(0000000D), ref: 0041B324
GetKeyState.USER32(00000027), ref: 0041B32C
GetKeyState.USER32(0000002D), ref: 0041B334
GetKeyState.USER32(0000000D), ref: 0041B33C
GetKeyState.USER32(00000027), ref: 0041B344
GetKeyState.USER32(0000002D), ref: 0041B34C
GetKeyState.USER32(0000000D), ref: 0041B354
GetKeyState.USER32(00000027), ref: 0041B35C
GetKeyState.USER32(0000002D), ref: 0041B364
GetKeyState.USER32(0000000D), ref: 0041B36C
GetKeyState.USER32(00000027), ref: 0041B374
GetKeyState.USER32(0000002D), ref: 0041B37C
GetKeyState.USER32(0000000D), ref: 0041B384
GetKeyState.USER32(00000027), ref: 0041B38C
GetKeyState.USER32(0000002D), ref: 0041B394
GetKeyState.USER32(0000000D), ref: 0041B39C
GetKeyState.USER32(00000027), ref: 0041B3A4
GetKeyState.USER32(0000002D), ref: 0041B3AC
GetKeyState.USER32(0000000D), ref: 0041B3B4
GetKeyState.USER32(00000027), ref: 0041B3BC
GetKeyState.USER32(0000002D), ref: 0041B3C4
GetKeyState.USER32(0000000D), ref: 0041B3CC
GetKeyState.USER32(00000027), ref: 0041B3D4
GetKeyState.USER32(0000002D), ref: 0041B3DC
GetKeyState.USER32(0000000D), ref: 0041B3E4
GetKeyState.USER32(00000027), ref: 0041B3EC
GetKeyState.USER32(0000002D), ref: 0041B3F4
GetKeyState.USER32(0000000D), ref: 0041B3FC
GetKeyState.USER32(00000027), ref: 0041B404
GetKeyState.USER32(0000002D), ref: 0041B40C
GetKeyState.USER32(0000000D), ref: 0041B414
GetKeyState.USER32(00000027), ref: 0041B41C
GetKeyState.USER32(0000002D), ref: 0041B424
GetKeyState.USER32(0000000D), ref: 0041B42C
GetKeyState.USER32(00000027), ref: 0041B434
GetKeyState.USER32(0000002D), ref: 0041B43C
GetKeyState.USER32(0000000D), ref: 0041B444
GetKeyState.USER32(00000027), ref: 0041B44C
GetKeyState.USER32(0000002D), ref: 0041B454
GetKeyState.USER32(0000000D), ref: 0041B45C
GetKeyState.USER32(00000027), ref: 0041B464
GetKeyState.USER32(0000002D), ref: 0041B46C
GetKeyState.USER32(0000000D), ref: 0041B474
GetKeyState.USER32(00000027), ref: 0041B47C
GetKeyState.USER32(0000002D), ref: 0041B484
GetKeyState.USER32(0000000D), ref: 0041B48C
GetKeyState.USER32(00000027), ref: 0041B494
GetKeyState.USER32(0000002D), ref: 0041B49C
GetKeyState.USER32(0000000D), ref: 0041B4A4
GetKeyState.USER32(00000027), ref: 0041B4AC
GetKeyState.USER32(0000002D), ref: 0041B4B4
GetKeyState.USER32(0000000D), ref: 0041B4BC
GetKeyState.USER32(00000027), ref: 0041B4C4
GetKeyState.USER32(0000002D), ref: 0041B4CC
GetKeyState.USER32(0000000D), ref: 0041B4D4
GetKeyState.USER32(00000027), ref: 0041B4DC
GetKeyState.USER32(0000002D), ref: 0041B4E4
GetKeyState.USER32(0000000D), ref: 0041B4EC
GetKeyState.USER32(00000027), ref: 0041B4F4
GetKeyState.USER32(0000002D), ref: 0041B4FC
GetKeyState.USER32(0000000D), ref: 0041B504
GetKeyState.USER32(00000027), ref: 0041B50C
GetKeyState.USER32(0000002D), ref: 0041B514
GetKeyState.USER32(0000000D), ref: 0041B51C
GetKeyState.USER32(00000027), ref: 0041B524
GetKeyState.USER32(0000002D), ref: 0041B52C
GetKeyState.USER32(0000000D), ref: 0041B534
GetKeyState.USER32(00000027), ref: 0041B53C
GetKeyState.USER32(0000002D), ref: 0041B544
GetKeyState.USER32(0000000D), ref: 0041B54C
GetKeyState.USER32(00000027), ref: 0041B554
GetKeyState.USER32(0000002D), ref: 0041B55C
GetKeyState.USER32(0000000D), ref: 0041B564
GetKeyState.USER32(00000027), ref: 0041B56C
GetKeyState.USER32(0000002D), ref: 0041B574
GetKeyState.USER32(0000000D), ref: 0041B57C
GetKeyState.USER32(00000027), ref: 0041B584
GetKeyState.USER32(0000002D), ref: 0041B58C
GetKeyState.USER32(0000000D), ref: 0041B594
GetKeyState.USER32(00000027), ref: 0041B59C
GetKeyState.USER32(0000002D), ref: 0041B5A4
GetKeyState.USER32(0000000D), ref: 0041B5AC
GetKeyState.USER32(00000027), ref: 0041B5B4
GetKeyState.USER32(0000002D), ref: 0041B5BC
GetKeyState.USER32(0000000D), ref: 0041B5C4
GetKeyState.USER32(00000027), ref: 0041B5CC
GetKeyState.USER32(0000002D), ref: 0041B5D4
GetKeyState.USER32(0000000D), ref: 0041B5DC
GetKeyState.USER32(00000027), ref: 0041B5E4
GetKeyState.USER32(0000002D), ref: 0041B5EC
GetKeyState.USER32(0000000D), ref: 0041B5F4
GetKeyState.USER32(00000027), ref: 0041B5FC
GetKeyState.USER32(0000002D), ref: 0041B604
GetKeyState.USER32(0000000D), ref: 0041B60C
GetKeyState.USER32(00000027), ref: 0041B614
GetKeyState.USER32(0000002D), ref: 0041B61C
GetKeyState.USER32(0000000D), ref: 0041B624
GetKeyState.USER32(00000027), ref: 0041B62C
GetKeyState.USER32(0000002D), ref: 0041B634
GetKeyState.USER32(0000000D), ref: 0041B63C
GetKeyState.USER32(00000027), ref: 0041B644
GetKeyState.USER32(0000002D), ref: 0041B64C
GetKeyState.USER32(0000000D), ref: 0041B654
GetKeyState.USER32(00000027), ref: 0041B65C
GetKeyState.USER32(0000002D), ref: 0041B664
GetKeyState.USER32(0000000D), ref: 0041B66C
GetKeyState.USER32(00000027), ref: 0041B674
GetKeyState.USER32(0000002D), ref: 0041B67C
GetKeyState.USER32(0000000D), ref: 0041B684
GetKeyState.USER32(00000027), ref: 0041B68C
GetKeyState.USER32(0000002D), ref: 0041B694
GetKeyState.USER32(0000000D), ref: 0041B69C
GetKeyState.USER32(00000027), ref: 0041B6A4
GetKeyState.USER32(0000002D), ref: 0041B6AC
GetKeyState.USER32(0000000D), ref: 0041B6B4
GetKeyState.USER32(00000027), ref: 0041B6BC
GetKeyState.USER32(0000002D), ref: 0041B6C4
GetKeyState.USER32(0000000D), ref: 0041B6CC
GetKeyState.USER32(00000027), ref: 0041B6D4
GetKeyState.USER32(0000002D), ref: 0041B6DC
GetKeyState.USER32(0000000D), ref: 0041B6E4
GetKeyState.USER32(00000027), ref: 0041B6EC
GetKeyState.USER32(0000002D), ref: 0041B6F4
GetKeyState.USER32(0000000D), ref: 0041B6FC
GetKeyState.USER32(00000027), ref: 0041B704
GetKeyState.USER32(0000002D), ref: 0041B70C
GetKeyState.USER32(0000000D), ref: 0041B714
GetKeyState.USER32(00000027), ref: 0041B71C
GetKeyState.USER32(0000002D), ref: 0041B724
GetKeyState.USER32(0000000D), ref: 0041B72C
GetKeyState.USER32(00000027), ref: 0041B734
GetKeyState.USER32(0000002D), ref: 0041B73C
GetKeyState.USER32(0000000D), ref: 0041B744
GetKeyState.USER32(00000027), ref: 0041B74C
GetKeyState.USER32(0000002D), ref: 0041B754
GetKeyState.USER32(0000000D), ref: 0041B75C
GetKeyState.USER32(00000027), ref: 0041B764
GetKeyState.USER32(0000002D), ref: 0041B76C
GetKeyState.USER32(0000000D), ref: 0041B774
GetKeyState.USER32(00000027), ref: 0041B77C
GetKeyState.USER32(0000002D), ref: 0041B784
GetKeyState.USER32(0000000D), ref: 0041B78C
GetKeyState.USER32(00000027), ref: 0041B794
GetKeyState.USER32(0000002D), ref: 0041B79C
GetKeyState.USER32(0000000D), ref: 0041B7A4
GetKeyState.USER32(00000027), ref: 0041B7AC
GetKeyState.USER32(0000002D), ref: 0041B7B4
GetKeyState.USER32(0000000D), ref: 0041B7BC
GetKeyState.USER32(00000027), ref: 0041B7C4
GetKeyState.USER32(0000002D), ref: 0041B7CC
GetKeyState.USER32(0000000D), ref: 0041B7D4
GetKeyState.USER32(00000027), ref: 0041B7DC
GetKeyState.USER32(0000002D), ref: 0041B7E4
GetKeyState.USER32(0000000D), ref: 0041B7EC
GetKeyState.USER32(00000027), ref: 0041B7F4
GetKeyState.USER32(0000002D), ref: 0041B7FC
GetKeyState.USER32(0000000D), ref: 0041B804
GetKeyState.USER32(00000027), ref: 0041B80C
GetKeyState.USER32(0000002D), ref: 0041B814
GetKeyState.USER32(0000000D), ref: 0041B81C
GetKeyState.USER32(00000027), ref: 0041B824
GetKeyState.USER32(0000002D), ref: 0041B82C
GetKeyState.USER32(0000000D), ref: 0041B834
GetKeyState.USER32(00000027), ref: 0041B83C
GetKeyState.USER32(0000002D), ref: 0041B844
GetKeyState.USER32(0000000D), ref: 0041B84C
GetKeyState.USER32(00000027), ref: 0041B854
GetKeyState.USER32(0000002D), ref: 0041B85C
GetKeyState.USER32(0000000D), ref: 0041B864
GetKeyState.USER32(00000027), ref: 0041B86C
GetKeyState.USER32(0000002D), ref: 0041B874
GetKeyState.USER32(0000000D), ref: 0041B87C
GetKeyState.USER32(00000027), ref: 0041B884
GetKeyState.USER32(0000002D), ref: 0041B88C
GetKeyState.USER32(0000000D), ref: 0041B894
GetKeyState.USER32(00000027), ref: 0041B89C
GetKeyState.USER32(0000002D), ref: 0041B8A4
GetKeyState.USER32(0000000D), ref: 0041B8AC
GetKeyState.USER32(00000027), ref: 0041B8B4
GetKeyState.USER32(0000002D), ref: 0041B8BC
GetKeyState.USER32(0000000D), ref: 0041B8C4
GetKeyState.USER32(00000027), ref: 0041B8CC
GetKeyState.USER32(0000002D), ref: 0041B8D4
GetKeyState.USER32(0000000D), ref: 0041B8DC
GetKeyState.USER32(00000027), ref: 0041B8E4
GetKeyState.USER32(0000002D), ref: 0041B8EC
GetKeyState.USER32(0000000D), ref: 0041B8F4
GetKeyState.USER32(00000027), ref: 0041B8FC
GetKeyState.USER32(0000002D), ref: 0041B904
GetKeyState.USER32(0000000D), ref: 0041B90C
GetKeyState.USER32(00000027), ref: 0041B914
GetKeyState.USER32(0000002D), ref: 0041B91C
GetKeyState.USER32(0000000D), ref: 0041B924
GetKeyState.USER32(00000027), ref: 0041B92C
GetKeyState.USER32(0000002D), ref: 0041B934
GetKeyState.USER32(0000000D), ref: 0041B93C
GetKeyState.USER32(00000027), ref: 0041B944
GetKeyState.USER32(0000002D), ref: 0041B94C
GetKeyState.USER32(0000000D), ref: 0041B954
GetKeyState.USER32(00000027), ref: 0041B95C
GetKeyState.USER32(0000002D), ref: 0041B964
GetKeyState.USER32(0000000D), ref: 0041B96C
GetKeyState.USER32(00000027), ref: 0041B974
GetKeyState.USER32(0000002D), ref: 0041B97C
GetKeyState.USER32(0000000D), ref: 0041B984
GetKeyState.USER32(00000027), ref: 0041B98C
GetKeyState.USER32(0000002D), ref: 0041B994
GetKeyState.USER32(0000000D), ref: 0041B99C
GetKeyState.USER32(00000027), ref: 0041B9A4
GetKeyState.USER32(0000002D), ref: 0041B9AC
GetKeyState.USER32(0000000D), ref: 0041B9B4
GetKeyState.USER32(00000027), ref: 0041B9BC
GetKeyState.USER32(0000002D), ref: 0041B9C4
GetKeyState.USER32(0000000D), ref: 0041B9CC
GetKeyState.USER32(00000027), ref: 0041B9D4
GetKeyState.USER32(0000002D), ref: 0041B9DC
GetKeyState.USER32(0000000D), ref: 0041B9E4
GetKeyState.USER32(00000027), ref: 0041B9EC
GetKeyState.USER32(0000002D), ref: 0041B9F4
GetKeyState.USER32(0000000D), ref: 0041B9FC
GetKeyState.USER32(00000027), ref: 0041BA04
GetKeyState.USER32(0000002D), ref: 0041BA0C
GetKeyState.USER32(0000000D), ref: 0041BA14
GetKeyState.USER32(00000027), ref: 0041BA1C
GetKeyState.USER32(0000002D), ref: 0041BA24
GetKeyState.USER32(0000000D), ref: 0041BA2C
GetKeyState.USER32(00000027), ref: 0041BA34
GetKeyState.USER32(0000002D), ref: 0041BA3C
GetKeyState.USER32(0000000D), ref: 0041BA44
GetKeyState.USER32(00000027), ref: 0041BA4C
GetKeyState.USER32(0000002D), ref: 0041BA54
GetKeyState.USER32(0000000D), ref: 0041BA5C
GetKeyState.USER32(00000027), ref: 0041BA64
GetKeyState.USER32(0000002D), ref: 0041BA6C
GetKeyState.USER32(0000000D), ref: 0041BA74
GetKeyState.USER32(00000027), ref: 0041BA7C
GetKeyState.USER32(0000002D), ref: 0041BA84
GetKeyState.USER32(0000000D), ref: 0041BA8C
GetKeyState.USER32(00000027), ref: 0041BA94
GetKeyState.USER32(0000002D), ref: 0041BA9C
GetKeyState.USER32(0000000D), ref: 0041BAA4
GetKeyState.USER32(00000027), ref: 0041BAAC
GetKeyState.USER32(0000002D), ref: 0041BAB4
GetKeyState.USER32(0000000D), ref: 0041BABC
GetKeyState.USER32(00000027), ref: 0041BAC4
GetKeyState.USER32(0000002D), ref: 0041BACC
GetKeyState.USER32(0000000D), ref: 0041BAD4
GetKeyState.USER32(00000027), ref: 0041BADC
GetKeyState.USER32(0000002D), ref: 0041BAE4
GetKeyState.USER32(0000000D), ref: 0041BAEC
GetKeyState.USER32(00000027), ref: 0041BAF4
GetKeyState.USER32(0000002D), ref: 0041BAFC
GetKeyState.USER32(0000000D), ref: 0041BB04
GetKeyState.USER32(00000027), ref: 0041BB0C
GetKeyState.USER32(0000002D), ref: 0041BB14
GetKeyState.USER32(0000000D), ref: 0041BB1C
GetKeyState.USER32(00000027), ref: 0041BB24
GetKeyState.USER32(0000002D), ref: 0041BB2C
GetKeyState.USER32(0000000D), ref: 0041BB34
GetKeyState.USER32(00000027), ref: 0041BB3C
GetKeyState.USER32(0000002D), ref: 0041BB44
GetKeyState.USER32(0000000D), ref: 0041BB4C
GetKeyState.USER32(00000027), ref: 0041BB54
GetKeyState.USER32(0000002D), ref: 0041BB5C
GetKeyState.USER32(0000000D), ref: 0041BB64
GetKeyState.USER32(00000027), ref: 0041BB6C
GetKeyState.USER32(0000002D), ref: 0041BB74
GetKeyState.USER32(0000000D), ref: 0041BB7C
GetKeyState.USER32(00000027), ref: 0041BB84
GetKeyState.USER32(0000002D), ref: 0041BB8C
GetKeyState.USER32(0000000D), ref: 0041BB94
GetKeyState.USER32(00000027), ref: 0041BB9C
GetKeyState.USER32(0000002D), ref: 0041BBA4
GetKeyState.USER32(0000000D), ref: 0041BBAC
GetKeyState.USER32(00000027), ref: 0041BBB4
GetKeyState.USER32(0000002D), ref: 0041BBBC
GetKeyState.USER32(0000000D), ref: 0041BBC4
GetKeyState.USER32(00000027), ref: 0041BBCC
GetKeyState.USER32(0000002D), ref: 0041BBD4
GetKeyState.USER32(0000000D), ref: 0041BBDC
GetKeyState.USER32(00000027), ref: 0041BBE4
GetKeyState.USER32(0000002D), ref: 0041BBEC
GetKeyState.USER32(0000000D), ref: 0041BBF4
GetKeyState.USER32(00000027), ref: 0041BBFC
GetKeyState.USER32(0000002D), ref: 0041BC04
GetKeyState.USER32(0000000D), ref: 0041BC0C
GetKeyState.USER32(00000027), ref: 0041BC14
GetKeyState.USER32(0000002D), ref: 0041BC1C
GetKeyState.USER32(0000000D), ref: 0041BC24
GetKeyState.USER32(00000027), ref: 0041BC2C
GetKeyState.USER32(0000002D), ref: 0041BC34
GetKeyState.USER32(0000000D), ref: 0041BC3C
GetKeyState.USER32(00000027), ref: 0041BC44
GetKeyState.USER32(0000002D), ref: 0041BC4C
GetKeyState.USER32(0000000D), ref: 0041BC54
GetKeyState.USER32(00000027), ref: 0041BC5C
GetKeyState.USER32(0000002D), ref: 0041BC64
GetKeyState.USER32(0000000D), ref: 0041BC6C
GetKeyState.USER32(00000027), ref: 0041BC74
GetKeyState.USER32(0000002D), ref: 0041BC7C
GetKeyState.USER32(0000000D), ref: 0041BC84
GetKeyState.USER32(00000027), ref: 0041BC8C
GetKeyState.USER32(0000002D), ref: 0041BC94
GetKeyState.USER32(0000000D), ref: 0041BC9C
GetKeyState.USER32(00000027), ref: 0041BCA4
GetKeyState.USER32(0000002D), ref: 0041BCAC
GetKeyState.USER32(0000000D), ref: 0041BCB4
GetKeyState.USER32(00000027), ref: 0041BCBC
GetKeyState.USER32(0000002D), ref: 0041BCC4
GetKeyState.USER32(0000000D), ref: 0041BCCC
GetKeyState.USER32(00000027), ref: 0041BCD4
GetKeyState.USER32(0000002D), ref: 0041BCDC
GetKeyState.USER32(0000000D), ref: 0041BCE4
GetKeyState.USER32(00000027), ref: 0041BCEC
GetKeyState.USER32(0000002D), ref: 0041BCF4
GetKeyState.USER32(0000000D), ref: 0041BCFC
GetKeyState.USER32(00000027), ref: 0041BD04
GetKeyState.USER32(0000002D), ref: 0041BD0C
GetKeyState.USER32(0000000D), ref: 0041BD14
GetKeyState.USER32(00000027), ref: 0041BD1C
GetKeyState.USER32(0000002D), ref: 0041BD24
GetKeyState.USER32(0000000D), ref: 0041BD2C
GetKeyState.USER32(00000027), ref: 0041BD34
GetKeyState.USER32(0000002D), ref: 0041BD3C
GetKeyState.USER32(0000000D), ref: 0041BD44
GetKeyState.USER32(00000027), ref: 0041BD4C
GetKeyState.USER32(0000002D), ref: 0041BD54
GetKeyState.USER32(0000000D), ref: 0041BD5C
GetKeyState.USER32(00000027), ref: 0041BD64
GetKeyState.USER32(0000002D), ref: 0041BD6C
GetKeyState.USER32(0000000D), ref: 0041BD74
GetKeyState.USER32(00000027), ref: 0041BD7C
GetKeyState.USER32(0000002D), ref: 0041BD84
GetKeyState.USER32(0000000D), ref: 0041BD8C
GetKeyState.USER32(00000027), ref: 0041BD94
GetKeyState.USER32(0000002D), ref: 0041BD9C
GetKeyState.USER32(0000000D), ref: 0041BDA4
GetKeyState.USER32(00000027), ref: 0041BDAC
GetKeyState.USER32(0000002D), ref: 0041BDB4
GetKeyState.USER32(0000000D), ref: 0041BDBC
GetKeyState.USER32(00000027), ref: 0041BDC4
GetKeyState.USER32(0000002D), ref: 0041BDCC
GetKeyState.USER32(0000000D), ref: 0041BDD4
GetKeyState.USER32(00000027), ref: 0041BDDC
GetKeyState.USER32(0000002D), ref: 0041BDE4
GetKeyState.USER32(0000000D), ref: 0041BDEC
GetKeyState.USER32(00000027), ref: 0041BDF4
GetKeyState.USER32(0000002D), ref: 0041BDFC
GetKeyState.USER32(0000000D), ref: 0041BE04
GetKeyState.USER32(00000027), ref: 0041BE0C
GetKeyState.USER32(0000002D), ref: 0041BE14
GetKeyState.USER32(0000000D), ref: 0041BE1C
GetKeyState.USER32(00000027), ref: 0041BE24
GetKeyState.USER32(0000002D), ref: 0041BE2C
GetKeyState.USER32(0000000D), ref: 0041BE34
GetKeyState.USER32(00000027), ref: 0041BE3C
GetKeyState.USER32(0000002D), ref: 0041BE44
GetKeyState.USER32(0000000D), ref: 0041BE4C
GetKeyState.USER32(00000027), ref: 0041BE54
GetKeyState.USER32(0000002D), ref: 0041BE5C
GetKeyState.USER32(0000000D), ref: 0041BE64
GetKeyState.USER32(00000027), ref: 0041BE6C
GetKeyState.USER32(0000002D), ref: 0041BE74
GetKeyState.USER32(0000000D), ref: 0041BE7C
GetKeyState.USER32(00000027), ref: 0041BE84
GetKeyState.USER32(0000002D), ref: 0041BE8C
GetKeyState.USER32(0000000D), ref: 0041BE94
GetKeyState.USER32(00000027), ref: 0041BE9C
GetKeyState.USER32(0000002D), ref: 0041BEA4
GetKeyState.USER32(0000000D), ref: 0041BEAC
GetKeyState.USER32(00000027), ref: 0041BEB4
GetKeyState.USER32(0000002D), ref: 0041BEBC
GetKeyState.USER32(0000000D), ref: 0041BEC4
GetKeyState.USER32(00000027), ref: 0041BECC
GetKeyState.USER32(0000002D), ref: 0041BED4
GetKeyState.USER32(0000000D), ref: 0041BEDC
GetKeyState.USER32(00000027), ref: 0041BEE4
GetKeyState.USER32(0000002D), ref: 0041BEEC
GetKeyState.USER32(0000000D), ref: 0041BEF4
GetKeyState.USER32(00000027), ref: 0041BEFC
GetKeyState.USER32(0000002D), ref: 0041BF04
GetKeyState.USER32(0000000D), ref: 0041BF0C
GetKeyState.USER32(00000027), ref: 0041BF14
GetKeyState.USER32(0000002D), ref: 0041BF1C
GetKeyState.USER32(0000000D), ref: 0041BF24
GetKeyState.USER32(00000027), ref: 0041BF2C
GetKeyState.USER32(0000002D), ref: 0041BF34
GetKeyState.USER32(0000000D), ref: 0041BF3C
GetKeyState.USER32(00000027), ref: 0041BF44
GetKeyState.USER32(0000002D), ref: 0041BF4C
GetKeyState.USER32(0000000D), ref: 0041BF54
GetKeyState.USER32(00000027), ref: 0041BF5C
GetKeyState.USER32(0000002D), ref: 0041BF64
GetKeyState.USER32(0000000D), ref: 0041BF6C
GetKeyState.USER32(00000027), ref: 0041BF74
GetKeyState.USER32(0000002D), ref: 0041BF7C
GetKeyState.USER32(0000000D), ref: 0041BF84
GetKeyState.USER32(00000027), ref: 0041BF8C
GetKeyState.USER32(0000002D), ref: 0041BF94
GetKeyState.USER32(0000000D), ref: 0041BF9C
GetKeyState.USER32(00000027), ref: 0041BFA4
GetKeyState.USER32(0000002D), ref: 0041BFAC
GetKeyState.USER32(0000000D), ref: 0041BFB4
GetKeyState.USER32(00000027), ref: 0041BFBC
GetKeyState.USER32(0000002D), ref: 0041BFC4
GetKeyState.USER32(0000000D), ref: 0041BFCC
GetKeyState.USER32(00000027), ref: 0041BFD4
GetKeyState.USER32(0000002D), ref: 0041BFDC
GetKeyState.USER32(0000000D), ref: 0041BFE4
GetKeyState.USER32(00000027), ref: 0041BFEC
GetKeyState.USER32(0000002D), ref: 0041BFF4
GetKeyState.USER32(0000000D), ref: 0041BFFC
GetKeyState.USER32(00000027), ref: 0041C004
GetKeyState.USER32(0000002D), ref: 0041C00C
GetKeyState.USER32(0000000D), ref: 0041C014
GetKeyState.USER32(00000027), ref: 0041C01C
GetKeyState.USER32(0000002D), ref: 0041C024
GetKeyState.USER32(0000000D), ref: 0041C02C
GetKeyState.USER32(00000027), ref: 0041C034
GetKeyState.USER32(0000002D), ref: 0041C03C
GetKeyState.USER32(0000000D), ref: 0041C044
GetKeyState.USER32(00000027), ref: 0041C04C
GetKeyState.USER32(0000002D), ref: 0041C054
GetKeyState.USER32(0000000D), ref: 0041C05C
GetKeyState.USER32(00000027), ref: 0041C064
GetKeyState.USER32(0000002D), ref: 0041C06C
GetKeyState.USER32(0000000D), ref: 0041C074
GetKeyState.USER32(00000027), ref: 0041C07C
GetKeyState.USER32(0000002D), ref: 0041C084
GetKeyState.USER32(0000000D), ref: 0041C08C
GetKeyState.USER32(00000027), ref: 0041C094
GetKeyState.USER32(0000002D), ref: 0041C09C
GetKeyState.USER32(0000000D), ref: 0041C0A4
GetKeyState.USER32(00000027), ref: 0041C0AC
GetKeyState.USER32(0000002D), ref: 0041C0B4
GetKeyState.USER32(0000000D), ref: 0041C0BC
GetKeyState.USER32(00000027), ref: 0041C0C4
GetKeyState.USER32(0000002D), ref: 0041C0CC
GetKeyState.USER32(0000000D), ref: 0041C0D4
GetKeyState.USER32(00000027), ref: 0041C0DC
GetKeyState.USER32(0000002D), ref: 0041C0E4
GetKeyState.USER32(0000000D), ref: 0041C0EC
GetKeyState.USER32(00000027), ref: 0041C0F4
GetKeyState.USER32(0000002D), ref: 0041C0FC
GetKeyState.USER32(0000000D), ref: 0041C104
GetKeyState.USER32(00000027), ref: 0041C10C
GetKeyState.USER32(0000002D), ref: 0041C114
GetKeyState.USER32(0000000D), ref: 0041C11C
GetKeyState.USER32(00000027), ref: 0041C124
GetKeyState.USER32(0000002D), ref: 0041C12C
GetKeyState.USER32(0000000D), ref: 0041C134
GetKeyState.USER32(00000027), ref: 0041C13C
GetKeyState.USER32(0000002D), ref: 0041C144
GetKeyState.USER32(0000000D), ref: 0041C14C
GetKeyState.USER32(00000027), ref: 0041C154
GetKeyState.USER32(0000002D), ref: 0041C15C
GetKeyState.USER32(0000000D), ref: 0041C164
GetKeyState.USER32(00000027), ref: 0041C16C
GetKeyState.USER32(0000002D), ref: 0041C174
GetKeyState.USER32(0000000D), ref: 0041C17C
GetKeyState.USER32(00000027), ref: 0041C184
GetKeyState.USER32(0000002D), ref: 0041C18C
GetKeyState.USER32(0000000D), ref: 0041C194
GetKeyState.USER32(00000027), ref: 0041C19C
GetKeyState.USER32(0000002D), ref: 0041C1A4
GetKeyState.USER32(0000000D), ref: 0041C1AC
GetKeyState.USER32(00000027), ref: 0041C1B4
GetKeyState.USER32(0000002D), ref: 0041C1BC
GetKeyState.USER32(0000000D), ref: 0041C1C4
GetKeyState.USER32(00000027), ref: 0041C1CC
GetKeyState.USER32(0000002D), ref: 0041C1D4
GetKeyState.USER32(0000000D), ref: 0041C1DC
GetKeyState.USER32(00000027), ref: 0041C1E4
GetKeyState.USER32(0000002D), ref: 0041C1EC
GetKeyState.USER32(0000000D), ref: 0041C1F4
GetKeyState.USER32(00000027), ref: 0041C1FC
GetKeyState.USER32(0000002D), ref: 0041C204
GetKeyState.USER32(0000000D), ref: 0041C20C
GetKeyState.USER32(00000027), ref: 0041C214
GetKeyState.USER32(0000002D), ref: 0041C21C
GetKeyState.USER32(0000000D), ref: 0041C224
GetKeyState.USER32(00000027), ref: 0041C22C
GetKeyState.USER32(0000002D), ref: 0041C234
GetKeyState.USER32(0000000D), ref: 0041C23C
GetKeyState.USER32(00000027), ref: 0041C244
GetKeyState.USER32(0000002D), ref: 0041C24C
GetKeyState.USER32(0000000D), ref: 0041C254
GetKeyState.USER32(00000027), ref: 0041C25C
GetKeyState.USER32(0000002D), ref: 0041C264
GetKeyState.USER32(0000000D), ref: 0041C26C
GetKeyState.USER32(00000027), ref: 0041C274
GetKeyState.USER32(0000002D), ref: 0041C27C
GetKeyState.USER32(0000000D), ref: 0041C284
GetKeyState.USER32(00000027), ref: 0041C28C
GetKeyState.USER32(0000002D), ref: 0041C294
GetKeyState.USER32(0000000D), ref: 0041C29C
GetKeyState.USER32(00000027), ref: 0041C2A4
GetKeyState.USER32(0000002D), ref: 0041C2AC
GetKeyState.USER32(0000000D), ref: 0041C2B4
GetKeyState.USER32(00000027), ref: 0041C2BC
GetKeyState.USER32(0000002D), ref: 0041C2C4
GetKeyState.USER32(0000000D), ref: 0041C2CC
GetKeyState.USER32(00000027), ref: 0041C2D4
GetKeyState.USER32(0000002D), ref: 0041C2DC
GetKeyState.USER32(0000000D), ref: 0041C2E4
GetKeyState.USER32(00000027), ref: 0041C2EC
GetKeyState.USER32(0000002D), ref: 0041C2F4
GetKeyState.USER32(0000000D), ref: 0041C2FC
GetKeyState.USER32(00000027), ref: 0041C304
GetKeyState.USER32(0000002D), ref: 0041C30C
GetKeyState.USER32(0000000D), ref: 0041C314
GetKeyState.USER32(00000027), ref: 0041C31C
GetKeyState.USER32(0000002D), ref: 0041C324
GetKeyState.USER32(0000000D), ref: 0041C32C
GetKeyState.USER32(00000027), ref: 0041C334
GetKeyState.USER32(0000002D), ref: 0041C33C
GetKeyState.USER32(0000000D), ref: 0041C344
GetKeyState.USER32(00000027), ref: 0041C34C
GetKeyState.USER32(0000002D), ref: 0041C354
GetKeyState.USER32(0000000D), ref: 0041C35C
GetKeyState.USER32(00000027), ref: 0041C364
GetKeyState.USER32(0000002D), ref: 0041C36C
GetKeyState.USER32(0000000D), ref: 0041C374
GetKeyState.USER32(00000027), ref: 0041C37C
GetKeyState.USER32(0000002D), ref: 0041C384
GetKeyState.USER32(0000000D), ref: 0041C38C
GetKeyState.USER32(00000027), ref: 0041C394
GetKeyState.USER32(0000002D), ref: 0041C39C
GetKeyState.USER32(0000000D), ref: 0041C3A4
GetKeyState.USER32(00000027), ref: 0041C3AC
GetKeyState.USER32(0000002D), ref: 0041C3B4
GetKeyState.USER32(0000000D), ref: 0041C3BC
GetKeyState.USER32(00000027), ref: 0041C3C4
GetKeyState.USER32(0000002D), ref: 0041C3CC
GetKeyState.USER32(0000000D), ref: 0041C3D4
GetKeyState.USER32(00000027), ref: 0041C3DC
GetKeyState.USER32(0000002D), ref: 0041C3E4
GetKeyState.USER32(0000000D), ref: 0041C3EC
GetKeyState.USER32(00000027), ref: 0041C3F4
GetKeyState.USER32(0000002D), ref: 0041C3FC
GetKeyState.USER32(0000000D), ref: 0041C404
GetKeyState.USER32(00000027), ref: 0041C40C
GetKeyState.USER32(0000002D), ref: 0041C414
GetKeyState.USER32(0000000D), ref: 0041C41C
GetKeyState.USER32(00000027), ref: 0041C424
GetKeyState.USER32(0000002D), ref: 0041C42C
GetKeyState.USER32(0000000D), ref: 0041C434
GetKeyState.USER32(00000027), ref: 0041C43C
GetKeyState.USER32(0000002D), ref: 0041C444
GetKeyState.USER32(0000000D), ref: 0041C44C
GetKeyState.USER32(00000027), ref: 0041C454
GetKeyState.USER32(0000002D), ref: 0041C45C
GetKeyState.USER32(0000000D), ref: 0041C464
GetKeyState.USER32(00000027), ref: 0041C46C
GetKeyState.USER32(0000002D), ref: 0041C474
GetKeyState.USER32(0000000D), ref: 0041C47C
GetKeyState.USER32(00000027), ref: 0041C484
GetKeyState.USER32(0000002D), ref: 0041C48C
GetKeyState.USER32(0000000D), ref: 0041C494
GetKeyState.USER32(00000027), ref: 0041C49C
GetKeyState.USER32(0000002D), ref: 0041C4A4
GetKeyState.USER32(0000000D), ref: 0041C4AC
GetKeyState.USER32(00000027), ref: 0041C4B4
GetKeyState.USER32(0000002D), ref: 0041C4BC
GetKeyState.USER32(0000000D), ref: 0041C4C4
GetKeyState.USER32(00000027), ref: 0041C4CC
GetKeyState.USER32(0000002D), ref: 0041C4D4
GetKeyState.USER32(0000000D), ref: 0041C4DC
GetKeyState.USER32(00000027), ref: 0041C4E4
GetKeyState.USER32(0000002D), ref: 0041C4EC
GetKeyState.USER32(0000000D), ref: 0041C4F4
GetKeyState.USER32(00000027), ref: 0041C4FC
GetKeyState.USER32(0000002D), ref: 0041C504
GetKeyState.USER32(0000000D), ref: 0041C50C
GetKeyState.USER32(00000027), ref: 0041C514
GetKeyState.USER32(0000002D), ref: 0041C51C
GetKeyState.USER32(0000000D), ref: 0041C524
GetKeyState.USER32(00000027), ref: 0041C52C
GetKeyState.USER32(0000002D), ref: 0041C534
GetKeyState.USER32(0000000D), ref: 0041C53C
GetKeyState.USER32(00000027), ref: 0041C544
GetKeyState.USER32(0000002D), ref: 0041C54C
GetKeyState.USER32(0000000D), ref: 0041C554
GetKeyState.USER32(00000027), ref: 0041C55C
GetKeyState.USER32(0000002D), ref: 0041C564
GetKeyState.USER32(0000000D), ref: 0041C56C
GetKeyState.USER32(00000027), ref: 0041C574
GetKeyState.USER32(0000002D), ref: 0041C57C
GetKeyState.USER32(0000000D), ref: 0041C584
GetKeyState.USER32(00000027), ref: 0041C58C
GetKeyState.USER32(0000002D), ref: 0041C594
GetKeyState.USER32(0000000D), ref: 0041C59C
GetKeyState.USER32(00000027), ref: 0041C5A4
GetKeyState.USER32(0000002D), ref: 0041C5AC
GetKeyState.USER32(0000000D), ref: 0041C5B4
GetKeyState.USER32(00000027), ref: 0041C5BC
GetKeyState.USER32(0000002D), ref: 0041C5C4
GetKeyState.USER32(0000000D), ref: 0041C5CC
GetKeyState.USER32(00000027), ref: 0041C5D4
GetKeyState.USER32(0000002D), ref: 0041C5DC
GetKeyState.USER32(0000000D), ref: 0041C5E4
GetKeyState.USER32(00000027), ref: 0041C5EC
GetKeyState.USER32(0000002D), ref: 0041C5F4
GetKeyState.USER32(0000000D), ref: 0041C5FC
GetKeyState.USER32(00000027), ref: 0041C604
GetKeyState.USER32(0000002D), ref: 0041C60C
GetKeyState.USER32(0000000D), ref: 0041C614
GetKeyState.USER32(00000027), ref: 0041C61C
GetKeyState.USER32(0000002D), ref: 0041C624
GetKeyState.USER32(0000000D), ref: 0041C62C
GetKeyState.USER32(00000027), ref: 0041C634
GetKeyState.USER32(0000002D), ref: 0041C63C
GetKeyState.USER32(0000000D), ref: 0041C644
GetKeyState.USER32(00000027), ref: 0041C64C
GetKeyState.USER32(0000002D), ref: 0041C654
GetKeyState.USER32(0000000D), ref: 0041C65C
GetKeyState.USER32(00000027), ref: 0041C664
GetKeyState.USER32(0000002D), ref: 0041C66C
GetKeyState.USER32(0000000D), ref: 0041C674
GetKeyState.USER32(00000027), ref: 0041C67C
GetKeyState.USER32(0000002D), ref: 0041C684
GetKeyState.USER32(0000000D), ref: 0041C68C
GetKeyState.USER32(00000027), ref: 0041C694
GetKeyState.USER32(0000002D), ref: 0041C69C
GetKeyState.USER32(0000000D), ref: 0041C6A4
GetKeyState.USER32(00000027), ref: 0041C6AC
GetKeyState.USER32(0000002D), ref: 0041C6B4
GetKeyState.USER32(0000000D), ref: 0041C6BC
GetKeyState.USER32(00000027), ref: 0041C6C4
GetKeyState.USER32(0000002D), ref: 0041C6CC
GetKeyState.USER32(0000000D), ref: 0041C6D4
GetKeyState.USER32(00000027), ref: 0041C6DC
GetKeyState.USER32(0000002D), ref: 0041C6E4
GetKeyState.USER32(0000000D), ref: 0041C6EC
GetKeyState.USER32(00000027), ref: 0041C6F4
GetKeyState.USER32(0000002D), ref: 0041C6FC
GetKeyState.USER32(0000000D), ref: 0041C704
GetKeyState.USER32(00000027), ref: 0041C70C
GetKeyState.USER32(0000002D), ref: 0041C714
GetKeyState.USER32(0000000D), ref: 0041C71C
GetKeyState.USER32(00000027), ref: 0041C724
GetKeyState.USER32(0000002D), ref: 0041C72C
GetKeyState.USER32(0000000D), ref: 0041C734
GetKeyState.USER32(00000027), ref: 0041C73C
GetKeyState.USER32(0000002D), ref: 0041C744
GetKeyState.USER32(0000000D), ref: 0041C74C
GetKeyState.USER32(00000027), ref: 0041C754
GetKeyState.USER32(0000002D), ref: 0041C75C
GetKeyState.USER32(0000000D), ref: 0041C764
GetKeyState.USER32(00000027), ref: 0041C76C
GetKeyState.USER32(0000002D), ref: 0041C774
GetKeyState.USER32(0000000D), ref: 0041C77C
GetKeyState.USER32(00000027), ref: 0041C784
GetKeyState.USER32(0000002D), ref: 0041C78C
GetKeyState.USER32(0000000D), ref: 0041C794
GetKeyState.USER32(00000027), ref: 0041C79C
GetKeyState.USER32(0000002D), ref: 0041C7A4
GetKeyState.USER32(0000000D), ref: 0041C7AC
GetKeyState.USER32(00000027), ref: 0041C7B4
GetKeyState.USER32(0000002D), ref: 0041C7BC
GetKeyState.USER32(0000000D), ref: 0041C7C4
GetKeyState.USER32(00000027), ref: 0041C7CC
GetKeyState.USER32(0000002D), ref: 0041C7D4
GetKeyState.USER32(0000000D), ref: 0041C7DC
GetKeyState.USER32(00000027), ref: 0041C7E4
GetKeyState.USER32(0000002D), ref: 0041C7EC
GetKeyState.USER32(0000000D), ref: 0041C7F4
GetKeyState.USER32(00000027), ref: 0041C7FC
GetKeyState.USER32(0000002D), ref: 0041C804
GetKeyState.USER32(0000000D), ref: 0041C80C
GetKeyState.USER32(00000027), ref: 0041C814
GetKeyState.USER32(0000002D), ref: 0041C81C
GetKeyState.USER32(0000000D), ref: 0041C824
GetKeyState.USER32(00000027), ref: 0041C82C
GetKeyState.USER32(0000002D), ref: 0041C834
GetKeyState.USER32(0000000D), ref: 0041C83C
GetKeyState.USER32(00000027), ref: 0041C844
GetKeyState.USER32(0000002D), ref: 0041C84C
GetKeyState.USER32(0000000D), ref: 0041C854
GetKeyState.USER32(00000027), ref: 0041C85C
GetKeyState.USER32(0000002D), ref: 0041C864
GetKeyState.USER32(0000000D), ref: 0041C86C
GetKeyState.USER32(00000027), ref: 0041C874
GetKeyState.USER32(0000002D), ref: 0041C87C
GetKeyState.USER32(0000000D), ref: 0041C884
GetKeyState.USER32(00000027), ref: 0041C88C
GetKeyState.USER32(0000002D), ref: 0041C894
GetKeyState.USER32(0000000D), ref: 0041C89C
GetKeyState.USER32(00000027), ref: 0041C8A4
GetKeyState.USER32(0000002D), ref: 0041C8AC
GetKeyState.USER32(0000000D), ref: 0041C8B4
GetKeyState.USER32(00000027), ref: 0041C8BC
GetKeyState.USER32(0000002D), ref: 0041C8C4
GetKeyState.USER32(0000000D), ref: 0041C8CC
GetKeyState.USER32(00000027), ref: 0041C8D4
GetKeyState.USER32(0000002D), ref: 0041C8DC
GetKeyState.USER32(0000000D), ref: 0041C8E4
GetKeyState.USER32(00000027), ref: 0041C8EC
GetKeyState.USER32(0000002D), ref: 0041C8F4
GetKeyState.USER32(0000000D), ref: 0041C8FC
GetKeyState.USER32(00000027), ref: 0041C904
GetKeyState.USER32(0000002D), ref: 0041C90C
GetKeyState.USER32(0000000D), ref: 0041C914
GetKeyState.USER32(00000027), ref: 0041C91C
GetKeyState.USER32(0000002D), ref: 0041C924
GetKeyState.USER32(0000000D), ref: 0041C92C
GetKeyState.USER32(00000027), ref: 0041C934
GetKeyState.USER32(0000002D), ref: 0041C93C
GetKeyState.USER32(0000000D), ref: 0041C944
GetKeyState.USER32(00000027), ref: 0041C94C
GetKeyState.USER32(0000002D), ref: 0041C954
GetKeyState.USER32(0000000D), ref: 0041C95C
GetKeyState.USER32(00000027), ref: 0041C964
GetKeyState.USER32(0000002D), ref: 0041C96C
GetKeyState.USER32(0000000D), ref: 0041C974
GetKeyState.USER32(00000027), ref: 0041C97C
GetKeyState.USER32(0000002D), ref: 0041C984
GetKeyState.USER32(0000000D), ref: 0041C98C
GetKeyState.USER32(00000027), ref: 0041C994
GetKeyState.USER32(0000002D), ref: 0041C99C
GetKeyState.USER32(0000000D), ref: 0041C9A4
GetKeyState.USER32(00000027), ref: 0041C9AC
GetKeyState.USER32(0000002D), ref: 0041C9B4
GetKeyState.USER32(0000000D), ref: 0041C9BC
GetKeyState.USER32(00000027), ref: 0041C9C4
GetKeyState.USER32(0000002D), ref: 0041C9CC
GetKeyState.USER32(0000000D), ref: 0041C9D4
GetKeyState.USER32(00000027), ref: 0041C9DC
GetKeyState.USER32(0000002D), ref: 0041C9E4
GetKeyState.USER32(0000000D), ref: 0041C9EC
GetKeyState.USER32(00000027), ref: 0041C9F4
GetKeyState.USER32(0000002D), ref: 0041C9FC
GetKeyState.USER32(0000000D), ref: 0041CA04
GetKeyState.USER32(00000027), ref: 0041CA0C
GetKeyState.USER32(0000002D), ref: 0041CA14
GetKeyState.USER32(0000000D), ref: 0041CA1C
GetKeyState.USER32(00000027), ref: 0041CA24
GetKeyState.USER32(0000002D), ref: 0041CA2C
GetKeyState.USER32(0000000D), ref: 0041CA34
GetKeyState.USER32(00000027), ref: 0041CA3C
GetKeyState.USER32(0000002D), ref: 0041CA44
GetKeyState.USER32(0000000D), ref: 0041CA4C
GetKeyState.USER32(00000027), ref: 0041CA54
GetKeyState.USER32(0000002D), ref: 0041CA5C
GetKeyState.USER32(0000000D), ref: 0041CA64
GetKeyState.USER32(00000027), ref: 0041CA6C
GetKeyState.USER32(0000002D), ref: 0041CA74
GetKeyState.USER32(0000000D), ref: 0041CA7C
GetKeyState.USER32(00000027), ref: 0041CA84
GetKeyState.USER32(0000002D), ref: 0041CA8C
GetKeyState.USER32(0000000D), ref: 0041CA94
GetKeyState.USER32(00000027), ref: 0041CA9C
GetKeyState.USER32(0000002D), ref: 0041CAA4
GetKeyState.USER32(0000000D), ref: 0041CAAC
GetKeyState.USER32(00000027), ref: 0041CAB4
GetKeyState.USER32(0000002D), ref: 0041CABC
GetKeyState.USER32(0000000D), ref: 0041CAC4
GetKeyState.USER32(00000027), ref: 0041CACC
GetKeyState.USER32(0000002D), ref: 0041CAD4
GetKeyState.USER32(0000000D), ref: 0041CADC
GetKeyState.USER32(00000027), ref: 0041CAE4
GetKeyState.USER32(0000002D), ref: 0041CAEC
GetKeyState.USER32(0000000D), ref: 0041CAF4
GetKeyState.USER32(00000027), ref: 0041CAFC
GetKeyState.USER32(0000002D), ref: 0041CB04
GetKeyState.USER32(0000000D), ref: 0041CB0C
GetKeyState.USER32(00000027), ref: 0041CB14
GetKeyState.USER32(0000002D), ref: 0041CB1C
GetKeyState.USER32(0000000D), ref: 0041CB24
GetKeyState.USER32(00000027), ref: 0041CB2C
GetKeyState.USER32(0000002D), ref: 0041CB34
GetKeyState.USER32(0000000D), ref: 0041CB3C
GetKeyState.USER32(00000027), ref: 0041CB44
GetKeyState.USER32(0000002D), ref: 0041CB4C
GetKeyState.USER32(0000000D), ref: 0041CB54
GetKeyState.USER32(00000027), ref: 0041CB5C
GetKeyState.USER32(0000002D), ref: 0041CB64
GetKeyState.USER32(0000000D), ref: 0041CB6C
GetKeyState.USER32(00000027), ref: 0041CB74
GetKeyState.USER32(0000002D), ref: 0041CB7C
GetKeyState.USER32(0000000D), ref: 0041CB84
GetKeyState.USER32(00000027), ref: 0041CB8C
GetKeyState.USER32(0000002D), ref: 0041CB94
GetKeyState.USER32(0000000D), ref: 0041CB9C
GetKeyState.USER32(00000027), ref: 0041CBA4
GetKeyState.USER32(0000002D), ref: 0041CBAC
GetKeyState.USER32(0000000D), ref: 0041CBB4
GetKeyState.USER32(00000027), ref: 0041CBBC
GetKeyState.USER32(0000002D), ref: 0041CBC4
GetKeyState.USER32(0000000D), ref: 0041CBCC
GetKeyState.USER32(00000027), ref: 0041CBD4
GetKeyState.USER32(0000002D), ref: 0041CBDC
GetKeyState.USER32(0000000D), ref: 0041CBE4
GetKeyState.USER32(00000027), ref: 0041CBEC
GetKeyState.USER32(0000002D), ref: 0041CBF4
GetKeyState.USER32(0000000D), ref: 0041CBFC
GetKeyState.USER32(00000027), ref: 0041CC04
GetKeyState.USER32(0000002D), ref: 0041CC0C
GetKeyState.USER32(0000000D), ref: 0041CC14
GetKeyState.USER32(00000027), ref: 0041CC1C
GetKeyState.USER32(0000002D), ref: 0041CC24
GetKeyState.USER32(0000000D), ref: 0041CC2C
GetKeyState.USER32(00000027), ref: 0041CC34
GetKeyState.USER32(0000002D), ref: 0041CC3C
GetKeyState.USER32(0000000D), ref: 0041CC44
GetKeyState.USER32(00000027), ref: 0041CC4C
GetKeyState.USER32(0000002D), ref: 0041CC54
GetKeyState.USER32(0000000D), ref: 0041CC5C
GetKeyState.USER32(00000027), ref: 0041CC64
GetKeyState.USER32(0000002D), ref: 0041CC6C
GetKeyState.USER32(0000000D), ref: 0041CC74
GetKeyState.USER32(00000027), ref: 0041CC7C
GetKeyState.USER32(0000002D), ref: 0041CC84
GetKeyState.USER32(0000000D), ref: 0041CC8C
GetKeyState.USER32(00000027), ref: 0041CC94
GetKeyState.USER32(0000002D), ref: 0041CC9C
GetKeyState.USER32(0000000D), ref: 0041CCA4
GetKeyState.USER32(00000027), ref: 0041CCAC
GetKeyState.USER32(0000002D), ref: 0041CCB4
GetKeyState.USER32(0000000D), ref: 0041CCBC
GetKeyState.USER32(00000027), ref: 0041CCC4
GetKeyState.USER32(0000002D), ref: 0041CCCC
GetKeyState.USER32(0000000D), ref: 0041CCD4
GetKeyState.USER32(00000027), ref: 0041CCDC
GetKeyState.USER32(0000002D), ref: 0041CCE4
GetKeyState.USER32(0000000D), ref: 0041CCEC
GetKeyState.USER32(00000027), ref: 0041CCF4
GetKeyState.USER32(0000002D), ref: 0041CCFC
GetKeyState.USER32(0000000D), ref: 0041CD04
GetKeyState.USER32(00000027), ref: 0041CD0C
GetKeyState.USER32(0000002D), ref: 0041CD14
GetKeyState.USER32(0000000D), ref: 0041CD1C
GetKeyState.USER32(00000027), ref: 0041CD24
GetKeyState.USER32(0000002D), ref: 0041CD2C
GetKeyState.USER32(0000000D), ref: 0041CD34
GetKeyState.USER32(00000027), ref: 0041CD3C
GetKeyState.USER32(0000002D), ref: 0041CD44
GetKeyState.USER32(0000000D), ref: 0041CD4C
GetKeyState.USER32(00000027), ref: 0041CD54
GetKeyState.USER32(0000002D), ref: 0041CD5C
GetKeyState.USER32(0000000D), ref: 0041CD64
GetKeyState.USER32(00000027), ref: 0041CD6C
GetKeyState.USER32(0000002D), ref: 0041CD74
GetKeyState.USER32(0000000D), ref: 0041CD7C
GetKeyState.USER32(00000027), ref: 0041CD84
GetKeyState.USER32(0000002D), ref: 0041CD8C
GetKeyState.USER32(0000000D), ref: 0041CD94
GetKeyState.USER32(00000027), ref: 0041CD9C
GetKeyState.USER32(0000002D), ref: 0041CDA4
GetKeyState.USER32(0000000D), ref: 0041CDAC
GetKeyState.USER32(00000027), ref: 0041CDB4
GetKeyState.USER32(0000002D), ref: 0041CDBC
GetKeyState.USER32(0000000D), ref: 0041CDC4
GetKeyState.USER32(00000027), ref: 0041CDCC
GetKeyState.USER32(0000002D), ref: 0041CDD4
GetKeyState.USER32(0000000D), ref: 0041CDDC
GetKeyState.USER32(00000027), ref: 0041CDE4
GetKeyState.USER32(0000002D), ref: 0041CDEC
GetKeyState.USER32(0000000D), ref: 0041CDF4
GetKeyState.USER32(00000027), ref: 0041CDFC
GetKeyState.USER32(0000002D), ref: 0041CE04
GetKeyState.USER32(0000000D), ref: 0041CE0C
GetKeyState.USER32(00000027), ref: 0041CE14
GetKeyState.USER32(0000002D), ref: 0041CE1C
GetKeyState.USER32(0000000D), ref: 0041CE24
GetKeyState.USER32(00000027), ref: 0041CE2C
GetKeyState.USER32(0000002D), ref: 0041CE34
GetKeyState.USER32(0000000D), ref: 0041CE3C
GetKeyState.USER32(00000027), ref: 0041CE44
GetKeyState.USER32(0000002D), ref: 0041CE4C
GetKeyState.USER32(0000000D), ref: 0041CE54
GetKeyState.USER32(00000027), ref: 0041CE5C
GetKeyState.USER32(0000002D), ref: 0041CE64
GetKeyState.USER32(0000000D), ref: 0041CE6C
GetKeyState.USER32(00000027), ref: 0041CE74
GetKeyState.USER32(0000002D), ref: 0041CE7C
GetKeyState.USER32(0000000D), ref: 0041CE84
GetKeyState.USER32(00000027), ref: 0041CE8C
GetKeyState.USER32(0000002D), ref: 0041CE94
GetKeyState.USER32(0000000D), ref: 0041CE9C
GetKeyState.USER32(00000027), ref: 0041CEA4
GetKeyState.USER32(0000002D), ref: 0041CEAC
GetKeyState.USER32(0000000D), ref: 0041CEB4
GetKeyState.USER32(00000027), ref: 0041CEBC
GetKeyState.USER32(0000002D), ref: 0041CEC4
GetKeyState.USER32(0000000D), ref: 0041CECC
GetKeyState.USER32(00000027), ref: 0041CED4
GetKeyState.USER32(0000002D), ref: 0041CEDC
GetKeyState.USER32(0000000D), ref: 0041CEE4
GetKeyState.USER32(00000027), ref: 0041CEEC
GetKeyState.USER32(0000002D), ref: 0041CEF4
GetKeyState.USER32(0000000D), ref: 0041CEFC
GetKeyState.USER32(00000027), ref: 0041CF04
GetKeyState.USER32(0000002D), ref: 0041CF0C
GetKeyState.USER32(0000000D), ref: 0041CF14
GetKeyState.USER32(00000027), ref: 0041CF1C
GetKeyState.USER32(0000002D), ref: 0041CF24
GetKeyState.USER32(0000000D), ref: 0041CF2C
GetKeyState.USER32(00000027), ref: 0041CF34
GetKeyState.USER32(0000002D), ref: 0041CF3C
GetKeyState.USER32(0000000D), ref: 0041CF44
GetKeyState.USER32(00000027), ref: 0041CF4C
GetKeyState.USER32(0000002D), ref: 0041CF54
GetKeyState.USER32(0000000D), ref: 0041CF5C
GetKeyState.USER32(00000027), ref: 0041CF64
GetKeyState.USER32(0000002D), ref: 0041CF6C
GetKeyState.USER32(0000000D), ref: 0041CF74
GetKeyState.USER32(00000027), ref: 0041CF7C
GetKeyState.USER32(0000002D), ref: 0041CF84
GetKeyState.USER32(0000000D), ref: 0041CF8C
GetKeyState.USER32(00000027), ref: 0041CF94
GetKeyState.USER32(0000002D), ref: 0041CF9C
GetKeyState.USER32(0000000D), ref: 0041CFA4
GetKeyState.USER32(00000027), ref: 0041CFAC
GetKeyState.USER32(0000002D), ref: 0041CFB4
GetKeyState.USER32(0000000D), ref: 0041CFBC
GetKeyState.USER32(00000027), ref: 0041CFC4
GetKeyState.USER32(0000002D), ref: 0041CFCC
GetKeyState.USER32(0000000D), ref: 0041CFD4
GetKeyState.USER32(00000027), ref: 0041CFDC
GetKeyState.USER32(0000002D), ref: 0041CFE4
GetKeyState.USER32(0000000D), ref: 0041CFEC
GetKeyState.USER32(00000027), ref: 0041CFF4
GetKeyState.USER32(0000002D), ref: 0041CFFC
GetKeyState.USER32(0000000D), ref: 0041D004
GetKeyState.USER32(00000027), ref: 0041D00C
GetKeyState.USER32(0000002D), ref: 0041D014
GetKeyState.USER32(0000000D), ref: 0041D01C
GetKeyState.USER32(00000027), ref: 0041D024
GetKeyState.USER32(0000002D), ref: 0041D02C
GetKeyState.USER32(0000000D), ref: 0041D034
GetKeyState.USER32(00000027), ref: 0041D03C
GetKeyState.USER32(0000002D), ref: 0041D044
GetKeyState.USER32(0000000D), ref: 0041D04C
GetKeyState.USER32(00000027), ref: 0041D054
GetKeyState.USER32(0000002D), ref: 0041D05C
GetKeyState.USER32(0000000D), ref: 0041D064
GetKeyState.USER32(00000027), ref: 0041D06C
GetKeyState.USER32(0000002D), ref: 0041D074
GetKeyState.USER32(0000000D), ref: 0041D07C
GetKeyState.USER32(00000027), ref: 0041D084
GetKeyState.USER32(0000002D), ref: 0041D08C
GetKeyState.USER32(0000000D), ref: 0041D094
GetKeyState.USER32(00000027), ref: 0041D09C
GetKeyState.USER32(0000002D), ref: 0041D0A4
GetKeyState.USER32(0000000D), ref: 0041D0AC
GetKeyState.USER32(00000027), ref: 0041D0B4
GetKeyState.USER32(0000002D), ref: 0041D0BC
GetKeyState.USER32(0000000D), ref: 0041D0C4
GetKeyState.USER32(00000027), ref: 0041D0CC
GetKeyState.USER32(0000002D), ref: 0041D0D4
GetKeyState.USER32(0000000D), ref: 0041D0DC
GetKeyState.USER32(00000027), ref: 0041D0E4
GetKeyState.USER32(0000002D), ref: 0041D0EC
GetKeyState.USER32(0000000D), ref: 0041D0F4
GetKeyState.USER32(00000027), ref: 0041D0FC
GetKeyState.USER32(0000002D), ref: 0041D104
GetKeyState.USER32(0000000D), ref: 0041D10C
GetKeyState.USER32(00000027), ref: 0041D114
GetKeyState.USER32(0000002D), ref: 0041D11C
GetKeyState.USER32(0000000D), ref: 0041D124
GetKeyState.USER32(00000027), ref: 0041D12C
GetKeyState.USER32(0000002D), ref: 0041D134
GetKeyState.USER32(0000000D), ref: 0041D13C
GetKeyState.USER32(00000027), ref: 0041D144
GetKeyState.USER32(0000002D), ref: 0041D14C
GetKeyState.USER32(0000000D), ref: 0041D154
GetKeyState.USER32(00000027), ref: 0041D15C
GetKeyState.USER32(0000002D), ref: 0041D164
GetKeyState.USER32(0000000D), ref: 0041D16C
GetKeyState.USER32(00000027), ref: 0041D174
GetKeyState.USER32(0000002D), ref: 0041D17C
GetKeyState.USER32(0000000D), ref: 0041D184
GetKeyState.USER32(00000027), ref: 0041D18C
GetKeyState.USER32(0000002D), ref: 0041D194
GetKeyState.USER32(0000000D), ref: 0041D19C
GetKeyState.USER32(00000027), ref: 0041D1A4
GetKeyState.USER32(0000002D), ref: 0041D1AC
GetKeyState.USER32(0000000D), ref: 0041D1B4
GetKeyState.USER32(00000027), ref: 0041D1BC
GetKeyState.USER32(0000002D), ref: 0041D1C4
GetKeyState.USER32(0000000D), ref: 0041D1CC
GetKeyState.USER32(00000027), ref: 0041D1D4
GetKeyState.USER32(0000002D), ref: 0041D1DC
GetKeyState.USER32(0000000D), ref: 0041D1E4
GetKeyState.USER32(00000027), ref: 0041D1EC
GetKeyState.USER32(0000002D), ref: 0041D1F4
GetKeyState.USER32(0000000D), ref: 0041D1FC
GetKeyState.USER32(00000027), ref: 0041D204
GetKeyState.USER32(0000002D), ref: 0041D20C
GetKeyState.USER32(0000000D), ref: 0041D214
GetKeyState.USER32(00000027), ref: 0041D21C
GetKeyState.USER32(0000002D), ref: 0041D224
GetKeyState.USER32(0000000D), ref: 0041D22C
GetKeyState.USER32(00000027), ref: 0041D234
GetKeyState.USER32(0000002D), ref: 0041D23C
GetKeyState.USER32(0000000D), ref: 0041D244
GetKeyState.USER32(00000027), ref: 0041D24C
GetKeyState.USER32(0000002D), ref: 0041D254
GetKeyState.USER32(0000000D), ref: 0041D25C
GetKeyState.USER32(00000027), ref: 0041D264
GetKeyState.USER32(0000002D), ref: 0041D26C
GetKeyState.USER32(0000000D), ref: 0041D274
GetKeyState.USER32(00000027), ref: 0041D27C
GetKeyState.USER32(0000002D), ref: 0041D284
GetKeyState.USER32(0000000D), ref: 0041D28C
GetKeyState.USER32(00000027), ref: 0041D294
GetKeyState.USER32(0000002D), ref: 0041D29C
GetKeyState.USER32(0000000D), ref: 0041D2A4
GetKeyState.USER32(00000027), ref: 0041D2AC
GetKeyState.USER32(0000002D), ref: 0041D2B4
GetKeyState.USER32(0000000D), ref: 0041D2BC
GetKeyState.USER32(00000027), ref: 0041D2C4
GetKeyState.USER32(0000002D), ref: 0041D2CC
GetKeyState.USER32(0000000D), ref: 0041D2D4
GetKeyState.USER32(00000027), ref: 0041D2DC
GetKeyState.USER32(0000002D), ref: 0041D2E4
GetKeyState.USER32(0000000D), ref: 0041D2EC
GetKeyState.USER32(00000027), ref: 0041D2F4
GetKeyState.USER32(0000002D), ref: 0041D2FC
GetKeyState.USER32(0000000D), ref: 0041D304
GetKeyState.USER32(00000027), ref: 0041D30C
GetKeyState.USER32(0000002D), ref: 0041D314
GetKeyState.USER32(0000000D), ref: 0041D31C
GetKeyState.USER32(00000027), ref: 0041D324
GetKeyState.USER32(0000002D), ref: 0041D32C
GetKeyState.USER32(0000000D), ref: 0041D334
GetKeyState.USER32(00000027), ref: 0041D33C
GetKeyState.USER32(0000002D), ref: 0041D344
GetKeyState.USER32(0000000D), ref: 0041D34C
GetKeyState.USER32(00000027), ref: 0041D354
GetKeyState.USER32(0000002D), ref: 0041D35C
GetKeyState.USER32(0000000D), ref: 0041D364
GetKeyState.USER32(00000027), ref: 0041D36C
GetKeyState.USER32(0000002D), ref: 0041D374
GetKeyState.USER32(0000000D), ref: 0041D37C
GetKeyState.USER32(00000027), ref: 0041D384
GetKeyState.USER32(0000002D), ref: 0041D38C
GetKeyState.USER32(0000000D), ref: 0041D394
GetKeyState.USER32(00000027), ref: 0041D39C
GetKeyState.USER32(0000002D), ref: 0041D3A4
GetKeyState.USER32(0000000D), ref: 0041D3AC
GetKeyState.USER32(00000027), ref: 0041D3B4
GetKeyState.USER32(0000002D), ref: 0041D3BC
GetKeyState.USER32(0000000D), ref: 0041D3C4
GetKeyState.USER32(00000027), ref: 0041D3CC
GetKeyState.USER32(0000002D), ref: 0041D3D4
GetKeyState.USER32(0000000D), ref: 0041D3DC
GetKeyState.USER32(00000027), ref: 0041D3E4
GetKeyState.USER32(0000002D), ref: 0041D3EC
GetKeyState.USER32(0000000D), ref: 0041D3F4
GetKeyState.USER32(00000027), ref: 0041D3FC
GetKeyState.USER32(0000002D), ref: 0041D404
GetKeyState.USER32(0000000D), ref: 0041D40C
GetKeyState.USER32(00000027), ref: 0041D414
GetKeyState.USER32(0000002D), ref: 0041D41C
GetKeyState.USER32(0000000D), ref: 0041D424
GetKeyState.USER32(00000027), ref: 0041D42C
GetKeyState.USER32(0000002D), ref: 0041D434
GetKeyState.USER32(0000000D), ref: 0041D43C
GetKeyState.USER32(00000027), ref: 0041D444
GetKeyState.USER32(0000002D), ref: 0041D44C
GetKeyState.USER32(0000000D), ref: 0041D454
GetKeyState.USER32(00000027), ref: 0041D45C
GetKeyState.USER32(0000002D), ref: 0041D464
GetKeyState.USER32(0000000D), ref: 0041D46C
GetKeyState.USER32(00000027), ref: 0041D474
GetKeyState.USER32(0000002D), ref: 0041D47C
GetKeyState.USER32(0000000D), ref: 0041D484
GetKeyState.USER32(00000027), ref: 0041D48C
GetKeyState.USER32(0000002D), ref: 0041D494
GetKeyState.USER32(0000000D), ref: 0041D49C
GetKeyState.USER32(00000027), ref: 0041D4A4
GetKeyState.USER32(0000002D), ref: 0041D4AC
GetKeyState.USER32(0000000D), ref: 0041D4B4
GetKeyState.USER32(00000027), ref: 0041D4BC
GetKeyState.USER32(0000002D), ref: 0041D4C4
GetKeyState.USER32(0000000D), ref: 0041D4CC
GetKeyState.USER32(00000027), ref: 0041D4D4
GetKeyState.USER32(0000002D), ref: 0041D4DC
GetKeyState.USER32(0000000D), ref: 0041D4E4
GetKeyState.USER32(00000027), ref: 0041D4EC
GetKeyState.USER32(0000002D), ref: 0041D4F4
GetKeyState.USER32(0000000D), ref: 0041D4FC
GetKeyState.USER32(00000027), ref: 0041D504
GetKeyState.USER32(0000002D), ref: 0041D50C
GetKeyState.USER32(0000000D), ref: 0041D514
GetKeyState.USER32(00000027), ref: 0041D51C
GetKeyState.USER32(0000002D), ref: 0041D524
GetKeyState.USER32(0000000D), ref: 0041D52C
GetKeyState.USER32(00000027), ref: 0041D534
GetKeyState.USER32(0000002D), ref: 0041D53C
GetKeyState.USER32(0000000D), ref: 0041D544
GetKeyState.USER32(00000027), ref: 0041D54C
GetKeyState.USER32(0000002D), ref: 0041D554
GetKeyState.USER32(0000000D), ref: 0041D55C
GetKeyState.USER32(00000027), ref: 0041D564
GetKeyState.USER32(0000002D), ref: 0041D56C
GetKeyState.USER32(0000000D), ref: 0041D574
GetKeyState.USER32(00000027), ref: 0041D57C
GetKeyState.USER32(0000002D), ref: 0041D584
GetKeyState.USER32(0000000D), ref: 0041D58C
GetKeyState.USER32(00000027), ref: 0041D594
GetKeyState.USER32(0000002D), ref: 0041D59C
GetKeyState.USER32(0000000D), ref: 0041D5A4
GetKeyState.USER32(00000027), ref: 0041D5AC
GetKeyState.USER32(0000002D), ref: 0041D5B4
GetKeyState.USER32(0000000D), ref: 0041D5BC
GetKeyState.USER32(00000027), ref: 0041D5C4
GetKeyState.USER32(0000002D), ref: 0041D5CC
GetKeyState.USER32(0000000D), ref: 0041D5D4
GetKeyState.USER32(00000027), ref: 0041D5DC
GetKeyState.USER32(0000002D), ref: 0041D5E4
GetKeyState.USER32(0000000D), ref: 0041D5EC
GetKeyState.USER32(00000027), ref: 0041D5F4
GetKeyState.USER32(0000002D), ref: 0041D5FC
GetKeyState.USER32(0000000D), ref: 0041D604
GetKeyState.USER32(00000027), ref: 0041D60C
GetKeyState.USER32(0000002D), ref: 0041D614
GetKeyState.USER32(0000000D), ref: 0041D61C
GetKeyState.USER32(00000027), ref: 0041D624
GetKeyState.USER32(0000002D), ref: 0041D62C
GetKeyState.USER32(0000000D), ref: 0041D634
GetKeyState.USER32(00000027), ref: 0041D63C
GetKeyState.USER32(0000002D), ref: 0041D644
GetKeyState.USER32(0000000D), ref: 0041D64C
GetKeyState.USER32(00000027), ref: 0041D654
GetKeyState.USER32(0000002D), ref: 0041D65C
GetKeyState.USER32(0000000D), ref: 0041D664
GetKeyState.USER32(00000027), ref: 0041D66C
GetKeyState.USER32(0000002D), ref: 0041D674
GetKeyState.USER32(0000000D), ref: 0041D67C
GetKeyState.USER32(00000027), ref: 0041D684
GetKeyState.USER32(0000002D), ref: 0041D68C
GetKeyState.USER32(0000000D), ref: 0041D694
GetKeyState.USER32(00000027), ref: 0041D69C
GetKeyState.USER32(0000002D), ref: 0041D6A4
GetKeyState.USER32(0000000D), ref: 0041D6AC
GetKeyState.USER32(00000027), ref: 0041D6B4
GetKeyState.USER32(0000002D), ref: 0041D6BC
GetKeyState.USER32(0000000D), ref: 0041D6C4
GetKeyState.USER32(00000027), ref: 0041D6CC
GetKeyState.USER32(0000002D), ref: 0041D6D4
GetKeyState.USER32(0000000D), ref: 0041D6DC
GetKeyState.USER32(00000027), ref: 0041D6E4
GetKeyState.USER32(0000002D), ref: 0041D6EC
GetKeyState.USER32(0000000D), ref: 0041D6F4
GetKeyState.USER32(00000027), ref: 0041D6FC
GetKeyState.USER32(0000002D), ref: 0041D704
GetKeyState.USER32(0000000D), ref: 0041D70C
GetKeyState.USER32(00000027), ref: 0041D714
GetKeyState.USER32(0000002D), ref: 0041D71C
GetKeyState.USER32(0000000D), ref: 0041D724
GetKeyState.USER32(00000027), ref: 0041D72C
GetKeyState.USER32(0000002D), ref: 0041D734
GetKeyState.USER32(0000000D), ref: 0041D73C
GetKeyState.USER32(00000027), ref: 0041D744
GetKeyState.USER32(0000002D), ref: 0041D74C
GetKeyState.USER32(0000000D), ref: 0041D754
GetKeyState.USER32(00000027), ref: 0041D75C
GetKeyState.USER32(0000002D), ref: 0041D764
GetKeyState.USER32(0000000D), ref: 0041D76C
GetKeyState.USER32(00000027), ref: 0041D774
GetKeyState.USER32(0000002D), ref: 0041D77C
GetKeyState.USER32(0000000D), ref: 0041D784
GetKeyState.USER32(00000027), ref: 0041D78C
GetKeyState.USER32(0000002D), ref: 0041D794
GetKeyState.USER32(0000000D), ref: 0041D79C
GetKeyState.USER32(00000027), ref: 0041D7A4
GetKeyState.USER32(0000002D), ref: 0041D7AC
GetKeyState.USER32(0000000D), ref: 0041D7B4
GetKeyState.USER32(00000027), ref: 0041D7BC
GetKeyState.USER32(0000002D), ref: 0041D7C4
GetKeyState.USER32(0000000D), ref: 0041D7CC
GetKeyState.USER32(00000027), ref: 0041D7D4
GetKeyState.USER32(0000002D), ref: 0041D7DC
GetKeyState.USER32(0000000D), ref: 0041D7E4
GetKeyState.USER32(00000027), ref: 0041D7EC
GetKeyState.USER32(0000002D), ref: 0041D7F4
GetKeyState.USER32(0000000D), ref: 0041D7FC
GetKeyState.USER32(00000027), ref: 0041D804
GetKeyState.USER32(0000002D), ref: 0041D80C
GetKeyState.USER32(0000000D), ref: 0041D814
GetKeyState.USER32(00000027), ref: 0041D81C
GetKeyState.USER32(0000002D), ref: 0041D824
GetKeyState.USER32(0000000D), ref: 0041D82C
GetKeyState.USER32(00000027), ref: 0041D834
GetKeyState.USER32(0000002D), ref: 0041D83C
GetKeyState.USER32(0000000D), ref: 0041D844
GetKeyState.USER32(00000027), ref: 0041D84C
GetKeyState.USER32(0000002D), ref: 0041D854
GetKeyState.USER32(0000000D), ref: 0041D85C
GetKeyState.USER32(00000027), ref: 0041D864
GetKeyState.USER32(0000002D), ref: 0041D86C
GetKeyState.USER32(0000000D), ref: 0041D874
GetKeyState.USER32(00000027), ref: 0041D87C
GetKeyState.USER32(0000002D), ref: 0041D884
GetKeyState.USER32(0000000D), ref: 0041D88C
GetKeyState.USER32(00000027), ref: 0041D894
GetKeyState.USER32(0000002D), ref: 0041D89C
GetKeyState.USER32(0000000D), ref: 0041D8A4
GetKeyState.USER32(00000027), ref: 0041D8AC
GetKeyState.USER32(0000002D), ref: 0041D8B4
GetKeyState.USER32(0000000D), ref: 0041D8BC
GetKeyState.USER32(00000027), ref: 0041D8C4
GetKeyState.USER32(0000002D), ref: 0041D8CC
GetKeyState.USER32(0000000D), ref: 0041D8D4
GetKeyState.USER32(00000027), ref: 0041D8DC
GetKeyState.USER32(0000002D), ref: 0041D8E4
GetKeyState.USER32(0000000D), ref: 0041D8EC
GetKeyState.USER32(00000027), ref: 0041D8F4
GetKeyState.USER32(0000002D), ref: 0041D8FC
GetKeyState.USER32(0000000D), ref: 0041D904
GetKeyState.USER32(00000027), ref: 0041D90C
GetKeyState.USER32(0000002D), ref: 0041D914
GetKeyState.USER32(0000000D), ref: 0041D91C
GetKeyState.USER32(00000027), ref: 0041D924
GetKeyState.USER32(0000002D), ref: 0041D92C
GetKeyState.USER32(0000000D), ref: 0041D934
GetKeyState.USER32(00000027), ref: 0041D93C
GetKeyState.USER32(0000002D), ref: 0041D944
GetKeyState.USER32(0000000D), ref: 0041D94C
GetKeyState.USER32(00000027), ref: 0041D954
GetKeyState.USER32(0000002D), ref: 0041D95C
GetKeyState.USER32(0000000D), ref: 0041D964
GetKeyState.USER32(00000027), ref: 0041D96C
GetKeyState.USER32(0000002D), ref: 0041D974
GetKeyState.USER32(0000000D), ref: 0041D97C
GetKeyState.USER32(00000027), ref: 0041D984
GetKeyState.USER32(0000002D), ref: 0041D98C
GetKeyState.USER32(0000000D), ref: 0041D994
GetKeyState.USER32(00000027), ref: 0041D99C
GetKeyState.USER32(0000002D), ref: 0041D9A4
GetKeyState.USER32(0000000D), ref: 0041D9AC
GetKeyState.USER32(00000027), ref: 0041D9B4
GetKeyState.USER32(0000002D), ref: 0041D9BC
GetKeyState.USER32(0000000D), ref: 0041D9C4
GetKeyState.USER32(00000027), ref: 0041D9CC
GetKeyState.USER32(0000002D), ref: 0041D9D4
GetKeyState.USER32(0000000D), ref: 0041D9DC
GetKeyState.USER32(00000027), ref: 0041D9E4
GetKeyState.USER32(0000002D), ref: 0041D9EC
GetKeyState.USER32(0000000D), ref: 0041D9F4
GetKeyState.USER32(00000027), ref: 0041D9FC
GetKeyState.USER32(0000002D), ref: 0041DA04
GetKeyState.USER32(0000000D), ref: 0041DA0C
GetKeyState.USER32(00000027), ref: 0041DA14
GetKeyState.USER32(0000002D), ref: 0041DA1C
GetKeyState.USER32(0000000D), ref: 0041DA24
GetKeyState.USER32(00000027), ref: 0041DA2C
GetKeyState.USER32(0000002D), ref: 0041DA34
GetKeyState.USER32(0000000D), ref: 0041DA3C
GetKeyState.USER32(00000027), ref: 0041DA44
GetKeyState.USER32(0000002D), ref: 0041DA4C
GetKeyState.USER32(0000000D), ref: 0041DA54
GetKeyState.USER32(00000027), ref: 0041DA5C
GetKeyState.USER32(0000002D), ref: 0041DA64
GetKeyState.USER32(0000000D), ref: 0041DA6C
GetKeyState.USER32(00000027), ref: 0041DA74
GetKeyState.USER32(0000002D), ref: 0041DA7C
GetKeyState.USER32(0000000D), ref: 0041DA84
GetKeyState.USER32(00000027), ref: 0041DA8C
GetKeyState.USER32(0000002D), ref: 0041DA94
GetKeyState.USER32(0000000D), ref: 0041DA9C
GetKeyState.USER32(00000027), ref: 0041DAA4
GetKeyState.USER32(0000002D), ref: 0041DAAC
GetKeyState.USER32(0000000D), ref: 0041DAB4
GetKeyState.USER32(00000027), ref: 0041DABC
GetKeyState.USER32(0000002D), ref: 0041DAC4
GetKeyState.USER32(0000000D), ref: 0041DACC
GetKeyState.USER32(00000027), ref: 0041DAD4
GetKeyState.USER32(0000002D), ref: 0041DADC
GetKeyState.USER32(0000000D), ref: 0041DAE4
GetKeyState.USER32(00000027), ref: 0041DAEC
GetKeyState.USER32(0000002D), ref: 0041DAF4
GetKeyState.USER32(0000000D), ref: 0041DAFC
GetKeyState.USER32(00000027), ref: 0041DB04
GetKeyState.USER32(0000002D), ref: 0041DB0C
GetKeyState.USER32(0000000D), ref: 0041DB14
GetKeyState.USER32(00000027), ref: 0041DB1C
GetKeyState.USER32(0000002D), ref: 0041DB24
GetKeyState.USER32(0000000D), ref: 0041DB2C
GetKeyState.USER32(00000027), ref: 0041DB34
GetKeyState.USER32(0000002D), ref: 0041DB3C
GetKeyState.USER32(0000000D), ref: 0041DB44
GetKeyState.USER32(00000027), ref: 0041DB4C
GetKeyState.USER32(0000002D), ref: 0041DB54
GetKeyState.USER32(0000000D), ref: 0041DB5C
GetKeyState.USER32(00000027), ref: 0041DB64
GetKeyState.USER32(0000002D), ref: 0041DB6C
GetKeyState.USER32(0000000D), ref: 0041DB74
GetKeyState.USER32(00000027), ref: 0041DB7C
GetKeyState.USER32(0000002D), ref: 0041DB84
GetKeyState.USER32(0000000D), ref: 0041DB8C
GetKeyState.USER32(00000027), ref: 0041DB94
GetKeyState.USER32(0000002D), ref: 0041DB9C
GetKeyState.USER32(0000000D), ref: 0041DBA4
GetKeyState.USER32(00000027), ref: 0041DBAC
GetKeyState.USER32(0000002D), ref: 0041DBB4
GetKeyState.USER32(0000000D), ref: 0041DBBC
GetKeyState.USER32(00000027), ref: 0041DBC4
GetKeyState.USER32(0000002D), ref: 0041DBCC
GetKeyState.USER32(0000000D), ref: 0041DBD4
GetKeyState.USER32(00000027), ref: 0041DBDC
GetKeyState.USER32(0000002D), ref: 0041DBE4
GetKeyState.USER32(0000000D), ref: 0041DBEC
GetKeyState.USER32(00000027), ref: 0041DBF4
GetKeyState.USER32(0000002D), ref: 0041DBFC
GetKeyState.USER32(0000000D), ref: 0041DC04
GetKeyState.USER32(00000027), ref: 0041DC0C
GetKeyState.USER32(0000002D), ref: 0041DC14
GetKeyState.USER32(0000000D), ref: 0041DC1C
GetKeyState.USER32(00000027), ref: 0041DC24
GetKeyState.USER32(0000002D), ref: 0041DC2C
GetKeyState.USER32(0000000D), ref: 0041DC34
GetKeyState.USER32(00000027), ref: 0041DC3C
GetKeyState.USER32(0000002D), ref: 0041DC44
GetKeyState.USER32(0000000D), ref: 0041DC4C
GetKeyState.USER32(00000027), ref: 0041DC54
GetKeyState.USER32(0000002D), ref: 0041DC5C
GetKeyState.USER32(0000000D), ref: 0041DC64
GetKeyState.USER32(00000027), ref: 0041DC6C
GetKeyState.USER32(0000002D), ref: 0041DC74
GetKeyState.USER32(0000000D), ref: 0041DC7C
GetKeyState.USER32(00000027), ref: 0041DC84
GetKeyState.USER32(0000002D), ref: 0041DC8C
GetKeyState.USER32(0000000D), ref: 0041DC94
GetKeyState.USER32(00000027), ref: 0041DC9C
GetKeyState.USER32(0000002D), ref: 0041DCA4
GetKeyState.USER32(0000000D), ref: 0041DCAC
GetKeyState.USER32(00000027), ref: 0041DCB4
GetKeyState.USER32(0000002D), ref: 0041DCBC
GetKeyState.USER32(0000000D), ref: 0041DCC4
GetKeyState.USER32(00000027), ref: 0041DCCC
GetKeyState.USER32(0000002D), ref: 0041DCD4
GetKeyState.USER32(0000000D), ref: 0041DCDC
GetKeyState.USER32(00000027), ref: 0041DCE4
GetKeyState.USER32(0000002D), ref: 0041DCEC
GetKeyState.USER32(0000000D), ref: 0041DCF4
GetKeyState.USER32(00000027), ref: 0041DCFC
GetKeyState.USER32(0000002D), ref: 0041DD04
GetKeyState.USER32(0000000D), ref: 0041DD0C
GetKeyState.USER32(00000027), ref: 0041DD14
GetKeyState.USER32(0000002D), ref: 0041DD1C
GetKeyState.USER32(0000000D), ref: 0041DD24
GetKeyState.USER32(00000027), ref: 0041DD2C
GetKeyState.USER32(0000002D), ref: 0041DD34
GetKeyState.USER32(0000000D), ref: 0041DD3C
GetKeyState.USER32(00000027), ref: 0041DD44
GetKeyState.USER32(0000002D), ref: 0041DD4C
GetKeyState.USER32(0000000D), ref: 0041DD54
GetKeyState.USER32(00000027), ref: 0041DD5C
GetKeyState.USER32(0000002D), ref: 0041DD64
GetKeyState.USER32(0000000D), ref: 0041DD6C
GetKeyState.USER32(00000027), ref: 0041DD74
GetKeyState.USER32(0000002D), ref: 0041DD7C
GetKeyState.USER32(0000000D), ref: 0041DD84
GetKeyState.USER32(00000027), ref: 0041DD8C
GetKeyState.USER32(0000002D), ref: 0041DD94
GetKeyState.USER32(0000000D), ref: 0041DD9C
GetKeyState.USER32(00000027), ref: 0041DDA4
GetKeyState.USER32(0000002D), ref: 0041DDAC
GetKeyState.USER32(0000000D), ref: 0041DDB4
GetKeyState.USER32(00000027), ref: 0041DDBC
GetKeyState.USER32(0000002D), ref: 0041DDC4
GetKeyState.USER32(0000000D), ref: 0041DDCC
GetKeyState.USER32(00000027), ref: 0041DDD4
GetKeyState.USER32(0000002D), ref: 0041DDDC
GetKeyState.USER32(0000000D), ref: 0041DDE4
GetKeyState.USER32(00000027), ref: 0041DDEC
GetKeyState.USER32(0000002D), ref: 0041DDF4
GetKeyState.USER32(0000000D), ref: 0041DDFC
GetKeyState.USER32(00000027), ref: 0041DE04
GetKeyState.USER32(0000002D), ref: 0041DE0C
GetKeyState.USER32(0000000D), ref: 0041DE14
GetKeyState.USER32(00000027), ref: 0041DE1C
GetKeyState.USER32(0000002D), ref: 0041DE24
GetKeyState.USER32(0000000D), ref: 0041DE2C
GetKeyState.USER32(00000027), ref: 0041DE34
GetKeyState.USER32(0000002D), ref: 0041DE3C
GetKeyState.USER32(0000000D), ref: 0041DE44
GetKeyState.USER32(00000027), ref: 0041DE4C
GetKeyState.USER32(0000002D), ref: 0041DE54
GetKeyState.USER32(0000000D), ref: 0041DE5C
GetKeyState.USER32(00000027), ref: 0041DE64
GetKeyState.USER32(0000002D), ref: 0041DE6C
GetKeyState.USER32(0000000D), ref: 0041DE74
GetKeyState.USER32(00000027), ref: 0041DE7C
GetKeyState.USER32(0000002D), ref: 0041DE84
GetKeyState.USER32(0000000D), ref: 0041DE8C
GetKeyState.USER32(00000027), ref: 0041DE94
GetKeyState.USER32(0000002D), ref: 0041DE9C
GetKeyState.USER32(0000000D), ref: 0041DEA4
GetKeyState.USER32(00000027), ref: 0041DEAC
GetKeyState.USER32(0000002D), ref: 0041DEB4
GetKeyState.USER32(0000000D), ref: 0041DEBC
GetKeyState.USER32(00000027), ref: 0041DEC4
GetKeyState.USER32(0000002D), ref: 0041DECC
GetKeyState.USER32(0000000D), ref: 0041DED4
GetKeyState.USER32(00000027), ref: 0041DEDC
GetKeyState.USER32(0000002D), ref: 0041DEE4
GetKeyState.USER32(0000000D), ref: 0041DEEC
GetKeyState.USER32(00000027), ref: 0041DEF4
GetKeyState.USER32(0000002D), ref: 0041DEFC
GetKeyState.USER32(0000000D), ref: 0041DF04
GetKeyState.USER32(00000027), ref: 0041DF0C
GetKeyState.USER32(0000002D), ref: 0041DF14
GetKeyState.USER32(0000000D), ref: 0041DF1C
GetKeyState.USER32(00000027), ref: 0041DF24
GetKeyState.USER32(0000002D), ref: 0041DF2C
GetKeyState.USER32(0000000D), ref: 0041DF34
GetKeyState.USER32(00000027), ref: 0041DF3C
GetKeyState.USER32(0000002D), ref: 0041DF44
GetKeyState.USER32(0000000D), ref: 0041DF4C
GetKeyState.USER32(00000027), ref: 0041DF54
GetKeyState.USER32(0000002D), ref: 0041DF5C
GetKeyState.USER32(0000000D), ref: 0041DF64
GetKeyState.USER32(00000027), ref: 0041DF6C
GetKeyState.USER32(0000002D), ref: 0041DF74
GetKeyState.USER32(0000000D), ref: 0041DF7C
GetKeyState.USER32(00000027), ref: 0041DF84
GetKeyState.USER32(0000002D), ref: 0041DF8C
GetKeyState.USER32(0000000D), ref: 0041DF94
GetKeyState.USER32(00000027), ref: 0041DF9C
GetKeyState.USER32(0000002D), ref: 0041DFA4
GetKeyState.USER32(0000000D), ref: 0041DFAC
GetKeyState.USER32(00000027), ref: 0041DFB4
GetKeyState.USER32(0000002D), ref: 0041DFBC
GetKeyState.USER32(0000000D), ref: 0041DFC4
GetKeyState.USER32(00000027), ref: 0041DFCC
GetKeyState.USER32(0000002D), ref: 0041DFD4
GetKeyState.USER32(0000000D), ref: 0041DFDC
GetKeyState.USER32(00000027), ref: 0041DFE4
GetKeyState.USER32(0000002D), ref: 0041DFEC
GetKeyState.USER32(0000000D), ref: 0041DFF4
GetKeyState.USER32(00000027), ref: 0041DFFC
GetKeyState.USER32(0000002D), ref: 0041E004
GetKeyState.USER32(0000000D), ref: 0041E00C
GetKeyState.USER32(00000027), ref: 0041E014
GetKeyState.USER32(0000002D), ref: 0041E01C
GetKeyState.USER32(0000000D), ref: 0041E024
GetKeyState.USER32(00000027), ref: 0041E02C
GetKeyState.USER32(0000002D), ref: 0041E034
GetKeyState.USER32(0000000D), ref: 0041E03C
GetKeyState.USER32(00000027), ref: 0041E044
GetKeyState.USER32(0000002D), ref: 0041E04C
GetKeyState.USER32(0000000D), ref: 0041E054
GetKeyState.USER32(00000027), ref: 0041E05C
GetKeyState.USER32(0000002D), ref: 0041E064
GetKeyState.USER32(0000000D), ref: 0041E06C
GetKeyState.USER32(00000027), ref: 0041E074
GetKeyState.USER32(0000002D), ref: 0041E07C
GetKeyState.USER32(0000000D), ref: 0041E084
GetKeyState.USER32(00000027), ref: 0041E08C
GetKeyState.USER32(0000002D), ref: 0041E094
GetKeyState.USER32(0000000D), ref: 0041E09C
GetKeyState.USER32(00000027), ref: 0041E0A4
GetKeyState.USER32(0000002D), ref: 0041E0AC
GetKeyState.USER32(0000000D), ref: 0041E0B4
GetKeyState.USER32(00000027), ref: 0041E0BC
GetKeyState.USER32(0000002D), ref: 0041E0C4
GetKeyState.USER32(0000000D), ref: 0041E0CC
GetKeyState.USER32(00000027), ref: 0041E0D4
GetKeyState.USER32(0000002D), ref: 0041E0DC
GetKeyState.USER32(0000000D), ref: 0041E0E4
GetKeyState.USER32(00000027), ref: 0041E0EC
GetKeyState.USER32(0000002D), ref: 0041E0F4
GetKeyState.USER32(0000000D), ref: 0041E0FC
GetKeyState.USER32(00000027), ref: 0041E104
GetKeyState.USER32(0000002D), ref: 0041E10C
GetKeyState.USER32(0000000D), ref: 0041E114
GetKeyState.USER32(00000027), ref: 0041E11C
GetKeyState.USER32(0000002D), ref: 0041E124
GetKeyState.USER32(0000000D), ref: 0041E12C
GetKeyState.USER32(00000027), ref: 0041E134
GetKeyState.USER32(0000002D), ref: 0041E13C
GetKeyState.USER32(0000000D), ref: 0041E144
GetKeyState.USER32(00000027), ref: 0041E14C
GetKeyState.USER32(0000002D), ref: 0041E154
GetKeyState.USER32(0000000D), ref: 0041E15C
GetKeyState.USER32(00000027), ref: 0041E164
GetKeyState.USER32(0000002D), ref: 0041E16C
GetKeyState.USER32(0000000D), ref: 0041E174
GetKeyState.USER32(00000027), ref: 0041E17C
GetKeyState.USER32(0000002D), ref: 0041E184
GetKeyState.USER32(0000000D), ref: 0041E18C
GetKeyState.USER32(00000027), ref: 0041E194
GetKeyState.USER32(0000002D), ref: 0041E19C
GetKeyState.USER32(0000000D), ref: 0041E1A4
GetKeyState.USER32(00000027), ref: 0041E1AC
GetKeyState.USER32(0000002D), ref: 0041E1B4
GetKeyState.USER32(0000000D), ref: 0041E1BC
GetKeyState.USER32(00000027), ref: 0041E1C4
GetKeyState.USER32(0000002D), ref: 0041E1CC
GetKeyState.USER32(0000000D), ref: 0041E1D4
GetKeyState.USER32(00000027), ref: 0041E1DC
GetKeyState.USER32(0000002D), ref: 0041E1E4
GetKeyState.USER32(0000000D), ref: 0041E1EC
GetKeyState.USER32(00000027), ref: 0041E1F4
GetKeyState.USER32(0000002D), ref: 0041E1FC
GetKeyState.USER32(0000000D), ref: 0041E204
GetKeyState.USER32(00000027), ref: 0041E20C
GetKeyState.USER32(0000002D), ref: 0041E214
GetKeyState.USER32(0000000D), ref: 0041E21C
GetKeyState.USER32(00000027), ref: 0041E224
GetKeyState.USER32(0000002D), ref: 0041E22C
GetKeyState.USER32(0000000D), ref: 0041E234
GetKeyState.USER32(00000027), ref: 0041E23C
GetKeyState.USER32(0000002D), ref: 0041E244
GetKeyState.USER32(0000000D), ref: 0041E24C
GetKeyState.USER32(00000027), ref: 0041E254
GetKeyState.USER32(0000002D), ref: 0041E25C
GetKeyState.USER32(0000000D), ref: 0041E264
GetKeyState.USER32(00000027), ref: 0041E26C
GetKeyState.USER32(0000002D), ref: 0041E274
GetKeyState.USER32(0000000D), ref: 0041E27C
GetKeyState.USER32(00000027), ref: 0041E284
GetKeyState.USER32(0000002D), ref: 0041E28C
GetKeyState.USER32(0000000D), ref: 0041E294
GetKeyState.USER32(00000027), ref: 0041E29C
GetKeyState.USER32(0000002D), ref: 0041E2A4
GetKeyState.USER32(0000000D), ref: 0041E2AC
GetKeyState.USER32(00000027), ref: 0041E2B4
GetKeyState.USER32(0000002D), ref: 0041E2BC
GetKeyState.USER32(0000000D), ref: 0041E2C4
GetKeyState.USER32(00000027), ref: 0041E2CC
GetKeyState.USER32(0000002D), ref: 0041E2D4
GetKeyState.USER32(0000000D), ref: 0041E2DC
GetKeyState.USER32(00000027), ref: 0041E2E4
GetKeyState.USER32(0000002D), ref: 0041E2EC
GetKeyState.USER32(0000000D), ref: 0041E2F4
GetKeyState.USER32(00000027), ref: 0041E2FC
GetKeyState.USER32(0000002D), ref: 0041E304
GetKeyState.USER32(0000000D), ref: 0041E30C
GetKeyState.USER32(00000027), ref: 0041E314
GetKeyState.USER32(0000002D), ref: 0041E31C
GetKeyState.USER32(0000000D), ref: 0041E324
GetKeyState.USER32(00000027), ref: 0041E32C
GetKeyState.USER32(0000002D), ref: 0041E334
GetKeyState.USER32(0000000D), ref: 0041E33C
GetKeyState.USER32(00000027), ref: 0041E344
GetKeyState.USER32(0000002D), ref: 0041E34C
GetKeyState.USER32(0000000D), ref: 0041E354
GetKeyState.USER32(00000027), ref: 0041E35C
GetKeyState.USER32(0000002D), ref: 0041E364
GetKeyState.USER32(0000000D), ref: 0041E36C
GetKeyState.USER32(00000027), ref: 0041E374
GetKeyState.USER32(0000002D), ref: 0041E37C
GetKeyState.USER32(0000000D), ref: 0041E384
GetKeyState.USER32(00000027), ref: 0041E38C
GetKeyState.USER32(0000002D), ref: 0041E394
GetKeyState.USER32(0000000D), ref: 0041E39C
GetKeyState.USER32(00000027), ref: 0041E3A4
GetKeyState.USER32(0000002D), ref: 0041E3AC
GetKeyState.USER32(0000000D), ref: 0041E3B4
GetKeyState.USER32(00000027), ref: 0041E3BC
GetKeyState.USER32(0000002D), ref: 0041E3C4
GetKeyState.USER32(0000000D), ref: 0041E3CC
GetKeyState.USER32(00000027), ref: 0041E3D4
GetKeyState.USER32(0000002D), ref: 0041E3DC
GetKeyState.USER32(0000000D), ref: 0041E3E4
GetKeyState.USER32(00000027), ref: 0041E3EC
GetKeyState.USER32(0000002D), ref: 0041E3F4
GetKeyState.USER32(0000000D), ref: 0041E3FC
GetKeyState.USER32(00000027), ref: 0041E404
GetKeyState.USER32(0000002D), ref: 0041E40C
GetKeyState.USER32(0000000D), ref: 0041E414
GetKeyState.USER32(00000027), ref: 0041E41C
GetKeyState.USER32(0000002D), ref: 0041E424
GetKeyState.USER32(0000000D), ref: 0041E42C
GetKeyState.USER32(00000027), ref: 0041E434
GetKeyState.USER32(0000002D), ref: 0041E43C
GetKeyState.USER32(0000000D), ref: 0041E444
GetKeyState.USER32(00000027), ref: 0041E44C
GetKeyState.USER32(0000002D), ref: 0041E454
GetKeyState.USER32(0000000D), ref: 0041E45C
GetKeyState.USER32(00000027), ref: 0041E464
GetKeyState.USER32(0000002D), ref: 0041E46C
GetKeyState.USER32(0000000D), ref: 0041E474
GetKeyState.USER32(00000027), ref: 0041E47C
GetKeyState.USER32(0000002D), ref: 0041E484
GetKeyState.USER32(0000000D), ref: 0041E48C
GetKeyState.USER32(00000027), ref: 0041E494
GetKeyState.USER32(0000002D), ref: 0041E49C
GetKeyState.USER32(0000000D), ref: 0041E4A4
GetKeyState.USER32(00000027), ref: 0041E4AC
GetKeyState.USER32(0000002D), ref: 0041E4B4
GetKeyState.USER32(0000000D), ref: 0041E4BC
GetKeyState.USER32(00000027), ref: 0041E4C4
GetKeyState.USER32(0000002D), ref: 0041E4CC
GetKeyState.USER32(0000000D), ref: 0041E4D4
GetKeyState.USER32(00000027), ref: 0041E4DC
GetKeyState.USER32(0000002D), ref: 0041E4E4
GetKeyState.USER32(0000000D), ref: 0041E4EC
GetKeyState.USER32(00000027), ref: 0041E4F4
GetKeyState.USER32(0000002D), ref: 0041E4FC
GetKeyState.USER32(0000000D), ref: 0041E504
GetKeyState.USER32(00000027), ref: 0041E50C
GetKeyState.USER32(0000002D), ref: 0041E514
GetKeyState.USER32(0000000D), ref: 0041E51C
GetKeyState.USER32(00000027), ref: 0041E524
GetKeyState.USER32(0000002D), ref: 0041E52C
GetKeyState.USER32(0000000D), ref: 0041E534
GetKeyState.USER32(00000027), ref: 0041E53C
GetKeyState.USER32(0000002D), ref: 0041E544
GetKeyState.USER32(0000000D), ref: 0041E54C
GetKeyState.USER32(00000027), ref: 0041E554
GetKeyState.USER32(0000002D), ref: 0041E55C
GetKeyState.USER32(0000000D), ref: 0041E564
GetKeyState.USER32(00000027), ref: 0041E56C
GetKeyState.USER32(0000002D), ref: 0041E574
GetKeyState.USER32(0000000D), ref: 0041E57C
GetKeyState.USER32(00000027), ref: 0041E584
GetKeyState.USER32(0000002D), ref: 0041E58C
GetKeyState.USER32(0000000D), ref: 0041E594
GetKeyState.USER32(00000027), ref: 0041E59C
GetKeyState.USER32(0000002D), ref: 0041E5A4
GetKeyState.USER32(0000000D), ref: 0041E5AC
GetKeyState.USER32(00000027), ref: 0041E5B4
GetKeyState.USER32(0000002D), ref: 0041E5BC
GetKeyState.USER32(0000000D), ref: 0041E5C4
GetKeyState.USER32(00000027), ref: 0041E5CC
GetKeyState.USER32(0000002D), ref: 0041E5D4
GetKeyState.USER32(0000000D), ref: 0041E5DC
GetKeyState.USER32(00000027), ref: 0041E5E4
GetKeyState.USER32(0000002D), ref: 0041E5EC
GetKeyState.USER32(0000000D), ref: 0041E5F4
GetKeyState.USER32(00000027), ref: 0041E5FC
GetKeyState.USER32(0000002D), ref: 0041E604
GetKeyState.USER32(0000000D), ref: 0041E60C
GetKeyState.USER32(00000027), ref: 0041E614
GetKeyState.USER32(0000002D), ref: 0041E61C
GetKeyState.USER32(0000000D), ref: 0041E624
GetKeyState.USER32(00000027), ref: 0041E62C
GetKeyState.USER32(0000002D), ref: 0041E634
GetKeyState.USER32(0000000D), ref: 0041E63C
GetKeyState.USER32(00000027), ref: 0041E644
GetKeyState.USER32(0000002D), ref: 0041E64C
GetKeyState.USER32(0000000D), ref: 0041E654
GetKeyState.USER32(00000027), ref: 0041E65C
GetKeyState.USER32(0000002D), ref: 0041E664
GetKeyState.USER32(0000000D), ref: 0041E66C
GetKeyState.USER32(00000027), ref: 0041E674
GetKeyState.USER32(0000002D), ref: 0041E67C
GetKeyState.USER32(0000000D), ref: 0041E684
GetKeyState.USER32(00000027), ref: 0041E68C
GetKeyState.USER32(0000002D), ref: 0041E694
GetKeyState.USER32(0000000D), ref: 0041E69C
GetKeyState.USER32(00000027), ref: 0041E6A4
GetKeyState.USER32(0000002D), ref: 0041E6AC
GetKeyState.USER32(0000000D), ref: 0041E6B4
GetKeyState.USER32(00000027), ref: 0041E6BC
GetKeyState.USER32(0000002D), ref: 0041E6C4
GetKeyState.USER32(0000000D), ref: 0041E6CC
GetKeyState.USER32(00000027), ref: 0041E6D4
GetKeyState.USER32(0000002D), ref: 0041E6DC
GetKeyState.USER32(0000000D), ref: 0041E6E4
GetKeyState.USER32(00000027), ref: 0041E6EC
GetKeyState.USER32(0000002D), ref: 0041E6F4
GetKeyState.USER32(0000000D), ref: 0041E6FC
GetKeyState.USER32(00000027), ref: 0041E704
GetKeyState.USER32(0000002D), ref: 0041E70C
GetKeyState.USER32(0000000D), ref: 0041E714
GetKeyState.USER32(00000027), ref: 0041E71C
GetKeyState.USER32(0000002D), ref: 0041E724
GetKeyState.USER32(0000000D), ref: 0041E72C
GetKeyState.USER32(00000027), ref: 0041E734
GetKeyState.USER32(0000002D), ref: 0041E73C
GetKeyState.USER32(0000000D), ref: 0041E744
GetKeyState.USER32(00000027), ref: 0041E74C
GetKeyState.USER32(0000002D), ref: 0041E754
GetKeyState.USER32(0000000D), ref: 0041E75C
GetKeyState.USER32(00000027), ref: 0041E764
GetKeyState.USER32(0000002D), ref: 0041E76C
GetKeyState.USER32(0000000D), ref: 0041E774
GetKeyState.USER32(00000027), ref: 0041E77C
GetKeyState.USER32(0000002D), ref: 0041E784
GetKeyState.USER32(0000000D), ref: 0041E78C
GetKeyState.USER32(00000027), ref: 0041E794
GetKeyState.USER32(0000002D), ref: 0041E79C
GetKeyState.USER32(0000000D), ref: 0041E7A4
GetKeyState.USER32(00000027), ref: 0041E7AC
GetKeyState.USER32(0000002D), ref: 0041E7B4
GetKeyState.USER32(0000000D), ref: 0041E7BC
GetKeyState.USER32(00000027), ref: 0041E7C4
GetKeyState.USER32(0000002D), ref: 0041E7CC
GetKeyState.USER32(0000000D), ref: 0041E7D4
GetKeyState.USER32(00000027), ref: 0041E7DC
GetKeyState.USER32(0000002D), ref: 0041E7E4
GetKeyState.USER32(0000000D), ref: 0041E7EC
GetKeyState.USER32(00000027), ref: 0041E7F4
GetKeyState.USER32(0000002D), ref: 0041E7FC
GetKeyState.USER32(0000000D), ref: 0041E804
GetKeyState.USER32(00000027), ref: 0041E80C
GetKeyState.USER32(0000002D), ref: 0041E814
GetKeyState.USER32(0000000D), ref: 0041E81C
GetKeyState.USER32(00000027), ref: 0041E824
GetKeyState.USER32(0000002D), ref: 0041E82C
GetKeyState.USER32(0000000D), ref: 0041E834
GetKeyState.USER32(00000027), ref: 0041E83C
GetKeyState.USER32(0000002D), ref: 0041E844
GetKeyState.USER32(0000000D), ref: 0041E84C
GetKeyState.USER32(00000027), ref: 0041E854
GetKeyState.USER32(0000002D), ref: 0041E85C
GetKeyState.USER32(0000000D), ref: 0041E864
GetKeyState.USER32(00000027), ref: 0041E86C
GetKeyState.USER32(0000002D), ref: 0041E874
GetKeyState.USER32(0000000D), ref: 0041E87C
GetKeyState.USER32(00000027), ref: 0041E884
GetKeyState.USER32(0000002D), ref: 0041E88C
GetKeyState.USER32(0000000D), ref: 0041E894
GetKeyState.USER32(00000027), ref: 0041E89C
GetKeyState.USER32(0000002D), ref: 0041E8A4
GetKeyState.USER32(0000000D), ref: 0041E8AC
GetKeyState.USER32(00000027), ref: 0041E8B4
GetKeyState.USER32(0000002D), ref: 0041E8BC
GetKeyState.USER32(0000000D), ref: 0041E8C4
GetKeyState.USER32(00000027), ref: 0041E8CC
GetKeyState.USER32(0000002D), ref: 0041E8D4
GetKeyState.USER32(0000000D), ref: 0041E8DC
GetKeyState.USER32(00000027), ref: 0041E8E4
GetKeyState.USER32(0000002D), ref: 0041E8EC
GetKeyState.USER32(0000000D), ref: 0041E8F4
GetKeyState.USER32(00000027), ref: 0041E8FC
GetKeyState.USER32(0000002D), ref: 0041E904
GetKeyState.USER32(0000000D), ref: 0041E90C
GetKeyState.USER32(00000027), ref: 0041E914
GetKeyState.USER32(0000002D), ref: 0041E91C
GetKeyState.USER32(0000000D), ref: 0041E924
GetKeyState.USER32(00000027), ref: 0041E92C
GetKeyState.USER32(0000002D), ref: 0041E934
GetKeyState.USER32(0000000D), ref: 0041E93C
GetKeyState.USER32(00000027), ref: 0041E944
GetKeyState.USER32(0000002D), ref: 0041E94C
GetKeyState.USER32(0000000D), ref: 0041E954
GetKeyState.USER32(00000027), ref: 0041E95C
GetKeyState.USER32(0000002D), ref: 0041E964
GetKeyState.USER32(0000000D), ref: 0041E96C
GetKeyState.USER32(00000027), ref: 0041E974
GetKeyState.USER32(0000002D), ref: 0041E97C
GetKeyState.USER32(0000000D), ref: 0041E984
GetKeyState.USER32(00000027), ref: 0041E98C
GetKeyState.USER32(0000002D), ref: 0041E994
GetKeyState.USER32(0000000D), ref: 0041E99C
GetKeyState.USER32(00000027), ref: 0041E9A4
GetKeyState.USER32(0000002D), ref: 0041E9AC
GetKeyState.USER32(0000000D), ref: 0041E9B4
GetKeyState.USER32(00000027), ref: 0041E9BC
GetKeyState.USER32(0000002D), ref: 0041E9C4
GetKeyState.USER32(0000000D), ref: 0041E9CC
GetKeyState.USER32(00000027), ref: 0041E9D4
GetKeyState.USER32(0000002D), ref: 0041E9DC
GetKeyState.USER32(0000000D), ref: 0041E9E4
GetKeyState.USER32(00000027), ref: 0041E9EC
GetKeyState.USER32(0000002D), ref: 0041E9F4
GetKeyState.USER32(0000000D), ref: 0041E9FC
GetKeyState.USER32(00000027), ref: 0041EA04
GetKeyState.USER32(0000002D), ref: 0041EA0C
GetKeyState.USER32(0000000D), ref: 0041EA14
GetKeyState.USER32(00000027), ref: 0041EA1C
GetKeyState.USER32(0000002D), ref: 0041EA24
GetKeyState.USER32(0000000D), ref: 0041EA2C
GetKeyState.USER32(00000027), ref: 0041EA34
GetKeyState.USER32(0000002D), ref: 0041EA3C
GetKeyState.USER32(0000000D), ref: 0041EA44
GetKeyState.USER32(00000027), ref: 0041EA4C
GetKeyState.USER32(0000002D), ref: 0041EA54
GetKeyState.USER32(0000000D), ref: 0041EA5C
GetKeyState.USER32(00000027), ref: 0041EA64
GetKeyState.USER32(0000002D), ref: 0041EA6C
GetKeyState.USER32(0000000D), ref: 0041EA74
GetKeyState.USER32(00000027), ref: 0041EA7C
GetKeyState.USER32(0000002D), ref: 0041EA84
GetKeyState.USER32(0000000D), ref: 0041EA8C
GetKeyState.USER32(00000027), ref: 0041EA94
GetKeyState.USER32(0000002D), ref: 0041EA9C
GetKeyState.USER32(0000000D), ref: 0041EAA4
GetKeyState.USER32(00000027), ref: 0041EAAC
GetKeyState.USER32(0000002D), ref: 0041EAB4
GetKeyState.USER32(0000000D), ref: 0041EABC
GetKeyState.USER32(00000027), ref: 0041EAC4
GetKeyState.USER32(0000002D), ref: 0041EACC
GetKeyState.USER32(0000000D), ref: 0041EAD4
GetKeyState.USER32(00000027), ref: 0041EADC
GetKeyState.USER32(0000002D), ref: 0041EAE4
GetKeyState.USER32(0000000D), ref: 0041EAEC
GetKeyState.USER32(00000027), ref: 0041EAF4
GetKeyState.USER32(0000002D), ref: 0041EAFC
GetKeyState.USER32(0000000D), ref: 0041EB04
GetKeyState.USER32(00000027), ref: 0041EB0C
GetKeyState.USER32(0000002D), ref: 0041EB14
GetKeyState.USER32(0000000D), ref: 0041EB1C
GetKeyState.USER32(00000027), ref: 0041EB24
GetKeyState.USER32(0000002D), ref: 0041EB2C
GetKeyState.USER32(0000000D), ref: 0041EB34
GetKeyState.USER32(00000027), ref: 0041EB3C
GetKeyState.USER32(0000002D), ref: 0041EB44
GetKeyState.USER32(0000000D), ref: 0041EB4C
GetKeyState.USER32(00000027), ref: 0041EB54
GetKeyState.USER32(0000002D), ref: 0041EB5C
GetKeyState.USER32(0000000D), ref: 0041EB64
GetKeyState.USER32(00000027), ref: 0041EB6C
GetKeyState.USER32(0000002D), ref: 0041EB74
GetKeyState.USER32(0000000D), ref: 0041EB7C
GetKeyState.USER32(00000027), ref: 0041EB84
GetKeyState.USER32(0000002D), ref: 0041EB8C
GetKeyState.USER32(0000000D), ref: 0041EB94
GetKeyState.USER32(00000027), ref: 0041EB9C
GetKeyState.USER32(0000002D), ref: 0041EBA4
GetKeyState.USER32(0000000D), ref: 0041EBAC
GetKeyState.USER32(00000027), ref: 0041EBB4
GetKeyState.USER32(0000002D), ref: 0041EBBC
GetKeyState.USER32(0000000D), ref: 0041EBC4
GetKeyState.USER32(00000027), ref: 0041EBCC
GetKeyState.USER32(0000002D), ref: 0041EBD4
GetKeyState.USER32(0000000D), ref: 0041EBDC
GetKeyState.USER32(00000027), ref: 0041EBE4
GetKeyState.USER32(0000002D), ref: 0041EBEC
GetKeyState.USER32(0000000D), ref: 0041EBF4
GetKeyState.USER32(00000027), ref: 0041EBFC
GetKeyState.USER32(0000002D), ref: 0041EC04
GetKeyState.USER32(0000000D), ref: 0041EC0C
GetKeyState.USER32(00000027), ref: 0041EC14
GetKeyState.USER32(0000002D), ref: 0041EC1C
GetKeyState.USER32(0000000D), ref: 0041EC24
GetKeyState.USER32(00000027), ref: 0041EC2C
GetKeyState.USER32(0000002D), ref: 0041EC34
GetKeyState.USER32(0000000D), ref: 0041EC3C
GetKeyState.USER32(00000027), ref: 0041EC44
GetKeyState.USER32(0000002D), ref: 0041EC4C
GetKeyState.USER32(0000000D), ref: 0041EC54
GetKeyState.USER32(00000027), ref: 0041EC5C
GetKeyState.USER32(0000002D), ref: 0041EC64
GetKeyState.USER32(0000000D), ref: 0041EC6C
GetKeyState.USER32(00000027), ref: 0041EC74
GetKeyState.USER32(0000002D), ref: 0041EC7C
GetKeyState.USER32(0000000D), ref: 0041EC84
GetKeyState.USER32(00000027), ref: 0041EC8C
GetKeyState.USER32(0000002D), ref: 0041EC94
GetKeyState.USER32(0000000D), ref: 0041EC9C
GetKeyState.USER32(00000027), ref: 0041ECA4
GetKeyState.USER32(0000002D), ref: 0041ECAC
GetKeyState.USER32(0000000D), ref: 0041ECB4
GetKeyState.USER32(00000027), ref: 0041ECBC
GetKeyState.USER32(0000002D), ref: 0041ECC4
GetKeyState.USER32(0000000D), ref: 0041ECCC
GetKeyState.USER32(00000027), ref: 0041ECD4
GetKeyState.USER32(0000002D), ref: 0041ECDC
GetKeyState.USER32(0000000D), ref: 0041ECE4
GetKeyState.USER32(00000027), ref: 0041ECEC
GetKeyState.USER32(0000002D), ref: 0041ECF4
GetKeyState.USER32(0000000D), ref: 0041ECFC
GetKeyState.USER32(00000027), ref: 0041ED04
GetKeyState.USER32(0000002D), ref: 0041ED0C
GetKeyState.USER32(0000000D), ref: 0041ED14
GetKeyState.USER32(00000027), ref: 0041ED1C
GetKeyState.USER32(0000002D), ref: 0041ED24
GetKeyState.USER32(0000000D), ref: 0041ED2C
GetKeyState.USER32(00000027), ref: 0041ED34
GetKeyState.USER32(0000002D), ref: 0041ED3C
GetKeyState.USER32(0000000D), ref: 0041ED44
GetKeyState.USER32(00000027), ref: 0041ED4C
GetKeyState.USER32(0000002D), ref: 0041ED54
GetKeyState.USER32(0000000D), ref: 0041ED5C
GetKeyState.USER32(00000027), ref: 0041ED64
GetKeyState.USER32(0000002D), ref: 0041ED6C
GetKeyState.USER32(0000000D), ref: 0041ED74
GetKeyState.USER32(00000027), ref: 0041ED7C
GetKeyState.USER32(0000002D), ref: 0041ED84
GetKeyState.USER32(0000000D), ref: 0041ED8C
GetKeyState.USER32(00000027), ref: 0041ED94
GetKeyState.USER32(0000002D), ref: 0041ED9C
GetKeyState.USER32(0000000D), ref: 0041EDA4
GetKeyState.USER32(00000027), ref: 0041EDAC
GetKeyState.USER32(0000002D), ref: 0041EDB4
GetKeyState.USER32(0000000D), ref: 0041EDBC
GetKeyState.USER32(00000027), ref: 0041EDC4
GetKeyState.USER32(0000002D), ref: 0041EDCC
GetKeyState.USER32(0000000D), ref: 0041EDD4
GetKeyState.USER32(00000027), ref: 0041EDDC
GetKeyState.USER32(0000002D), ref: 0041EDE4
GetKeyState.USER32(0000000D), ref: 0041EDEC
GetKeyState.USER32(00000027), ref: 0041EDF4
GetKeyState.USER32(0000002D), ref: 0041EDFC
GetKeyState.USER32(0000000D), ref: 0041EE04
GetKeyState.USER32(00000027), ref: 0041EE0C
GetKeyState.USER32(0000002D), ref: 0041EE14
GetKeyState.USER32(0000000D), ref: 0041EE1C
GetKeyState.USER32(00000027), ref: 0041EE24
GetKeyState.USER32(0000002D), ref: 0041EE2C
GetKeyState.USER32(0000000D), ref: 0041EE34
GetKeyState.USER32(00000027), ref: 0041EE3C
GetKeyState.USER32(0000002D), ref: 0041EE44
GetKeyState.USER32(0000000D), ref: 0041EE4C
GetKeyState.USER32(00000027), ref: 0041EE54
GetKeyState.USER32(0000002D), ref: 0041EE5C
GetKeyState.USER32(0000000D), ref: 0041EE64
GetKeyState.USER32(00000027), ref: 0041EE6C
GetKeyState.USER32(0000002D), ref: 0041EE74
GetKeyState.USER32(0000000D), ref: 0041EE7C
GetKeyState.USER32(00000027), ref: 0041EE84
GetKeyState.USER32(0000002D), ref: 0041EE8C
GetKeyState.USER32(0000000D), ref: 0041EE94
GetKeyState.USER32(00000027), ref: 0041EE9C
GetKeyState.USER32(0000002D), ref: 0041EEA4
GetKeyState.USER32(0000000D), ref: 0041EEAC
GetKeyState.USER32(00000027), ref: 0041EEB4
GetKeyState.USER32(0000002D), ref: 0041EEBC
GetKeyState.USER32(0000000D), ref: 0041EEC4
GetKeyState.USER32(00000027), ref: 0041EECC
GetKeyState.USER32(0000002D), ref: 0041EED4
GetKeyState.USER32(0000000D), ref: 0041EEDC
GetKeyState.USER32(00000027), ref: 0041EEE4
GetKeyState.USER32(0000002D), ref: 0041EEEC
GetKeyState.USER32(0000000D), ref: 0041EEF4
GetKeyState.USER32(00000027), ref: 0041EEFC
GetKeyState.USER32(0000002D), ref: 0041EF04
GetKeyState.USER32(0000000D), ref: 0041EF0C
GetKeyState.USER32(00000027), ref: 0041EF14
GetKeyState.USER32(0000002D), ref: 0041EF1C
GetKeyState.USER32(0000000D), ref: 0041EF24
GetKeyState.USER32(00000027), ref: 0041EF2C
GetKeyState.USER32(0000002D), ref: 0041EF34
GetKeyState.USER32(0000000D), ref: 0041EF3C
GetKeyState.USER32(00000027), ref: 0041EF44
GetKeyState.USER32(0000002D), ref: 0041EF4C
GetKeyState.USER32(0000000D), ref: 0041EF54
GetKeyState.USER32(00000027), ref: 0041EF5C
GetKeyState.USER32(0000002D), ref: 0041EF64
GetKeyState.USER32(0000000D), ref: 0041EF6C
GetKeyState.USER32(00000027), ref: 0041EF74
GetKeyState.USER32(0000002D), ref: 0041EF7C
GetKeyState.USER32(0000000D), ref: 0041EF84
GetKeyState.USER32(00000027), ref: 0041EF8C
GetKeyState.USER32(0000002D), ref: 0041EF94
GetKeyState.USER32(0000000D), ref: 0041EF9C
GetKeyState.USER32(00000027), ref: 0041EFA4
GetKeyState.USER32(0000002D), ref: 0041EFAC
GetKeyState.USER32(0000000D), ref: 0041EFB4
GetKeyState.USER32(00000027), ref: 0041EFBC
GetKeyState.USER32(0000002D), ref: 0041EFC4
GetKeyState.USER32(0000000D), ref: 0041EFCC
GetKeyState.USER32(00000027), ref: 0041EFD4
GetKeyState.USER32(0000002D), ref: 0041EFDC
GetKeyState.USER32(0000000D), ref: 0041EFE4
GetKeyState.USER32(00000027), ref: 0041EFEC
GetKeyState.USER32(0000002D), ref: 0041EFF4
GetKeyState.USER32(0000000D), ref: 0041EFFC
GetKeyState.USER32(00000027), ref: 0041F004
GetKeyState.USER32(0000002D), ref: 0041F00C
GetKeyState.USER32(0000000D), ref: 0041F014
GetKeyState.USER32(00000027), ref: 0041F01C
GetKeyState.USER32(0000002D), ref: 0041F024
GetKeyState.USER32(0000000D), ref: 0041F02C
GetKeyState.USER32(00000027), ref: 0041F034
GetKeyState.USER32(0000002D), ref: 0041F03C
GetKeyState.USER32(0000000D), ref: 0041F044
GetKeyState.USER32(00000027), ref: 0041F04C
GetKeyState.USER32(0000002D), ref: 0041F054
GetKeyState.USER32(0000000D), ref: 0041F05C
GetKeyState.USER32(00000027), ref: 0041F064
GetKeyState.USER32(0000002D), ref: 0041F06C
GetKeyState.USER32(0000000D), ref: 0041F074
GetKeyState.USER32(00000027), ref: 0041F07C
GetKeyState.USER32(0000002D), ref: 0041F084
GetKeyState.USER32(0000000D), ref: 0041F08C
GetKeyState.USER32(00000027), ref: 0041F094
GetKeyState.USER32(0000002D), ref: 0041F09C
GetKeyState.USER32(0000000D), ref: 0041F0A4
GetKeyState.USER32(00000027), ref: 0041F0AC
GetKeyState.USER32(0000002D), ref: 0041F0B4
GetKeyState.USER32(0000000D), ref: 0041F0BC
GetKeyState.USER32(00000027), ref: 0041F0C4
GetKeyState.USER32(0000002D), ref: 0041F0CC
GetKeyState.USER32(0000000D), ref: 0041F0D4
GetKeyState.USER32(00000027), ref: 0041F0DC
GetKeyState.USER32(0000002D), ref: 0041F0E4
GetKeyState.USER32(0000000D), ref: 0041F0EC
GetKeyState.USER32(00000027), ref: 0041F0F4
GetKeyState.USER32(0000002D), ref: 0041F0FC
GetKeyState.USER32(0000000D), ref: 0041F104
GetKeyState.USER32(00000027), ref: 0041F10C
GetKeyState.USER32(0000002D), ref: 0041F114
GetKeyState.USER32(0000000D), ref: 0041F11C
GetKeyState.USER32(00000027), ref: 0041F124
GetKeyState.USER32(0000002D), ref: 0041F12C
GetKeyState.USER32(0000000D), ref: 0041F134
GetKeyState.USER32(00000027), ref: 0041F13C
GetKeyState.USER32(0000002D), ref: 0041F144
GetKeyState.USER32(0000000D), ref: 0041F14C
GetKeyState.USER32(00000027), ref: 0041F154
GetKeyState.USER32(0000002D), ref: 0041F15C
GetKeyState.USER32(0000000D), ref: 0041F164
GetKeyState.USER32(00000027), ref: 0041F16C
GetKeyState.USER32(0000002D), ref: 0041F174
GetKeyState.USER32(0000000D), ref: 0041F17C
GetKeyState.USER32(00000027), ref: 0041F184
GetKeyState.USER32(0000002D), ref: 0041F18C
GetKeyState.USER32(0000000D), ref: 0041F194
GetKeyState.USER32(00000027), ref: 0041F19C
GetKeyState.USER32(0000002D), ref: 0041F1A4
GetKeyState.USER32(0000000D), ref: 0041F1AC
GetKeyState.USER32(00000027), ref: 0041F1B4
GetKeyState.USER32(0000002D), ref: 0041F1BC
GetKeyState.USER32(0000000D), ref: 0041F1C4
GetKeyState.USER32(00000027), ref: 0041F1CC
GetKeyState.USER32(0000002D), ref: 0041F1D4
GetKeyState.USER32(0000000D), ref: 0041F1DC
GetKeyState.USER32(00000027), ref: 0041F1E4
GetKeyState.USER32(0000002D), ref: 0041F1EC
GetKeyState.USER32(0000000D), ref: 0041F1F4
GetKeyState.USER32(00000027), ref: 0041F1FC
GetKeyState.USER32(0000002D), ref: 0041F204
GetKeyState.USER32(0000000D), ref: 0041F20C
GetKeyState.USER32(00000027), ref: 0041F214
GetKeyState.USER32(0000002D), ref: 0041F21C
GetKeyState.USER32(0000000D), ref: 0041F224
GetKeyState.USER32(00000027), ref: 0041F22C
GetKeyState.USER32(0000002D), ref: 0041F234
GetKeyState.USER32(0000000D), ref: 0041F23C
GetKeyState.USER32(00000027), ref: 0041F244
GetKeyState.USER32(0000002D), ref: 0041F24C
GetKeyState.USER32(0000000D), ref: 0041F254
GetKeyState.USER32(00000027), ref: 0041F25C
GetKeyState.USER32(0000002D), ref: 0041F264
GetKeyState.USER32(0000000D), ref: 0041F26C
GetKeyState.USER32(00000027), ref: 0041F274
GetKeyState.USER32(0000002D), ref: 0041F27C
GetKeyState.USER32(0000000D), ref: 0041F284
GetKeyState.USER32(00000027), ref: 0041F28C
GetKeyState.USER32(0000002D), ref: 0041F294
GetKeyState.USER32(0000000D), ref: 0041F29C
GetKeyState.USER32(00000027), ref: 0041F2A4
GetKeyState.USER32(0000002D), ref: 0041F2AC
GetKeyState.USER32(0000000D), ref: 0041F2B4
GetKeyState.USER32(00000027), ref: 0041F2BC
GetKeyState.USER32(0000002D), ref: 0041F2C4
GetKeyState.USER32(0000000D), ref: 0041F2CC
GetKeyState.USER32(00000027), ref: 0041F2D4
GetKeyState.USER32(0000002D), ref: 0041F2DC
GetKeyState.USER32(0000000D), ref: 0041F2E4
GetKeyState.USER32(00000027), ref: 0041F2EC
GetKeyState.USER32(0000002D), ref: 0041F2F4
GetKeyState.USER32(0000000D), ref: 0041F2FC
GetKeyState.USER32(00000027), ref: 0041F304
GetKeyState.USER32(0000002D), ref: 0041F30C
GetKeyState.USER32(0000000D), ref: 0041F314
GetKeyState.USER32(00000027), ref: 0041F31C
GetKeyState.USER32(0000002D), ref: 0041F324
GetKeyState.USER32(0000000D), ref: 0041F32C
GetKeyState.USER32(00000027), ref: 0041F334
GetKeyState.USER32(0000002D), ref: 0041F33C
GetKeyState.USER32(0000000D), ref: 0041F344
GetKeyState.USER32(00000027), ref: 0041F34C
GetKeyState.USER32(0000002D), ref: 0041F354
GetKeyState.USER32(0000000D), ref: 0041F35C
GetKeyState.USER32(00000027), ref: 0041F364
GetKeyState.USER32(0000002D), ref: 0041F36C
GetKeyState.USER32(0000000D), ref: 0041F374
GetKeyState.USER32(00000027), ref: 0041F37C
GetKeyState.USER32(0000002D), ref: 0041F384
GetKeyState.USER32(0000000D), ref: 0041F38C
GetKeyState.USER32(00000027), ref: 0041F394
GetKeyState.USER32(0000002D), ref: 0041F39C
GetKeyState.USER32(0000000D), ref: 0041F3A4
GetKeyState.USER32(00000027), ref: 0041F3AC
GetKeyState.USER32(0000002D), ref: 0041F3B4
GetKeyState.USER32(0000000D), ref: 0041F3BC
GetKeyState.USER32(00000027), ref: 0041F3C4
GetKeyState.USER32(0000002D), ref: 0041F3CC
GetKeyState.USER32(0000000D), ref: 0041F3D4
GetKeyState.USER32(00000027), ref: 0041F3DC
GetKeyState.USER32(0000002D), ref: 0041F3E4
GetKeyState.USER32(0000000D), ref: 0041F3EC
GetKeyState.USER32(00000027), ref: 0041F3F4
GetKeyState.USER32(0000002D), ref: 0041F3FC
GetKeyState.USER32(0000000D), ref: 0041F404
GetKeyState.USER32(00000027), ref: 0041F40C
GetKeyState.USER32(0000002D), ref: 0041F414
GetKeyState.USER32(0000000D), ref: 0041F41C
GetKeyState.USER32(00000027), ref: 0041F424
GetKeyState.USER32(0000002D), ref: 0041F42C
GetKeyState.USER32(0000000D), ref: 0041F434
GetKeyState.USER32(00000027), ref: 0041F43C
GetKeyState.USER32(0000002D), ref: 0041F444
GetKeyState.USER32(0000000D), ref: 0041F44C
GetKeyState.USER32(00000027), ref: 0041F454
GetKeyState.USER32(0000002D), ref: 0041F45C
GetKeyState.USER32(0000000D), ref: 0041F464
GetKeyState.USER32(00000027), ref: 0041F46C
GetKeyState.USER32(0000002D), ref: 0041F474
GetKeyState.USER32(0000000D), ref: 0041F47C
GetKeyState.USER32(00000027), ref: 0041F484
GetKeyState.USER32(0000002D), ref: 0041F48C
GetKeyState.USER32(0000000D), ref: 0041F494
GetKeyState.USER32(00000027), ref: 0041F49C
GetKeyState.USER32(0000002D), ref: 0041F4A4
GetKeyState.USER32(0000000D), ref: 0041F4AC
GetKeyState.USER32(00000027), ref: 0041F4B4
GetKeyState.USER32(0000002D), ref: 0041F4BC
GetKeyState.USER32(0000000D), ref: 0041F4C4
GetKeyState.USER32(00000027), ref: 0041F4CC
GetKeyState.USER32(0000002D), ref: 0041F4D4
GetKeyState.USER32(0000000D), ref: 0041F4DC
GetKeyState.USER32(00000027), ref: 0041F4E4
GetKeyState.USER32(0000002D), ref: 0041F4EC
GetKeyState.USER32(0000000D), ref: 0041F4F4
GetKeyState.USER32(00000027), ref: 0041F4FC
GetKeyState.USER32(0000002D), ref: 0041F504
GetKeyState.USER32(0000000D), ref: 0041F50C
GetKeyState.USER32(00000027), ref: 0041F514
GetKeyState.USER32(0000002D), ref: 0041F51C
GetKeyState.USER32(0000000D), ref: 0041F524
GetKeyState.USER32(00000027), ref: 0041F52C
GetKeyState.USER32(0000002D), ref: 0041F534
GetKeyState.USER32(0000000D), ref: 0041F53C
GetKeyState.USER32(00000027), ref: 0041F544
GetKeyState.USER32(0000002D), ref: 0041F54C
GetKeyState.USER32(0000000D), ref: 0041F554
GetKeyState.USER32(00000027), ref: 0041F55C
GetKeyState.USER32(0000002D), ref: 0041F564
GetKeyState.USER32(0000000D), ref: 0041F56C
GetKeyState.USER32(00000027), ref: 0041F574
GetKeyState.USER32(0000002D), ref: 0041F57C
GetKeyState.USER32(0000000D), ref: 0041F584
GetKeyState.USER32(00000027), ref: 0041F58C
GetKeyState.USER32(0000002D), ref: 0041F594
GetKeyState.USER32(0000000D), ref: 0041F59C
GetKeyState.USER32(00000027), ref: 0041F5A4
GetKeyState.USER32(0000002D), ref: 0041F5AC
GetKeyState.USER32(0000000D), ref: 0041F5B4
GetKeyState.USER32(00000027), ref: 0041F5BC
GetKeyState.USER32(0000002D), ref: 0041F5C4
GetKeyState.USER32(0000000D), ref: 0041F5CC
GetKeyState.USER32(00000027), ref: 0041F5D4
GetKeyState.USER32(0000002D), ref: 0041F5DC
GetKeyState.USER32(0000000D), ref: 0041F5E4
GetKeyState.USER32(00000027), ref: 0041F5EC
GetKeyState.USER32(0000002D), ref: 0041F5F4
GetKeyState.USER32(0000000D), ref: 0041F5FC
GetKeyState.USER32(00000027), ref: 0041F604
GetKeyState.USER32(0000002D), ref: 0041F60C
GetKeyState.USER32(0000000D), ref: 0041F614
GetKeyState.USER32(00000027), ref: 0041F61C
GetKeyState.USER32(0000002D), ref: 0041F624
GetKeyState.USER32(0000000D), ref: 0041F62C
GetKeyState.USER32(00000027), ref: 0041F634
GetKeyState.USER32(0000002D), ref: 0041F63C
GetKeyState.USER32(0000000D), ref: 0041F644
GetKeyState.USER32(00000027), ref: 0041F64C
GetKeyState.USER32(0000002D), ref: 0041F654
GetKeyState.USER32(0000000D), ref: 0041F65C
GetKeyState.USER32(00000027), ref: 0041F664
GetKeyState.USER32(0000002D), ref: 0041F66C
GetKeyState.USER32(0000000D), ref: 0041F674
GetKeyState.USER32(00000027), ref: 0041F67C
GetKeyState.USER32(0000002D), ref: 0041F684
GetKeyState.USER32(0000000D), ref: 0041F68C
GetKeyState.USER32(00000027), ref: 0041F694
GetKeyState.USER32(0000002D), ref: 0041F69C
GetKeyState.USER32(0000000D), ref: 0041F6A4
GetKeyState.USER32(00000027), ref: 0041F6AC
GetKeyState.USER32(0000002D), ref: 0041F6B4
GetKeyState.USER32(0000000D), ref: 0041F6BC
GetKeyState.USER32(00000027), ref: 0041F6C4
GetKeyState.USER32(0000002D), ref: 0041F6CC
GetKeyState.USER32(0000000D), ref: 0041F6D4
GetKeyState.USER32(00000027), ref: 0041F6DC
GetKeyState.USER32(0000002D), ref: 0041F6E4
GetKeyState.USER32(0000000D), ref: 0041F6EC
GetKeyState.USER32(00000027), ref: 0041F6F4
GetKeyState.USER32(0000002D), ref: 0041F6FC
GetKeyState.USER32(0000000D), ref: 0041F704
GetKeyState.USER32(00000027), ref: 0041F70C
GetKeyState.USER32(0000002D), ref: 0041F714
GetKeyState.USER32(0000000D), ref: 0041F71C
GetKeyState.USER32(00000027), ref: 0041F724
GetKeyState.USER32(0000002D), ref: 0041F72C
GetKeyState.USER32(0000000D), ref: 0041F734
GetKeyState.USER32(00000027), ref: 0041F73C
GetKeyState.USER32(0000002D), ref: 0041F744
GetKeyState.USER32(0000000D), ref: 0041F74C
GetKeyState.USER32(00000027), ref: 0041F754
GetKeyState.USER32(0000002D), ref: 0041F75C
GetKeyState.USER32(0000000D), ref: 0041F764
GetKeyState.USER32(00000027), ref: 0041F76C
GetKeyState.USER32(0000002D), ref: 0041F774
GetKeyState.USER32(0000000D), ref: 0041F77C
GetKeyState.USER32(00000027), ref: 0041F784
GetKeyState.USER32(0000002D), ref: 0041F78C
GetKeyState.USER32(0000000D), ref: 0041F794
GetKeyState.USER32(00000027), ref: 0041F79C
GetKeyState.USER32(0000002D), ref: 0041F7A4
GetKeyState.USER32(0000000D), ref: 0041F7AC
GetKeyState.USER32(00000027), ref: 0041F7B4
GetKeyState.USER32(0000002D), ref: 0041F7BC
GetKeyState.USER32(0000000D), ref: 0041F7C4
GetKeyState.USER32(00000027), ref: 0041F7CC
GetKeyState.USER32(0000002D), ref: 0041F7D4
GetKeyState.USER32(0000000D), ref: 0041F7DC
GetKeyState.USER32(00000027), ref: 0041F7E4
GetKeyState.USER32(0000002D), ref: 0041F7EC
GetKeyState.USER32(0000000D), ref: 0041F7F4
GetKeyState.USER32(00000027), ref: 0041F7FC
GetKeyState.USER32(0000002D), ref: 0041F804
GetKeyState.USER32(0000000D), ref: 0041F80C
GetKeyState.USER32(00000027), ref: 0041F814
GetKeyState.USER32(0000002D), ref: 0041F81C
GetKeyState.USER32(0000000D), ref: 0041F824
GetKeyState.USER32(00000027), ref: 0041F82C
GetKeyState.USER32(0000002D), ref: 0041F834
GetKeyState.USER32(0000000D), ref: 0041F83C
GetKeyState.USER32(00000027), ref: 0041F844
GetKeyState.USER32(0000002D), ref: 0041F84C
GetKeyState.USER32(0000000D), ref: 0041F854
GetKeyState.USER32(00000027), ref: 0041F85C
GetKeyState.USER32(0000002D), ref: 0041F864
GetKeyState.USER32(0000000D), ref: 0041F86C
GetKeyState.USER32(00000027), ref: 0041F874
GetKeyState.USER32(0000002D), ref: 0041F87C
GetKeyState.USER32(0000000D), ref: 0041F884
GetKeyState.USER32(00000027), ref: 0041F88C
GetKeyState.USER32(0000002D), ref: 0041F894
GetKeyState.USER32(0000000D), ref: 0041F89C
GetKeyState.USER32(00000027), ref: 0041F8A4
GetKeyState.USER32(0000002D), ref: 0041F8AC
GetKeyState.USER32(0000000D), ref: 0041F8B4
GetKeyState.USER32(00000027), ref: 0041F8BC
GetKeyState.USER32(0000002D), ref: 0041F8C4
GetKeyState.USER32(0000000D), ref: 0041F8CC
GetKeyState.USER32(00000027), ref: 0041F8D4
GetKeyState.USER32(0000002D), ref: 0041F8DC
GetKeyState.USER32(0000000D), ref: 0041F8E4
GetKeyState.USER32(00000027), ref: 0041F8EC
GetKeyState.USER32(0000002D), ref: 0041F8F4
GetKeyState.USER32(0000000D), ref: 0041F8FC
GetKeyState.USER32(00000027), ref: 0041F904
GetKeyState.USER32(0000002D), ref: 0041F90C
GetKeyState.USER32(0000000D), ref: 0041F914
GetKeyState.USER32(00000027), ref: 0041F91C
GetKeyState.USER32(0000002D), ref: 0041F924
GetKeyState.USER32(0000000D), ref: 0041F92C
GetKeyState.USER32(00000027), ref: 0041F934
GetKeyState.USER32(0000002D), ref: 0041F93C
GetKeyState.USER32(0000000D), ref: 0041F944
GetKeyState.USER32(00000027), ref: 0041F94C
GetKeyState.USER32(0000002D), ref: 0041F954
GetKeyState.USER32(0000000D), ref: 0041F95C
GetKeyState.USER32(00000027), ref: 0041F964
GetKeyState.USER32(0000002D), ref: 0041F96C
GetKeyState.USER32(0000000D), ref: 0041F974
GetKeyState.USER32(00000027), ref: 0041F97C
GetKeyState.USER32(0000002D), ref: 0041F984
GetKeyState.USER32(0000000D), ref: 0041F98C
GetKeyState.USER32(00000027), ref: 0041F994
GetKeyState.USER32(0000002D), ref: 0041F99C
GetKeyState.USER32(0000000D), ref: 0041F9A4
GetKeyState.USER32(00000027), ref: 0041F9AC
GetKeyState.USER32(0000002D), ref: 0041F9B4
GetKeyState.USER32(0000000D), ref: 0041F9BC
GetKeyState.USER32(00000027), ref: 0041F9C4
GetKeyState.USER32(0000002D), ref: 0041F9CC
GetKeyState.USER32(0000000D), ref: 0041F9D4
GetKeyState.USER32(00000027), ref: 0041F9DC
GetKeyState.USER32(0000002D), ref: 0041F9E4
GetKeyState.USER32(0000000D), ref: 0041F9EC
GetKeyState.USER32(00000027), ref: 0041F9F4
GetKeyState.USER32(0000002D), ref: 0041F9FC
GetKeyState.USER32(0000000D), ref: 0041FA04
GetKeyState.USER32(00000027), ref: 0041FA0C
GetKeyState.USER32(0000002D), ref: 0041FA14
GetKeyState.USER32(0000000D), ref: 0041FA1C
GetKeyState.USER32(00000027), ref: 0041FA24
GetKeyState.USER32(0000002D), ref: 0041FA2C
GetKeyState.USER32(0000000D), ref: 0041FA34
GetKeyState.USER32(00000027), ref: 0041FA3C
GetKeyState.USER32(0000002D), ref: 0041FA44
GetKeyState.USER32(0000000D), ref: 0041FA4C
GetKeyState.USER32(00000027), ref: 0041FA54
GetKeyState.USER32(0000002D), ref: 0041FA5C
GetKeyState.USER32(0000000D), ref: 0041FA64
GetKeyState.USER32(00000027), ref: 0041FA6C
GetKeyState.USER32(0000002D), ref: 0041FA74
GetKeyState.USER32(0000000D), ref: 0041FA7C
GetKeyState.USER32(00000027), ref: 0041FA84
GetKeyState.USER32(0000002D), ref: 0041FA8C
GetKeyState.USER32(0000000D), ref: 0041FA94
GetKeyState.USER32(00000027), ref: 0041FA9C
GetKeyState.USER32(0000002D), ref: 0041FAA4
GetKeyState.USER32(0000000D), ref: 0041FAAC
GetKeyState.USER32(00000027), ref: 0041FAB4
GetKeyState.USER32(0000002D), ref: 0041FABC
GetKeyState.USER32(0000000D), ref: 0041FAC4
GetKeyState.USER32(00000027), ref: 0041FACC
GetKeyState.USER32(0000002D), ref: 0041FAD4
GetKeyState.USER32(0000000D), ref: 0041FADC
GetKeyState.USER32(00000027), ref: 0041FAE4
GetKeyState.USER32(0000002D), ref: 0041FAEC
GetKeyState.USER32(0000000D), ref: 0041FAF4
GetKeyState.USER32(00000027), ref: 0041FAFC
GetKeyState.USER32(0000002D), ref: 0041FB04
GetKeyState.USER32(0000000D), ref: 0041FB0C
GetKeyState.USER32(00000027), ref: 0041FB14
GetKeyState.USER32(0000002D), ref: 0041FB1C
GetKeyState.USER32(0000000D), ref: 0041FB24
GetKeyState.USER32(00000027), ref: 0041FB2C
GetKeyState.USER32(0000002D), ref: 0041FB34
GetKeyState.USER32(0000000D), ref: 0041FB3C
GetKeyState.USER32(00000027), ref: 0041FB44
GetKeyState.USER32(0000002D), ref: 0041FB4C
GetKeyState.USER32(0000000D), ref: 0041FB54
GetKeyState.USER32(00000027), ref: 0041FB5C
GetKeyState.USER32(0000002D), ref: 0041FB64
GetKeyState.USER32(0000000D), ref: 0041FB6C
GetKeyState.USER32(00000027), ref: 0041FB74
GetKeyState.USER32(0000002D), ref: 0041FB7C
GetKeyState.USER32(0000000D), ref: 0041FB84
GetKeyState.USER32(00000027), ref: 0041FB8C
GetKeyState.USER32(0000002D), ref: 0041FB94
GetKeyState.USER32(0000000D), ref: 0041FB9C
GetKeyState.USER32(00000027), ref: 0041FBA4
GetKeyState.USER32(0000002D), ref: 0041FBAC
GetKeyState.USER32(0000000D), ref: 0041FBB4
GetKeyState.USER32(00000027), ref: 0041FBBC
GetKeyState.USER32(0000002D), ref: 0041FBC4
GetKeyState.USER32(0000000D), ref: 0041FBCC
GetKeyState.USER32(00000027), ref: 0041FBD4
GetKeyState.USER32(0000002D), ref: 0041FBDC
GetKeyState.USER32(0000000D), ref: 0041FBE4
GetKeyState.USER32(00000027), ref: 0041FBEC
GetKeyState.USER32(0000002D), ref: 0041FBF4
GetKeyState.USER32(0000000D), ref: 0041FBFC
GetKeyState.USER32(00000027), ref: 0041FC04
GetKeyState.USER32(0000002D), ref: 0041FC0C
GetKeyState.USER32(0000000D), ref: 0041FC14
GetKeyState.USER32(00000027), ref: 0041FC1C
GetKeyState.USER32(0000002D), ref: 0041FC24
GetKeyState.USER32(0000000D), ref: 0041FC2C
GetKeyState.USER32(00000027), ref: 0041FC34
GetKeyState.USER32(0000002D), ref: 0041FC3C
GetKeyState.USER32(0000000D), ref: 0041FC44
GetKeyState.USER32(00000027), ref: 0041FC4C
GetKeyState.USER32(0000002D), ref: 0041FC54
GetKeyState.USER32(0000000D), ref: 0041FC5C
GetKeyState.USER32(00000027), ref: 0041FC64
GetKeyState.USER32(0000002D), ref: 0041FC6C
GetKeyState.USER32(0000000D), ref: 0041FC74
GetKeyState.USER32(00000027), ref: 0041FC7C
GetKeyState.USER32(0000002D), ref: 0041FC84
GetKeyState.USER32(0000000D), ref: 0041FC8C
GetKeyState.USER32(00000027), ref: 0041FC94
GetKeyState.USER32(0000002D), ref: 0041FC9C
GetKeyState.USER32(0000000D), ref: 0041FCA4
GetKeyState.USER32(00000027), ref: 0041FCAC
GetKeyState.USER32(0000002D), ref: 0041FCB4
GetKeyState.USER32(0000000D), ref: 0041FCBC
GetKeyState.USER32(00000027), ref: 0041FCC4
GetKeyState.USER32(0000002D), ref: 0041FCCC
GetKeyState.USER32(0000000D), ref: 0041FCD4
GetKeyState.USER32(00000027), ref: 0041FCDC
GetKeyState.USER32(0000002D), ref: 0041FCE4
GetKeyState.USER32(0000000D), ref: 0041FCEC
GetKeyState.USER32(00000027), ref: 0041FCF4
GetKeyState.USER32(0000002D), ref: 0041FCFC
GetKeyState.USER32(0000000D), ref: 0041FD04
GetKeyState.USER32(00000027), ref: 0041FD0C
GetKeyState.USER32(0000002D), ref: 0041FD14
GetKeyState.USER32(0000000D), ref: 0041FD1C
GetKeyState.USER32(00000027), ref: 0041FD24
GetKeyState.USER32(0000002D), ref: 0041FD2C
GetKeyState.USER32(0000000D), ref: 0041FD34
GetKeyState.USER32(00000027), ref: 0041FD3C
GetKeyState.USER32(0000002D), ref: 0041FD44
GetKeyState.USER32(0000000D), ref: 0041FD4C
GetKeyState.USER32(00000027), ref: 0041FD54
GetKeyState.USER32(0000002D), ref: 0041FD5C
GetKeyState.USER32(0000000D), ref: 0041FD64
GetKeyState.USER32(00000027), ref: 0041FD6C
GetKeyState.USER32(0000002D), ref: 0041FD74
GetKeyState.USER32(0000000D), ref: 0041FD7C
GetKeyState.USER32(00000027), ref: 0041FD84
GetKeyState.USER32(0000002D), ref: 0041FD8C
GetKeyState.USER32(0000000D), ref: 0041FD94
GetKeyState.USER32(00000027), ref: 0041FD9C
GetKeyState.USER32(0000002D), ref: 0041FDA4
GetKeyState.USER32(0000000D), ref: 0041FDAC
GetKeyState.USER32(00000027), ref: 0041FDB4
GetKeyState.USER32(0000002D), ref: 0041FDBC
GetKeyState.USER32(0000000D), ref: 0041FDC4
GetKeyState.USER32(00000027), ref: 0041FDCC
GetKeyState.USER32(0000002D), ref: 0041FDD4
GetKeyState.USER32(0000000D), ref: 0041FDDC
GetKeyState.USER32(00000027), ref: 0041FDE4
GetKeyState.USER32(0000002D), ref: 0041FDEC
GetKeyState.USER32(0000000D), ref: 0041FDF4
GetKeyState.USER32(00000027), ref: 0041FDFC
GetKeyState.USER32(0000002D), ref: 0041FE04
GetKeyState.USER32(0000000D), ref: 0041FE0C
GetKeyState.USER32(00000027), ref: 0041FE14
GetKeyState.USER32(0000002D), ref: 0041FE1C
GetKeyState.USER32(0000000D), ref: 0041FE24
GetKeyState.USER32(00000027), ref: 0041FE2C
GetKeyState.USER32(0000002D), ref: 0041FE34
GetKeyState.USER32(0000000D), ref: 0041FE3C
GetKeyState.USER32(00000027), ref: 0041FE44
GetKeyState.USER32(0000002D), ref: 0041FE4C
GetKeyState.USER32(0000000D), ref: 0041FE54
GetKeyState.USER32(00000027), ref: 0041FE5C
GetKeyState.USER32(0000002D), ref: 0041FE64
GetKeyState.USER32(0000000D), ref: 0041FE6C
GetKeyState.USER32(00000027), ref: 0041FE74
GetKeyState.USER32(0000002D), ref: 0041FE7C
GetKeyState.USER32(0000000D), ref: 0041FE84
GetKeyState.USER32(00000027), ref: 0041FE8C
GetKeyState.USER32(0000002D), ref: 0041FE94
GetKeyState.USER32(0000000D), ref: 0041FE9C
GetKeyState.USER32(00000027), ref: 0041FEA4
GetKeyState.USER32(0000002D), ref: 0041FEAC
GetKeyState.USER32(0000000D), ref: 0041FEB4
GetKeyState.USER32(00000027), ref: 0041FEBC
GetKeyState.USER32(0000002D), ref: 0041FEC4
GetKeyState.USER32(0000000D), ref: 0041FECC
GetKeyState.USER32(00000027), ref: 0041FED4
GetKeyState.USER32(0000002D), ref: 0041FEDC
GetKeyState.USER32(0000000D), ref: 0041FEE4
GetKeyState.USER32(00000027), ref: 0041FEEC
GetKeyState.USER32(0000002D), ref: 0041FEF4
GetKeyState.USER32(0000000D), ref: 0041FEFC
GetKeyState.USER32(00000027), ref: 0041FF04
GetKeyState.USER32(0000002D), ref: 0041FF0C
GetKeyState.USER32(0000000D), ref: 0041FF14
GetKeyState.USER32(00000027), ref: 0041FF1C
GetKeyState.USER32(0000002D), ref: 0041FF24
GetKeyState.USER32(0000000D), ref: 0041FF2C
GetKeyState.USER32(00000027), ref: 0041FF34
GetKeyState.USER32(0000002D), ref: 0041FF3C
GetKeyState.USER32(0000000D), ref: 0041FF44
GetKeyState.USER32(00000027), ref: 0041FF4C
GetKeyState.USER32(0000002D), ref: 0041FF54
GetKeyState.USER32(0000000D), ref: 0041FF5C
GetKeyState.USER32(00000027), ref: 0041FF64
GetKeyState.USER32(0000002D), ref: 0041FF6C
GetKeyState.USER32(0000000D), ref: 0041FF74
GetKeyState.USER32(00000027), ref: 0041FF7C
GetKeyState.USER32(0000002D), ref: 0041FF84
GetKeyState.USER32(0000000D), ref: 0041FF8C
GetKeyState.USER32(00000027), ref: 0041FF94
GetKeyState.USER32(0000002D), ref: 0041FF9C
GetKeyState.USER32(0000000D), ref: 0041FFA4
GetKeyState.USER32(00000027), ref: 0041FFAC
GetKeyState.USER32(0000002D), ref: 0041FFB4
GetKeyState.USER32(0000000D), ref: 0041FFBC
GetKeyState.USER32(00000027), ref: 0041FFC4
GetKeyState.USER32(0000002D), ref: 0041FFCC
GetKeyState.USER32(0000000D), ref: 0041FFD4
GetKeyState.USER32(00000027), ref: 0041FFDC
GetKeyState.USER32(0000002D), ref: 0041FFE4
GetKeyState.USER32(0000000D), ref: 0041FFEC
GetKeyState.USER32(00000027), ref: 0041FFF4
GetKeyState.USER32(0000002D), ref: 0041FFFC
GetKeyState.USER32(0000000D), ref: 00420004
GetKeyState.USER32(00000027), ref: 0042000C
GetKeyState.USER32(0000002D), ref: 00420014
GetKeyState.USER32(0000000D), ref: 0042001C
GetKeyState.USER32(00000027), ref: 00420024
GetKeyState.USER32(0000002D), ref: 0042002C
GetKeyState.USER32(0000000D), ref: 00420034
GetKeyState.USER32(00000027), ref: 0042003C
GetKeyState.USER32(0000002D), ref: 00420044
GetKeyState.USER32(0000000D), ref: 0042004C
GetKeyState.USER32(00000027), ref: 00420054
GetKeyState.USER32(0000002D), ref: 0042005C
GetKeyState.USER32(0000000D), ref: 00420064
GetKeyState.USER32(00000027), ref: 0042006C
GetKeyState.USER32(0000002D), ref: 00420074
GetKeyState.USER32(0000000D), ref: 0042007C
GetKeyState.USER32(00000027), ref: 00420084
GetKeyState.USER32(0000002D), ref: 0042008C
GetKeyState.USER32(0000000D), ref: 00420094
GetKeyState.USER32(00000027), ref: 0042009C
GetKeyState.USER32(0000002D), ref: 004200A4
GetKeyState.USER32(0000000D), ref: 004200AC
GetKeyState.USER32(00000027), ref: 004200B4
GetKeyState.USER32(0000002D), ref: 004200BC
GetKeyState.USER32(0000000D), ref: 004200C4
GetKeyState.USER32(00000027), ref: 004200CC
GetKeyState.USER32(0000002D), ref: 004200D4
GetKeyState.USER32(0000000D), ref: 004200DC
GetKeyState.USER32(00000027), ref: 004200E4
GetKeyState.USER32(0000002D), ref: 004200EC
GetKeyState.USER32(0000000D), ref: 004200F4
GetKeyState.USER32(00000027), ref: 004200FC
GetKeyState.USER32(0000002D), ref: 00420104
GetKeyState.USER32(0000000D), ref: 0042010C
GetKeyState.USER32(00000027), ref: 00420114
GetKeyState.USER32(0000002D), ref: 0042011C
GetKeyState.USER32(0000000D), ref: 00420124
GetKeyState.USER32(00000027), ref: 0042012C
GetKeyState.USER32(0000002D), ref: 00420134
GetKeyState.USER32(0000000D), ref: 0042013C
GetKeyState.USER32(00000027), ref: 00420144
GetKeyState.USER32(0000002D), ref: 0042014C
GetKeyState.USER32(0000000D), ref: 00420154
GetKeyState.USER32(00000027), ref: 0042015C
GetKeyState.USER32(0000002D), ref: 00420164
GetKeyState.USER32(0000000D), ref: 0042016C
GetKeyState.USER32(00000027), ref: 00420174
GetKeyState.USER32(0000002D), ref: 0042017C
GetKeyState.USER32(0000000D), ref: 00420184
GetKeyState.USER32(00000027), ref: 0042018C
GetKeyState.USER32(0000002D), ref: 00420194
GetKeyState.USER32(0000000D), ref: 0042019C
GetKeyState.USER32(00000027), ref: 004201A4
GetKeyState.USER32(0000002D), ref: 004201AC
GetKeyState.USER32(0000000D), ref: 004201B4
GetKeyState.USER32(00000027), ref: 004201BC
GetKeyState.USER32(0000002D), ref: 004201C4
GetKeyState.USER32(0000000D), ref: 004201CC
GetKeyState.USER32(00000027), ref: 004201D4
GetKeyState.USER32(0000002D), ref: 004201DC
GetKeyState.USER32(0000000D), ref: 004201E4
GetKeyState.USER32(00000027), ref: 004201EC
GetKeyState.USER32(0000002D), ref: 004201F4
GetKeyState.USER32(0000000D), ref: 004201FC
GetKeyState.USER32(00000027), ref: 00420204
GetKeyState.USER32(0000002D), ref: 0042020C
GetKeyState.USER32(0000000D), ref: 00420214
GetKeyState.USER32(00000027), ref: 0042021C
GetKeyState.USER32(0000002D), ref: 00420224
GetKeyState.USER32(0000000D), ref: 0042022C
GetKeyState.USER32(00000027), ref: 00420234
GetKeyState.USER32(0000002D), ref: 0042023C
GetKeyState.USER32(0000000D), ref: 00420244
GetKeyState.USER32(00000027), ref: 0042024C
GetKeyState.USER32(0000002D), ref: 00420254
GetKeyState.USER32(0000000D), ref: 0042025C
GetKeyState.USER32(00000027), ref: 00420264

Strings

8jI, xrefs: 00413636

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State
String ID: 8jI
API String ID: 1649606143-1160451875
Opcode ID: a7cf6cc6a3548258f1b76fee3ffd0e9e299ba3c8d8f3cf6bcf6bffa13fe37b9b
Instruction ID: ce9c991557a1b56eebb3cab7beb10fac6bac18f26e5806d98774b4e82e45148b
Opcode Fuzzy Hash: a7cf6cc6a3548258f1b76fee3ffd0e9e299ba3c8d8f3cf6bcf6bffa13fe37b9b
Instruction Fuzzy Hash: 02540375644605EBE7016BE0EE0EB587B72EB28701FB040B7F7068D9E4CAF056048B7A

Uniqueness

Uniqueness Score: -1.00%

Function 004441D1, Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 483windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004441D8
IsIconic.USER32(?), ref: 00444420
SetForegroundWindow.USER32(?), ref: 00444442
SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00444760
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 004447A2

Strings

[print(", xrefs: 0044426D
[open(", xrefs: 00444211
[printto(", xrefs: 004442C6
",", xrefs: 00444496, 0044449B, 00444573, 0044464B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$ForegroundH_prolog3IconicPostSendWindow
String ID: ","$[open("$[print("$[printto("
API String ID: 3303669223-3790869113
Opcode ID: 80bef68be650fb9280e84282c6a522f432f6bc73d9bcb1ca62a013c514ebbc57
Instruction ID: e2902cee9f32c3bc013ba18211be509e1ace9a7a8bb546de2190923f7aa83874
Opcode Fuzzy Hash: 80bef68be650fb9280e84282c6a522f432f6bc73d9bcb1ca62a013c514ebbc57
Instruction Fuzzy Hash: F912B471900148AFDB04EFB5C845FEE7BB4AF04318F04825EF556AB2D2DB789A44C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00460294, Relevance: 15.1, APIs: 10, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000046,00000000,?), ref: 004602A9
GetWindowRect.USER32(?,?), ref: 004602C1
SetRect.USER32(?,?,00000000,?,?), ref: 00460300
InvalidateRect.USER32(?,?,00000001), ref: 0046030F
SetRect.USER32(?,?,00000000,?,?), ref: 00460326
InvalidateRect.USER32(?,?,00000001), ref: 00460335
SetRect.USER32(?,00000000,?,?,?), ref: 00460365
InvalidateRect.USER32(?,?,00000001), ref: 00460370
SetRect.USER32(?,00000000,?,?,?), ref: 00460387
InvalidateRect.USER32(?,?,00000001), ref: 00460392

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Invalidate$Window$NtdllProc_
String ID:
API String ID: 1652583904-0
Opcode ID: 385edbd70a18fadcac8e3427365bb059f2ef12fc4736ae8b9c45ce590d3980c9
Instruction ID: 407d50c58f8772814aa42725c578cd41ae09de308f76131f82ece4ddd533c623
Opcode Fuzzy Hash: 385edbd70a18fadcac8e3427365bb059f2ef12fc4736ae8b9c45ce590d3980c9
Instruction Fuzzy Hash: 6A31F876900609BFDB05CFA4DD48EAA7B7CFB08300F500166FA05A65A0D770AE54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00460A0B, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00460A93
_memset.LIBCMT ref: 00460AA1
IsWindow.USER32(?), ref: 00460BEA

Strings

(, xrefs: 00460AB7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClientScreenWindow_memset
String ID: (
API String ID: 1268500159-3887548279
Opcode ID: 9c264cfe9d74ddac181c07af1802897ed3399ddf7203b5b7585d9e0927491bbc
Instruction ID: b9eba4e5dfe38d860a6c48603ff1ba58d2e8d47740a336d9b58c91b6bca696c5
Opcode Fuzzy Hash: 9c264cfe9d74ddac181c07af1802897ed3399ddf7203b5b7585d9e0927491bbc
Instruction Fuzzy Hash: 58518E31A00204DFDF20DF94C848BAFBBB5EF54718F20816BE545A7291E779AE41CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0044533D, Relevance: 12.1, APIs: 8, Instructions: 129filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044535C
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 0044539D

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

PathIsUNCA.SHLWAPI(?,?,?,00000000), ref: 004453E7
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00445405
CharUpperA.USER32(?), ref: 0044542C
FindFirstFileA.KERNEL32(?,00000000), ref: 0044543D
FindClose.KERNEL32(00000000), ref: 00445449
lstrlen.KERNEL32(?), ref: 0044545E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: a3ca3e4f46ba490d4bf42218047b70c05385d97843a3e1d4a07e7a4428fd8d89
Instruction ID: 9fd480b87422177af677c5df184a999c3b2a23cbef93fecb7cd39c195d8dd6d8
Opcode Fuzzy Hash: a3ca3e4f46ba490d4bf42218047b70c05385d97843a3e1d4a07e7a4428fd8d89
Instruction Fuzzy Hash: BA41E071900909AFEF11EFB5CC45BFF7778EF14369F10052BF815A6292EB3899408A68

Uniqueness

Uniqueness Score: -1.00%

Function 004119D0, Relevance: 9.1, APIs: 6, Instructions: 131keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(0000002D), ref: 00411B64
GetKeyState.USER32(0000000D), ref: 00411B6C
GetKeyState.USER32(00000027), ref: 00411B74
GetKeyState.USER32(0000002D), ref: 00411B7C
GetKeyState.USER32(0000000D), ref: 00411B84
GetKeyState.USER32(00000027), ref: 00411B8C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: a0d630855f57bd0dba183d0b14e6f9e263cf919d7533cf9f0de25ae1740ff256
Instruction ID: 39f5f2121012a3760903e81ce98bdd1e4f9f43fb77e1c7818f5f9896c98835f1
Opcode Fuzzy Hash: a0d630855f57bd0dba183d0b14e6f9e263cf919d7533cf9f0de25ae1740ff256
Instruction Fuzzy Hash: F6611A74A05299DFCB15CF98D9987EDBBB1AF49300F2481E6D889A7351CB306E90DF05

Uniqueness

Uniqueness Score: -1.00%

Function 004501B1, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004501BB

Part of subcall function 00433B33: _memset.LIBCMT ref: 00433B4A

_memset.LIBCMT ref: 0045020E
GetVersionExA.KERNEL32(?,00000000,00000000,00000018), ref: 00450223
_malloc.LIBCMT ref: 0045024C
_memset.LIBCMT ref: 00450263

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog3_Version_malloc
String ID:
API String ID: 1339555267-0
Opcode ID: 69cf650f30b1e326ce7667bd405f13ea108f636098e4f13d8d2fcc6a7a661fd6
Instruction ID: ec0a2ee4913b40cae3b6d9970be1092a5b2fee2543df5665aa0a86f91605c092
Opcode Fuzzy Hash: 69cf650f30b1e326ce7667bd405f13ea108f636098e4f13d8d2fcc6a7a661fd6
Instruction Fuzzy Hash: E2517EB4A00B04DFDB21DF69C980A9ABBF0BF09314F04469EE99997352D778E944CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004287DB, Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

GetKeyState.USER32(00000010), ref: 004287FF
GetKeyState.USER32(00000011), ref: 00428808
GetKeyState.USER32(00000012), ref: 00428811
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00428827

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 5b8e3f685b6b59abe6575c02f6bd7dba42368099a46bf636015f779bc30236cc
Instruction ID: 1689506f9572f9775f11dcbf7e0cb78577e3d374c0b22e172c5a070582ce35b6
Opcode Fuzzy Hash: 5b8e3f685b6b59abe6575c02f6bd7dba42368099a46bf636015f779bc30236cc
Instruction Fuzzy Hash: 9AF0E932BC22AA15E61032756C41FAD80545F60BCAFD1153FA641EA1D1CFA88C028279

Uniqueness

Uniqueness Score: -1.00%

Function 0045436A, Relevance: 4.6, APIs: 3, Instructions: 125stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 0045439F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 4e9330202cb4b3a8e3a1d79174e3071f48a93d3bb4b09bd07b5be158f63a4a35
Instruction ID: 371db06cd75d5740fa58b6eeb0ea53adc36e3429a991514e8f44e2a98576a3f0
Opcode Fuzzy Hash: 4e9330202cb4b3a8e3a1d79174e3071f48a93d3bb4b09bd07b5be158f63a4a35
Instruction Fuzzy Hash: 66417F715007049FD730DF65C880AABB7F8BF59315B10892EE89ACB652E734E588CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0048E259, Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 0048E26C
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 0048E27E
GetACP.KERNEL32 ref: 0048E2A7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 964362f101c2ee65f878e861e04b5754c1f7e349172afa95bc92bc0fd065ffda
Instruction ID: c1e2cc09f883cee6145a9ddd52c79846e5d0f2851db043eb5a73f264d44562fc
Opcode Fuzzy Hash: 964362f101c2ee65f878e861e04b5754c1f7e349172afa95bc92bc0fd065ffda
Instruction Fuzzy Hash: 9EF0F631E002685BD726AF7599156EFB7E8AF05B45B1041BEED42E7340D6386E0887CC

Uniqueness

Uniqueness Score: -1.00%

Function 00425251, Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d56348a6f85e24538f699c0b4319066e5ce1a8e85230057a2dcd133df63bc7b
Instruction ID: 1ef3d081958c2bd474a59e898b8eac2f1dd1a82fa4f48a2636387601cccfa3ea
Opcode Fuzzy Hash: 3d56348a6f85e24538f699c0b4319066e5ce1a8e85230057a2dcd133df63bc7b
Instruction Fuzzy Hash: C9F03131704919EBDF02AF61EC04BAE3B7DAF14344F9480A6FC16D41A0DB38CA159F69

Uniqueness

Uniqueness Score: -1.00%

Function 0043824F, Relevance: 4.5, APIs: 3, Instructions: 27keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00438273
GetKeyState.USER32(00000011), ref: 0043827C
GetKeyState.USER32(00000012), ref: 00438285

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: a3aeb2acdd37f40b0ad83d311b6c7549f6f0968427398304e6b7742f7e8af769
Instruction ID: 7edf86adf5dde4801733c4db44079f77ce05b16e6d42a46fa5bfa5fed573430f
Opcode Fuzzy Hash: a3aeb2acdd37f40b0ad83d311b6c7549f6f0968427398304e6b7742f7e8af769
Instruction Fuzzy Hash: ACE09234540B5599DF009352A900FA7A7505B18784F11A4FFBBC4B6050CFAC89629769

Uniqueness

Uniqueness Score: -1.00%

Function 00425BDB, Relevance: 3.0, APIs: 2, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00425C02
CallWindowProcA.USER32(?,?,?,?,?), ref: 00425C17

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$CallNtdllProcProc_
String ID:
API String ID: 1646280189-0
Opcode ID: 7d1059909db2392f82c03ed35cacae69d0da46d86bdddc6fabe0bbc51d1e19e0
Instruction ID: ed79c863324d0622d8927af402c108c6cbd5a9cf1f1be454d96c4b215b5ef0a2
Opcode Fuzzy Hash: 7d1059909db2392f82c03ed35cacae69d0da46d86bdddc6fabe0bbc51d1e19e0
Instruction Fuzzy Hash: 38F0C936200619FFCF129FA5EC04DAA7BB9FF18351B54846AFA4986530E732D920EF54

Uniqueness

Uniqueness Score: -1.00%

Function 0048211A, Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0048211A
EnumSystemLocalesA.KERNEL32(Function_00081D80,00000001), ref: 00482132

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: 7e644580d8679c588eaa46614716530c55cf2d8c0665f979eba3847f635449a2
Instruction ID: 8fb02a84694708e162a1ad32fce527be54a861cac3eda82ea0280981334199eb
Opcode Fuzzy Hash: 7e644580d8679c588eaa46614716530c55cf2d8c0665f979eba3847f635449a2
Instruction Fuzzy Hash: C9D023B09107050AE710AF35C50D33677D0E720F09F708D5FD946C04D0D3BC90448704

Uniqueness

Uniqueness Score: -1.00%

Function 00470940, Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 0047094E

Part of subcall function 0046C447: TlsGetValue.KERNEL32(00000000,00474B2F,004651E5,8007000E,?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C454
Part of subcall function 0046C447: TlsGetValue.KERNEL32(00000006,?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C46B

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00470955

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 99c8d07b8bbb5ab6c6bc5baaa8cca4560a10269d6f3c57f3468e57544f22f57e
Instruction ID: d31c6062f9496b5a7b6fb9d17f3332287f85f33387f7ba152ccc232f4bec90db
Opcode Fuzzy Hash: 99c8d07b8bbb5ab6c6bc5baaa8cca4560a10269d6f3c57f3468e57544f22f57e
Instruction Fuzzy Hash: BBC08CC48083C00FC7829779588E3A83A009731204F6498BF914084242EA6C4880823B

Uniqueness

Uniqueness Score: -1.00%

Function 00431760, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

CreateBindCtx.OLE32(00000000,?), ref: 0043179D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: BindCreate
String ID:
API String ID: 170202629-0
Opcode ID: 7038fda4f160b9fa8a6aa7fb39885de1b001e1abd068da6acc36e6e07929a094
Instruction ID: 9a8261bf783bb225d9a0e548f9324dc546bc139634d3933e41f841ad61a1cb1f
Opcode Fuzzy Hash: 7038fda4f160b9fa8a6aa7fb39885de1b001e1abd068da6acc36e6e07929a094
Instruction Fuzzy Hash: 5511FB75900219BBDF11AFA1C88589FBBBCAF48744F14946BF801D6221E738DA41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00428BEF, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d292b4c49064c5daa8db42e98b39392f960e1e0bc49ce33bfed65c2f1db7bd2
Instruction ID: 6bbce99adb526f2c20b2f504c5b5c7a0378f808d066eca3bc8cfd2efb6bcb4d8
Opcode Fuzzy Hash: 0d292b4c49064c5daa8db42e98b39392f960e1e0bc49ce33bfed65c2f1db7bd2
Instruction Fuzzy Hash: 30F0FE32503529FB8F125E92AD058AF3B69EF18351B40841AB91551011CB398521AB79

Uniqueness

Uniqueness Score: -1.00%

Function 004684EB, Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 35e17616aebe805ea179e47a0e5523b8b8815d65615be2100b2eee5145f064bd
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: CAD17F73C0E9B30A8B35812D446813BEB626FD174532FC3E69CD82F389EA2A5D04D5D5

Uniqueness

Uniqueness Score: -1.00%

Function 004680CB, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 3375bfa68a3598cf0ad3be209be4ced970c2eb0a4b5867a85b7ff75c42070196
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: BCD15D73C0E9B30A8735822D446812BEB626FD1B5431EC3E79CD82F389EA2B5D05D6D5

Uniqueness

Uniqueness Score: -1.00%

Function 00411960, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Uniqueness

Uniqueness Score: -1.00%

Function 0046C833, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00465733), ref: 0046C839
__mtterm.LIBCMT ref: 0046C845

Part of subcall function 0046C511: __decode_pointer.LIBCMT ref: 0046C522
Part of subcall function 0046C511: TlsFree.KERNEL32(00000020,0046C9B2), ref: 0046C53C
Part of subcall function 0046C511: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00473786
Part of subcall function 0046C511: RtlDeleteCriticalSection.NTDLL(00000020), ref: 004737B0

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0046C85B
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0046C868
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0046C875
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0046C882
TlsAlloc.KERNEL32 ref: 0046C8D2
TlsSetValue.KERNEL32(00000000), ref: 0046C8ED
__init_pointers.LIBCMT ref: 0046C8F7
__encode_pointer.LIBCMT ref: 0046C902
__encode_pointer.LIBCMT ref: 0046C912
__encode_pointer.LIBCMT ref: 0046C922
__encode_pointer.LIBCMT ref: 0046C932
__decode_pointer.LIBCMT ref: 0046C953
__calloc_crt.LIBCMT ref: 0046C96C
__decode_pointer.LIBCMT ref: 0046C986
GetCurrentThreadId.KERNEL32 ref: 0046C99C

Strings

FlsSetValue, xrefs: 0046C86A
KERNEL32.DLL, xrefs: 0046C834
FlsFree, xrefs: 0046C877
FlsAlloc, xrefs: 0046C855
FlsGetValue, xrefs: 0046C85D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: cc987a725c7217b5e88bf44882643ca9310309a22009201fc3ef92901727ecdd
Instruction ID: 108d55eeb68c76d73187b598e6b5e0125aa603bccc3315bb4007dfc3ef088b44
Opcode Fuzzy Hash: cc987a725c7217b5e88bf44882643ca9310309a22009201fc3ef92901727ecdd
Instruction Fuzzy Hash: 353184B19007219BDB21BF76AC45A263BA5AB14355B20473BE950D32B0FB7C8C51CB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0042A331, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042A33B

Part of subcall function 0043B004: __EH_prolog3.LIBCMT ref: 0043B00B

CallNextHookEx.USER32(?,?,?,?), ref: 0042A37F

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

GetClassLongA.USER32(?,000000E6), ref: 0042A3C3
GlobalGetAtomNameA.KERNEL32 ref: 0042A3ED
SetWindowLongA.USER32(?,000000FC,Function_00028BEF), ref: 0042A442
_memset.LIBCMT ref: 0042A48C
GetClassLongA.USER32(?,000000E0), ref: 0042A4BC
GetClassNameA.USER32(?,?,00000100), ref: 0042A4DD
GetWindowLongA.USER32(?,000000FC), ref: 0042A501
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A51B
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 0042A526
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A52E
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 0042A536
SetWindowLongA.USER32(?,000000FC,Function_0002A1ED), ref: 0042A544
CallNextHookEx.USER32(?,00000003,?,?), ref: 0042A55C
UnhookWindowsHookEx.USER32(?), ref: 0042A570

Strings

ime, xrefs: 0042A3F6
AfxOldWndProc423, xrefs: 0042A514, 0042A519, 0042A524, 0042A52C, 0042A535
#32768, xrefs: 0042A49E, 0042A4A3, 0042A4ED

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 73982f17cc36d2f013fe1e905a3d4d504a4f4abae111ffd8d770bfa0b9a947d7
Instruction ID: 499761b1f5bf5645989e73fd14c2c6e9b9c300b16c1c6bc20af451b6293831c7
Opcode Fuzzy Hash: 73982f17cc36d2f013fe1e905a3d4d504a4f4abae111ffd8d770bfa0b9a947d7
Instruction Fuzzy Hash: E3610A71600235AFCB21AF61EC09BAF7B78EF14325F500166FA05A6291C778DE91CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00425072, Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,77435D80,0042525C,?,?,?,?,?,?,?,00427C92,00000000,00000002,00000028), ref: 0042509B
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 004250B7
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004250C8
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004250D9
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004250EA
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004250FB
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042510C
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0042511D

Strings

MonitorFromPoint, xrefs: 004250E4
MonitorFromRect, xrefs: 004250D3
EnumDisplayMonitors, xrefs: 004250F5
GetMonitorInfoA, xrefs: 00425106
EnumDisplayDevicesA, xrefs: 00425117
GetSystemMetrics, xrefs: 004250B1
MonitorFromWindow, xrefs: 004250C2
USER32, xrefs: 00425091

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: e2154b68cb233d54c8caff03e05dc560ec79ae28466e51d556e1154457b11b7d
Instruction ID: ffe40eb1cbd5fb4a2ca738016bab18726784d3ed504dcb75a5c22f4bddda467f
Opcode Fuzzy Hash: e2154b68cb233d54c8caff03e05dc560ec79ae28466e51d556e1154457b11b7d
Instruction Fuzzy Hash: 89214D71E14A61AF87119F2ABCC067AFEEAB25D7507A40A3FD008D2654DF384442DFAC

Uniqueness

Uniqueness Score: -1.00%

Function 00440F24, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

72E6AC50.USER32(00000000), ref: 00440F45
_memset.LIBCMT ref: 00440F56
MulDiv.KERNEL32(?,00000000), ref: 00440F77
_wctomb_s.LIBCMT ref: 00440F92

Part of subcall function 00468A98: __mbsnbcpy_s_l.LIBCMT ref: 00468AAA

CreateFontIndirectA.GDI32(?), ref: 00440FA4
SelectObject.GDI32(?,00000000), ref: 00440FBB
GetTextMetricsA.GDI32(?,?), ref: 00440FCA
GetTextExtentPoint32A.GDI32(?,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 00440FED
SelectObject.GDI32(?,?), ref: 00441008
DeleteObject.GDI32(?), ref: 0044100D
GetDialogBaseUnits.USER32 ref: 0044101E
GetDialogBaseUnits.USER32 ref: 00441026
MulDiv.KERNEL32(?,?,00000004), ref: 00441040
MulDiv.KERNEL32(?,00000000,00000008), ref: 0044104A

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00440FE5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Object$BaseDialogSelectTextUnits$CreateDeleteExtentFontIndirectMetricsPoint32__mbsnbcpy_s_l_memset_wctomb_s
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 2576797865-222967699
Opcode ID: 5f7890fdb32187aa4fdf184288fcaa5acbcf61e538a8a84a241e27f5dd8a2801
Instruction ID: af69376edf1d57f5b4c1cf39a60d978919f2815a4b72c8698fd36576ee7d6c56
Opcode Fuzzy Hash: 5f7890fdb32187aa4fdf184288fcaa5acbcf61e538a8a84a241e27f5dd8a2801
Instruction Fuzzy Hash: D14136B1D00208AFDF11DFE5DC46B9EBBB8FF18705F20006AF605A62A1DA75AA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00461D37, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 98registrystringCOMMON

Download Yara Rule

APIs

RegSetValueA.ADVAPI32(?,Insertable,00000001,00496010,00000000), ref: 00461D63
RegSetValueA.ADVAPI32(?,Insertable,00000001,00496010,00000000), ref: 00461D71
RegDeleteValueA.ADVAPI32(?,Insertable), ref: 00461D89
RegDeleteValueA.ADVAPI32(?,Insertable), ref: 00461D8F
RegOpenKeyExA.ADVAPI32(?,InprocServer32,00000000,00020006,?), ref: 00461DD4
lstrlen.KERNEL32(00000000), ref: 00461DE4
RegSetValueExA.ADVAPI32(?,ThreadingModel,00000000,00000001,00000000,00000001), ref: 00461DF9
RegCloseKey.ADVAPI32(?), ref: 00461E09

Strings

ThreadingModel, xrefs: 00461DF1
Apartment, xrefs: 00461DA3
InprocServer32, xrefs: 00461DCC
Free, xrefs: 00461DAC
Both, xrefs: 00461DB8
Insertable, xrefs: 00461D48, 00461D5F, 00461D6D, 00461D85, 00461D8B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Value$Delete$CloseOpenlstrlen
String ID: Apartment$Both$Free$InprocServer32$Insertable$ThreadingModel
API String ID: 46240047-3148118246
Opcode ID: 32f0530586aa9b430962d5b506d48ef4f3d6dc53f9791d59474d94385542a030
Instruction ID: 1d1490edf1fa267366dd4877aba5a694ad6d3987d93f5939f80e7cf4f0fd5c49
Opcode Fuzzy Hash: 32f0530586aa9b430962d5b506d48ef4f3d6dc53f9791d59474d94385542a030
Instruction Fuzzy Hash: 1921D131A00314BBDF214F64DC85FBB7A68DB15B54F184036FE01AA270D379AC1187AD

Uniqueness

Uniqueness Score: -1.00%

Function 00441507, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 127registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 0044156B
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 00441577
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 00441583
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 0044158F
RegisterClipboardFormatA.USER32(commdlg_help), ref: 0044159B
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 004415A7

Strings

commdlg_help, xrefs: 00441591
commdlg_FileNameOK, xrefs: 00441579
commdlg_ShareViolation, xrefs: 0044156D
commdlg_LBSelChangedNotify, xrefs: 00441566
commdlg_SetRGBColor, xrefs: 0044159D
commdlg_ColorOK, xrefs: 00441585

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClipboardFormatRegister
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 1228543026-3888057576
Opcode ID: b23e90fa72e3b04a5c9403be8bdf332f91b28985ca118a3f77cde2b1b41d9977
Instruction ID: d3e3c26ab3377bf5ea8eb2cb56fb2ec01005344bfb4928f0534c6f5a5c65daaf
Opcode Fuzzy Hash: b23e90fa72e3b04a5c9403be8bdf332f91b28985ca118a3f77cde2b1b41d9977
Instruction Fuzzy Hash: B141C631A40214AFEF32AF29DC88AAA3BA0EB45344B15042BE90547360D739DC91CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043DAF5, Relevance: 21.2, APIs: 14, Instructions: 205COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0043DAFC
SafeArrayGetDim.OLEAUT32(?), ref: 0043DB1D
SafeArrayGetDim.OLEAUT32(00000000), ref: 0043DB27

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ArraySafe$H_prolog3_catch
String ID:
API String ID: 4271779948-0
Opcode ID: b2d35a14504d8dcb8219f7512794f077aeeb22b642a3e628b8e171fa70ce744c
Instruction ID: 706477791aa5022ea6659f13f8f902d320c9eb0c9b9d845f466ac7d0905fac32
Opcode Fuzzy Hash: b2d35a14504d8dcb8219f7512794f077aeeb22b642a3e628b8e171fa70ce744c
Instruction Fuzzy Hash: 58616EB2E00118AFCF15AFB5EC458AEBFB5EF48350F10452BF405E72A0DA799940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401760, Relevance: 21.2, APIs: 14, Instructions: 185windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 0040178D
DrawFrameControl.USER32(?,?,00000004,00002010), ref: 004017E4
OffsetRect.USER32(?,00000001,00000001), ref: 004017FA
DrawFocusRect.USER32(?,?), ref: 0040182E
GetSystemMetrics.USER32(0000002E), ref: 00401836
GetSystemMetrics.USER32(0000002D), ref: 00401841
InflateRect.USER32(?,?,?), ref: 0040185A
GetSystemMetrics.USER32(0000002D), ref: 00401868
GetSysColor.USER32(00000011), ref: 004018AD
GetSystemMetrics.USER32(0000002D), ref: 004018D7
DrawEdge.USER32(?,?,00000006,00000004), ref: 004018F9
GetSystemMetrics.USER32(0000002D), ref: 00401901
GetStockObject.GDI32(00000004), ref: 0040194D
FrameRect.USER32(?,?,00000000), ref: 0040195F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsRectSystem$Draw$Frame$ColorControlCopyEdgeFocusInflateObjectOffsetStock
String ID:
API String ID: 894214792-0
Opcode ID: 2b82d64be3daede9bb63e9214587e6ad94b6cae51adfb87e32737d05465f3f34
Instruction ID: a7e17e1e9a6d9672e54fce63551d19440a9f99b615a5b9accd090a2f984a22e0
Opcode Fuzzy Hash: 2b82d64be3daede9bb63e9214587e6ad94b6cae51adfb87e32737d05465f3f34
Instruction Fuzzy Hash: 187107B5E00609DFDB04DFE8C985AEEBBB5FF48300F14826AE515BB290D770A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042E0B7, Relevance: 19.7, APIs: 13, Instructions: 231windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042E0BE

Part of subcall function 0042DE24: CreateRectRgnIndirect.GDI32(?), ref: 0042DE2B

CopyRect.USER32(?,?), ref: 0042E0F7
InflateRect.USER32(?,?,?), ref: 0042E10D
IntersectRect.USER32(?,?,?), ref: 0042E11B
CreateRectRgnIndirect.GDI32(?), ref: 0042E125
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E138

Part of subcall function 0042DE58: CombineRgn.GDI32(?,?,00000002,?), ref: 0042DE7B

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E1A4
CopyRect.USER32(?,?), ref: 0042E1C1
InflateRect.USER32(?,?,?), ref: 0042E1D7
IntersectRect.USER32(?,?,?), ref: 0042E1E5
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E21B

Part of subcall function 0042E014: CreatePatternBrush.GDI32(00000000), ref: 0042E067
Part of subcall function 0042E014: DeleteObject.GDI32(00000000), ref: 0042E073

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0042E290

Part of subcall function 0042F90A: SelectObject.GDI32(?,00000000), ref: 0042F92C
Part of subcall function 0042F90A: SelectObject.GDI32(?,?), ref: 0042F942

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0042E2E3

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BrushCombineDeleteH_prolog3Pattern
String ID:
API String ID: 1603051353-0
Opcode ID: aa68fd6fd8ef8442c081ef009ed5e14ffa9a24ab2af976772d0b64a42f5b89e0
Instruction ID: c149187e7549750f4c2a0f0e379a0031e31000bc3c02936a9b7c84e8d2a2376e
Opcode Fuzzy Hash: aa68fd6fd8ef8442c081ef009ed5e14ffa9a24ab2af976772d0b64a42f5b89e0
Instruction Fuzzy Hash: 17912771A0011DEFCF01EFA5D9859EEBBB8BF18304F90416AF505A7250DB38AE05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0045455E, Relevance: 18.1, APIs: 12, Instructions: 121filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 00454572
GetLastError.KERNEL32(?), ref: 00454589
SetFileAttributesA.KERNEL32(?,?), ref: 004545A7
GetLastError.KERNEL32(?), ref: 004545B4
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 0045461E
GetLastError.KERNEL32(?), ref: 0045462E
SetFileTime.KERNEL32(00000000,?,?,?), ref: 00454641
GetLastError.KERNEL32(?), ref: 0045464E
CloseHandle.KERNEL32(00000000), ref: 00454657
GetLastError.KERNEL32(?), ref: 00454664
SetFileAttributesA.KERNEL32(?,?), ref: 0045467F
GetLastError.KERNEL32(?), ref: 0045468C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: c3ea9bbbf0563371f2a04e578cf53339922c218aed8040f2efd7e5ff1f779a26
Instruction ID: 867b42768f93d0b9de139925877ef4b9d275edb4965efe40d64b1a4efea75cc0
Opcode Fuzzy Hash: c3ea9bbbf0563371f2a04e578cf53339922c218aed8040f2efd7e5ff1f779a26
Instruction Fuzzy Hash: D4418371900208BBCB21AFA1DD44E9F7FB8EF44319F10446AF8159A152D738AA84DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043895B, Relevance: 18.1, APIs: 12, Instructions: 91synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00438979
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00438997
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004389A1
ResumeThread.KERNEL32(00000000), ref: 004389E3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004389EE
CloseHandle.KERNEL32(?), ref: 004389F7
SuspendThread.KERNEL32(?), ref: 00438A02
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438A12
CloseHandle.KERNEL32(?), ref: 00438A1B
CloseHandle.KERNEL32(?), ref: 00438A3D

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

SetEvent.KERNEL32(00000004), ref: 00438A25

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseEventHandle$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrow_memset
String ID:
API String ID: 3191170017-0
Opcode ID: 158ca5004ddaef708d49a8141608c5f5ac12df98952062f2318c0635b93235dd
Instruction ID: 3df54c299e2a8959ccddf9cd7138dff9481e620c7e17a7261587a52ee9fce332
Opcode Fuzzy Hash: 158ca5004ddaef708d49a8141608c5f5ac12df98952062f2318c0635b93235dd
Instruction Fuzzy Hash: 18313C71C00709BFCB11AFA5DC809AEFBB8AB18354F24913FF515A2160DA7599418F54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A270, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 346windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F61B: __EH_prolog3.LIBCMT ref: 0042F622
Part of subcall function 0042F61B: BeginPaint.USER32(?,?,00000004,00403460,?,FBEF3A85), ref: 0042F64E

GetClientRect.USER32(?,?), ref: 0040A2E3
DNameNode::DNameNode.LIBCMTD ref: 0040A2EF
IsWindowVisible.USER32(?), ref: 0040A37C
72E6AC50.USER32(?), ref: 0040A416
GetSysColor.USER32(0000000F), ref: 0040A575
CreateRectRgn.GDI32(?,?,?,?), ref: 0040A66E
IsWindowVisible.USER32(?), ref: 0040A6EB
InvalidateRect.USER32(?,00000000,00000001), ref: 0040A7FA

Strings

0iI, xrefs: 0040A484, 0040A48F
iI, xrefs: 0040A675, 0040A67D, 0040A680

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$NameVisibleWindow$BeginClientColorCreateH_prolog3InvalidateNodeNode::Paint
String ID: iI$0iI
API String ID: 413417237-2563602027
Opcode ID: 9c1d4b3049e3f64c9fa34d9531d395eea1db47531d43e858c534a295e4a15de2
Instruction ID: a5f2e8ce51b53b4e0e2fd97db3d16e67a1ecd7d8008d5d169ef1374511310b9a
Opcode Fuzzy Hash: 9c1d4b3049e3f64c9fa34d9531d395eea1db47531d43e858c534a295e4a15de2
Instruction Fuzzy Hash: FF023270A01228DFDB24DB55CC94BDAB7B5BF49304F1081EAE50DAB291CB74AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004361D2, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 004361DF
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 00436200
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 00436212
GetProcAddress.KERNEL32(ActivateActCtx), ref: 00436224
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 00436236

Strings

ReleaseActCtx, xrefs: 00436202
CreateActCtxW, xrefs: 004361FA
DeactivateActCtx, xrefs: 00436226
ActivateActCtx, xrefs: 00436214
KERNEL32, xrefs: 004361DA

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 169955e2fa58e1b057438599d254ba8111878c595b0cf4ff5b710bbd0ea05eae
Instruction ID: a8738d942849b9358f56c854035916489acea440a0dfff84b8e6a3f67ccc025b
Opcode Fuzzy Hash: 169955e2fa58e1b057438599d254ba8111878c595b0cf4ff5b710bbd0ea05eae
Instruction Fuzzy Hash: 8EF0F870D55324BFCF19EF7DAC19A863EA4EA157003208ABBAB04D2371DBB848408F4D

Uniqueness

Uniqueness Score: -1.00%

Function 0043423D, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00434244
FindResourceA.KERNEL32(?,?,00000005), ref: 00434277
LoadResource.KERNEL32(?,00000000), ref: 0043427F
LockResource.KERNEL32(628467F9,00000024,00420938,00000000), ref: 00434290
GetDesktopWindow.USER32 ref: 004342C3
IsWindowEnabled.USER32(00000000), ref: 004342D1
EnableWindow.USER32(00000000,00000000), ref: 004342E0

Part of subcall function 0042D216: IsWindowEnabled.USER32(?), ref: 0042D21F

Part of subcall function 0042D231: EnableWindow.USER32(?,00000000), ref: 0042D23E

EnableWindow.USER32(00000000,00000001), ref: 004343BC
GetActiveWindow.USER32 ref: 004343C7
SetActiveWindow.USER32(00000000,?,00000024,00420938,00000000), ref: 004343D5
FreeResource.KERNEL32(628467F9,?,00000024,00420938,00000000), ref: 004343F1

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: ba77e99a7422cc0034ba54e50669e459d15d1efcdfdf9e9cfe03b78629492daf
Instruction ID: c9ebe7ec55a414e5fca565b3692fdaa7cdb2652bd7f2073380e5c2447dd9846e
Opcode Fuzzy Hash: ba77e99a7422cc0034ba54e50669e459d15d1efcdfdf9e9cfe03b78629492daf
Instruction Fuzzy Hash: 0551A030B00705DBCF21AFA5D8456AEBAB1BF88715F60103FE501B72A1CB785D41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00424070, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 284stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 004240F2
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,00000400,?,?,00000002), ref: 004241F7
CharUpperA.USER32(?,00000400,?,?,00000002), ref: 00424234
lstrlen.KERNEL32(00000000,?,00000002), ref: 00424259
MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000400,?,00000400,00000002,00000400,?,00000002), ref: 00424374
_wcscpy_s.LIBCMT ref: 004243D4

Strings

W, xrefs: 00424143
W, xrefs: 004242AA
P, xrefs: 004243EE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Char$ByteMultiWidelstrlen$Upper_wcscpy_s
String ID: P$W$W
API String ID: 35703797-3161791867
Opcode ID: 978f81365cd5560f42e0942264eeb1a124de45c093bb828ee0927418b0489d08
Instruction ID: 3c6f67d8651cea7fbb7bcecd28b7f34013ed8dfd131e73d639f2fd49a219a0cf
Opcode Fuzzy Hash: 978f81365cd5560f42e0942264eeb1a124de45c093bb828ee0927418b0489d08
Instruction Fuzzy Hash: 8DD12AB0E00228DFDF24DF95D844BAEB7B1FF88314F60819AE519A7280C7785A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00438B45, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 213COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004439EC

Strings

command, xrefs: 00443A42, 00443B5F, 00443B7C, 00443B99
%s\DefaultIcon, xrefs: 00443AD0
ddeexec, xrefs: 00443B00, 00443B21, 00443B42
%s\ShellNew, xrefs: 00443C19
%s\shell\printto\%s, xrefs: 00443A3D, 00443B4D, 00443BA0
%s\shell\print\%s, xrefs: 00443B2C, 00443B83
%s\shell\open\%s, xrefs: 00443B0B, 00443B66

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
API String ID: 431132790-556638191
Opcode ID: 397a9a7599293b970c99356f0e7275dcb816d109b19acfde9548aa15e2af0633
Instruction ID: c1b3633533f799b49148b0f5e204fe9d2727ccd4a7bd006f10eaa4bbb3daefc8
Opcode Fuzzy Hash: 397a9a7599293b970c99356f0e7275dcb816d109b19acfde9548aa15e2af0633
Instruction Fuzzy Hash: 59819C7190010AABDF05EBA5CC46EFFBB75AF14319F14051EF111B22E2EB395A40CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1ED, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042A1F4
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A203
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0042A25D

Part of subcall function 00428A86: GetWindowRect.USER32(?,10000000), ref: 00428AAE
Part of subcall function 00428A86: GetWindow.USER32(?,00000004), ref: 00428ACB

SetWindowLongA.USER32(?,000000FC,?), ref: 0042A284
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0042A28C
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0042A293
GlobalDeleteAtom.KERNEL32(00000000), ref: 0042A29A

Part of subcall function 00426B29: GetWindowRect.USER32(?,00000000), ref: 00426B35

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0042A2EE

Strings

AfxOldWndProc423, xrefs: 0042A1FC, 0042A201, 0042A28A, 0042A292

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 6459d67e17c8a170ac8695b4defba54b38b17e9b686a0a0181cb5a68e01b1634
Instruction ID: f1cd393b2c9c9304a29548e6a6e91f8cc26ee96e069cdfd14c527dffd22137c8
Opcode Fuzzy Hash: 6459d67e17c8a170ac8695b4defba54b38b17e9b686a0a0181cb5a68e01b1634
Instruction Fuzzy Hash: 2A318272901529EBCF02AFE5ED49DBF7A78EF15310F90006BF901A5151CB398A20DB7A

Uniqueness

Uniqueness Score: -1.00%

Function 004450B3, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 004450FB
RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044510F
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 0044512A
RegQueryValueExA.ADVAPI32(?,00496010,00000000,?,?,?), ref: 00445144
RegCloseKey.ADVAPI32(?), ref: 00445154
RegCloseKey.ADVAPI32(?), ref: 00445159
RegCloseKey.ADVAPI32(?), ref: 0044515E

Strings

InProcServer32, xrefs: 0044511F
CLSID, xrefs: 004450E5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: fa319ead1085453ed253635d2aead1f89f0e0db68a0d192ccde558eefaeff1e3
Instruction ID: 9137ee7421db8fd18b301a2ad8a68994b8624a1053db23c369b42424d017b88e
Opcode Fuzzy Hash: fa319ead1085453ed253635d2aead1f89f0e0db68a0d192ccde558eefaeff1e3
Instruction Fuzzy Hash: 03214772900129BBDF11AF95CC80DAEBF79EF447A0B114266F904A6260D7358B11DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004450C3, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 004450FB
RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044510F
RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 0044512A
RegQueryValueExA.ADVAPI32(?,00496010,00000000,?,?,?), ref: 00445144
RegCloseKey.ADVAPI32(?), ref: 00445154
RegCloseKey.ADVAPI32(?), ref: 00445159
RegCloseKey.ADVAPI32(?), ref: 0044515E

Strings

InProcServer32, xrefs: 0044511F
CLSID, xrefs: 004450E5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpen$QueryValue
String ID: CLSID$InProcServer32
API String ID: 3523390698-323508013
Opcode ID: 303435b0dd5df502bc398e087a941d59f6a3e0e20f7e1a2fb25f0b450bb85219
Instruction ID: e7a4f80baadd1649b035570b6dbad89dcb4f7606636439c04271f56dec4ff5ec
Opcode Fuzzy Hash: 303435b0dd5df502bc398e087a941d59f6a3e0e20f7e1a2fb25f0b450bb85219
Instruction Fuzzy Hash: 4211597290011CBBDF11EF99CC80DAEBF79EF447A0B114126F904A6260D7358F11DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0046C54E, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,004AFD30,0000000C,0046C660,00000000,00000000,?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C55F
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0046C588
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0046C598
InterlockedIncrement.KERNEL32(004B6290), ref: 0046C5BA
__lock.LIBCMT ref: 0046C5C2
___addlocaleref.LIBCMT ref: 0046C5E1

Strings

DecodePointer, xrefs: 0046C590
KERNEL32.DLL, xrefs: 0046C55A
EncodePointer, xrefs: 0046C57C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: a3110f36c8834da6c2413e0d0f0afb2cbdd0e05e989669e300dc8c9146871146
Instruction ID: 792b06a3d80afc4c73e10b188a7f336fb8bb5b6ecec27aca7ba1407ae78f8da5
Opcode Fuzzy Hash: a3110f36c8834da6c2413e0d0f0afb2cbdd0e05e989669e300dc8c9146871146
Instruction Fuzzy Hash: 141151B0900B019FD720EF76D845B5ABBE0AF14304F10492FE59A96390D7B8A9408F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0045066A, Relevance: 15.2, APIs: 10, Instructions: 224COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450689
__mbsinc.LIBCMT ref: 004506E7
__mbsinc.LIBCMT ref: 004506F6
__mbsinc.LIBCMT ref: 0045072C
__mbsinc.LIBCMT ref: 0045077B
__mbsinc.LIBCMT ref: 004507C9
__splitpath_s.LIBCMT ref: 004507FF
__splitpath_s.LIBCMT ref: 0045084B
__makepath_s.LIBCMT ref: 0045088A
_strcpy_s.LIBCMT ref: 004508A9

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __mbsinc$__splitpath_s$H_prolog3__makepath_s_strcpy_s
String ID:
API String ID: 545433585-0
Opcode ID: fc881cb3137b76310346386a42b85b12935baa44db866bba5500a1f336251b9c
Instruction ID: 9add3b73befbe0644d13e2e6a8bb9cd025d9c8afa47b86a934318b5e7d6fbc65
Opcode Fuzzy Hash: fc881cb3137b76310346386a42b85b12935baa44db866bba5500a1f336251b9c
Instruction Fuzzy Hash: 7081C4B59001499FDB15EFA4C891FEE77B8AF09314F14015EF901A7282D738AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00432345, Relevance: 15.2, APIs: 10, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432364
GetMenuItemCount.USER32(?), ref: 0043238A
GetSubMenu.USER32(?,?), ref: 004323BD
GetMenuState.USER32(?,?,00000400), ref: 004323CD
GetSubMenu.USER32(?,?), ref: 0043242B
GetMenuStringA.USER32(?,?,00000000,00000100,00000400), ref: 00432444
AppendMenuA.USER32(00000000,00000010,00000000,?), ref: 00432499
GetMenuItemCount.USER32(00000000), ref: 004324CC
GetMenuItemID.USER32(?,?), ref: 004324F6
InsertMenuA.USER32(?,?,00000000,00000000), ref: 00432506

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$AppendH_prolog3InsertStateString
String ID:
API String ID: 915444591-0
Opcode ID: 3b6f262ffa35d775a6a71c9e49e5d60e03f93ad9a811f74e27f12fc7ecde7cbc
Instruction ID: 5cda6fe1ebb2a8f0457b82e3c4450cdc0e07c22664c3669c9d3d3987056659dd
Opcode Fuzzy Hash: 3b6f262ffa35d775a6a71c9e49e5d60e03f93ad9a811f74e27f12fc7ecde7cbc
Instruction Fuzzy Hash: 0E615771900219EFCF25DF94DD85AEEBBB1FF18314F50402AE905A62A0D7785A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00430584, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043058B
GetObjectA.GDI32(00000003,00000018,?), ref: 004305FB

Part of subcall function 0042F7D9: CreatePatternBrush.GDI32(?), ref: 0042F7E8

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 00430686

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

FillRect.USER32(00000003,?,?), ref: 00430724

Strings

0iI, xrefs: 004307C2, 0043061F, 00430627, 00430633, 00430649, 0043062A
\I, xrefs: 004307B3, 0043062B
0iI, xrefs: 004306E4
wB, xrefs: 00430592

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ColorObject$BrushCreateFillH_prolog3PatternPixelRectSelect
String ID: 0iI$0iI$wB$\I
API String ID: 3860601836-2140233288
Opcode ID: 8067348be2bace1e674a51faef78af393769356911e534233f3a737049054a04
Instruction ID: 110fad3c76ad8e1cd43b7353e9a83c7aeb14935e3bfbe93795b9b330122dfed8
Opcode Fuzzy Hash: 8067348be2bace1e674a51faef78af393769356911e534233f3a737049054a04
Instruction Fuzzy Hash: A8811371A0021CAFDF11EF96DD85DEEBBBAFF08304F50402AF505A6261DB359A14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00430071, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00430078
GetSysColor.USER32(00000014), ref: 004300B5

Part of subcall function 0042FD14: __EH_prolog3.LIBCMT ref: 0042FD1B
Part of subcall function 0042FD14: CreateSolidBrush.GDI32(?), ref: 0042FD36

GetSysColor.USER32(00000010), ref: 004300C6
GetObjectA.GDI32(00000004,00000018,?), ref: 00430106

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 00430166

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

Part of subcall function 0042E353: SetBkColor.GDI32(00000000,?), ref: 0042E362
Part of subcall function 0042E353: ExtTextOutA.GDI32(00000000,00000000,00000000,00000002,000000FE,00000000,00000000,00000000), ref: 0042E394

Part of subcall function 0042F90A: SelectObject.GDI32(?,00000000), ref: 0042F92C
Part of subcall function 0042F90A: SelectObject.GDI32(?,?), ref: 0042F942

Strings

0iI, xrefs: 004301B9
wB, xrefs: 0043007F
0iI, xrefs: 00430276, 00430126

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$Object$Select$H_prolog3$BrushCreatePixelSolidText
String ID: 0iI$0iI$wB
API String ID: 1733962545-942363113
Opcode ID: 0900d93e5530260d9fabd8d1422d3e7a3f6d03afb6f2bd4f3c2b8b3d7ab43a82
Instruction ID: 80bfc1c15978f71c2c866403cdb6cebd9129e582f79e580015248d5566d36213
Opcode Fuzzy Hash: 0900d93e5530260d9fabd8d1422d3e7a3f6d03afb6f2bd4f3c2b8b3d7ab43a82
Instruction Fuzzy Hash: 5E613371A00118AFDF02EFD1DD91AEEBF79EF08304F90402AF505A6261CB359A55DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00429B8A, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00429BD6
SetActiveWindow.USER32(?), ref: 00429BE8
SendMessageA.USER32(?,00000112,?,?), ref: 00429BFE
IsWindow.USER32(?), ref: 00429C0B
SetActiveWindow.USER32(?), ref: 00429C12
IsWindow.USER32(?), ref: 00429C17
SetFocus.USER32(?), ref: 00429C21

Strings

u, xrefs: 00429C29

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: f284afb7760cb957fb0635f9ad929975f0807e765e919848b0ae8825eb9502b2
Instruction ID: d348894838a3642426cbb7aa319bbef4c4c02fd940be3b7f19667bec2a8c90a2
Opcode Fuzzy Hash: f284afb7760cb957fb0635f9ad929975f0807e765e919848b0ae8825eb9502b2
Instruction Fuzzy Hash: 6511B732B00229ABDB396B36ED0496F7AA8FF10310F944437E90596669D63CDD00DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 00431ECF, Relevance: 13.7, APIs: 9, Instructions: 232filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00431ED6
OleDuplicateData.OLE32(?,?,00000000), ref: 00431F55
GlobalFix.KERNEL32(00000000), ref: 00431F84
CopyMetaFileA.GDI32(?,00000000), ref: 00431F90
GlobalUnWire.KERNEL32(?), ref: 00431FA0
GlobalFree.KERNEL32(?), ref: 00431FA9
GlobalUnWire.KERNEL32(?), ref: 00431FB5
lstrlenW.KERNEL32(?,0000005C), ref: 00432015
CopyFileA.KERNEL32(?,?,00000000), ref: 0043210D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$CopyFileWire$DataDuplicateFreeH_prolog3_Metalstrlen
String ID:
API String ID: 884821866-0
Opcode ID: 287a1aebf2c19080628307ba7cb378429f6c6c1b09ac2f563a2d8ce70d2646f4
Instruction ID: 83d64ef6d82358e0c448ead30c5f53a8bb4f00e047f856afd7a7a2a382059534
Opcode Fuzzy Hash: 287a1aebf2c19080628307ba7cb378429f6c6c1b09ac2f563a2d8ce70d2646f4
Instruction Fuzzy Hash: 8B818CB5500606AFDB249FA4CE8892AFBB9FF0C344B20852EF41A97660D778EC41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004600E0, Relevance: 13.6, APIs: 9, Instructions: 130timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 004600EB
GetCursorPos.USER32(?), ref: 0046010A
ScreenToClient.USER32(?,?), ref: 00460117
GetCapture.USER32 ref: 0046016D

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

ClientToScreen.USER32(?,?), ref: 004601B4
WindowFromPoint.USER32(?,?), ref: 004601C0
IsChild.USER32(?,00000000), ref: 004601D5
KillTimer.USER32(?,0000E001), ref: 00460212
KillTimer.USER32(?,0000E000), ref: 0046022E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClientKillScreenTimer$CaptureChildCursorException@8FromPointStateThrowWindow
String ID:
API String ID: 4062695252-0
Opcode ID: 14d52ddf0317309eec691da1787a927599b6a588895748fad2f078f7a2a0115a
Instruction ID: 8bd0f261af0f6dd364fb52263707b43133c16f72a88229e4ba552fed31f09ebd
Opcode Fuzzy Hash: 14d52ddf0317309eec691da1787a927599b6a588895748fad2f078f7a2a0115a
Instruction Fuzzy Hash: DF419231600605EFDB219F65CC48AAF7BB5FF45324F20066AE451D72A1EB39DE018B09

Uniqueness

Uniqueness Score: -1.00%

Function 00444E41, Relevance: 13.6, APIs: 9, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcmpi.KERNEL32(?,00000000), ref: 00444E64
GetSystemMetrics.USER32(0000002A), ref: 00444E77

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsSystemlstrcmpi
String ID:
API String ID: 2335526769-0
Opcode ID: 66d95b70c3e95b83a2832b5f820fd3ae77f8190ffb6236c533732b53ecbfc8a8
Instruction ID: 36df39a8456a3c1d52ed006b5abf4123fb4f3cbae9e0fe231b10a76f43665271
Opcode Fuzzy Hash: 66d95b70c3e95b83a2832b5f820fd3ae77f8190ffb6236c533732b53ecbfc8a8
Instruction Fuzzy Hash: 57210BB1904618ABEB205F749C44FAB77BCEB85760F204277F911D21C1D6748D45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004302A4, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004302AB
GetObjectA.GDI32(00000004,00000018,?), ref: 00430344

Part of subcall function 0042F7D9: CreatePatternBrush.GDI32(?), ref: 0042F7E8

Part of subcall function 0042F784: DeleteObject.GDI32(00000000), ref: 0042F793

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 004303F7

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

FillRect.USER32(?,?,?), ref: 004304AB

Strings

0iI, xrefs: 00430546, 00430392, 0043039A, 004303A6, 004303BA, 0043039D
\I, xrefs: 00430537, 0043039E
wB, xrefs: 004302B2

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Object$Color$BrushCreateDeleteFillH_prolog3PatternPixelRectSelect
String ID: 0iI$wB$\I
API String ID: 83244786-2814042032
Opcode ID: 1adcd9f24de79e74118a777d421bb0be50624f06a4af3255cc6a06b3fa039e5d
Instruction ID: 91168940268c9d8a5546851508e18be2bb985b01754f22cd82b4ddd7f4c697f5
Opcode Fuzzy Hash: 1adcd9f24de79e74118a777d421bb0be50624f06a4af3255cc6a06b3fa039e5d
Instruction Fuzzy Hash: F391F171D00518AEDF11EFA6DC819AEBBB9FF18344FA0813AF505A2162DB358E05DF24

Uniqueness

Uniqueness Score: -1.00%

Function 0043404D, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00434054
GetSystemMetrics.USER32(0000002A), ref: 00434105
GlobalFix.KERNEL32(00000000), ref: 0043416E
CreateDialogIndirectParamA.USER32(72AFF916,?,00051A74,00433A0C,00000000), ref: 0043419D

Strings

MS Shell Dlg, xrefs: 0043410F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 3629235202-76309092
Opcode ID: 52c7093d10b9740256b16c417f8d73e4e6f4d323d1a6a1783ae72f853e49db5c
Instruction ID: 0b92763112ac87aa3483198eaeb9158f3da4aa1ccc37268257b5c62af80f00bf
Opcode Fuzzy Hash: 52c7093d10b9740256b16c417f8d73e4e6f4d323d1a6a1783ae72f853e49db5c
Instruction Fuzzy Hash: 4251D230A00505DFCF15EFA4C8899EEBBB0AF98314F24556AF411A7295DB38AD80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00461EEC, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123registrystringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00461F0B
RegOpenKeyExA.ADVAPI32(80000000,CLSID,00000000,00020019,00000000,00000000,00000000,00000024), ref: 00461F69
lstrlen.KERNEL32(?,00000000,00000000,00000024), ref: 00461FA3
RegQueryValueA.ADVAPI32(?,?,?,?), ref: 00461FFE
lstrlen.KERNEL32(?,?,?,?), ref: 00462012
RegSetValueA.ADVAPI32(?,?,00000001,?,00000000), ref: 0046201E

Strings

CLSID, xrefs: 00461F63

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Valuelstrlen$H_prolog3OpenQuery
String ID: CLSID
API String ID: 2019324235-910414637
Opcode ID: 76ff079e09c3969faff010a7a22ca217922f47b8ad8d5cf26507474a82b11c7b
Instruction ID: a1f1605ddb7df09a5358c07ad4ae96247b826c35326a0b8482186f8bce270229
Opcode Fuzzy Hash: 76ff079e09c3969faff010a7a22ca217922f47b8ad8d5cf26507474a82b11c7b
Instruction Fuzzy Hash: BC516B71D002099FDF25EFA4C845BEEB7B4FF08314F14402AEA01B7291E7B85A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00442028, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,000000FF), ref: 00442045

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

Part of subcall function 00435FD6: _strcpy_s.LIBCMT ref: 00435FE2

Strings

\..., xrefs: 00442119

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_strcpy_slstrlen
String ID: \...
API String ID: 3876547911-1167917071
Opcode ID: e6eb64056e002e66c805c6e0a27d241c8d870955b415d0f8aaca3fe1620c73ed
Instruction ID: 42a2292c9b20fda667538bf7b86329f37f6b7d375937648c07801b39f737fe4a
Opcode Fuzzy Hash: e6eb64056e002e66c805c6e0a27d241c8d870955b415d0f8aaca3fe1620c73ed
Instruction Fuzzy Hash: 4A310771800608FFFF219F61CD41AAE7BE4AF11355F50801FFA14A6251E7B89E80CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043166E, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49registrystringCOMMON

Download Yara Rule

APIs

CoTreatAsClass.OLE32(?,?), ref: 00431681
RegOpenKeyA.ADVAPI32(80000000,CLSID,00000000), ref: 0043169D
lstrlen.KERNEL32(00000000,00000000), ref: 004316C1
RegSetValueA.ADVAPI32(00000000,00000000,00000001,00000000,00000000), ref: 004316D1
CoTreatAsClass.OLE32(?,?), ref: 004316E4
RegCloseKey.ADVAPI32(00000000), ref: 004316EB

Strings

CLSID, xrefs: 00431693

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClassTreat$CloseOpenValuelstrlen
String ID: CLSID
API String ID: 2749374906-910414637
Opcode ID: 68e20e656cd0b6d1e86e3166246512b89ce9a1065560b195472a05fe1e454b31
Instruction ID: 9a2b9054b90591dc79bd413bc1651e5b02757a47b7b401a100799f5d004c686f
Opcode Fuzzy Hash: 68e20e656cd0b6d1e86e3166246512b89ce9a1065560b195472a05fe1e454b31
Instruction Fuzzy Hash: 8E011B36400608BFDF029FA5DC09E9E3FB9EB88361F24403AFA0496120DB759A61DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004495C3, Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004495CA

Part of subcall function 00447736: SysStringLen.OLEAUT32(?), ref: 0044773E

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00449754
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00449775
GlobalAlloc.KERNEL32(00000000,00000000), ref: 004497C2
GlobalFix.KERNEL32(00000000), ref: 004497D0
GlobalUnWire.KERNEL32(?), ref: 004497E8
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 0044980B
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00449827

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$BytesLock$Create$AllocDocfileH_prolog3OpenStorageStringWire
String ID:
API String ID: 802470565-0
Opcode ID: 2cfd525402b84dea415f4df456ee5765019231de3684ca96289a03f8815a6fc1
Instruction ID: eb8af1fab2efe83a17776826c7a12255c4e86d5d89b992476a34001d2d78022d
Opcode Fuzzy Hash: 2cfd525402b84dea415f4df456ee5765019231de3684ca96289a03f8815a6fc1
Instruction Fuzzy Hash: 24C108B090020AEFEB14DFA4C8889AFB7B9FF49304B20492EF515EB250D7759D41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A080, Relevance: 12.1, APIs: 8, Instructions: 149windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040A0A5
GetSystemMetrics.USER32(00000002), ref: 0040A0F9
IsWindowVisible.USER32(?), ref: 0040A149
GetWindowRect.USER32(?,?), ref: 0040A171
GetSystemMetrics.USER32(00000002), ref: 0040A1A3
EqualRect.USER32(?,?), ref: 0040A1ED
SetScrollRange.USER32(?,00000002,00000000,?,00000001), ref: 0040A23F
IsWindow.USER32(?), ref: 0040A251

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$MetricsRectSystem$EqualRangeScrollVisible
String ID:
API String ID: 138543920-0
Opcode ID: 83a59bdaa79d99779841bc1c677b1f3067270412c7b73721e13fb11b8b57bb35
Instruction ID: d27297bea302efe9100eb14c1d37142a2accb9b854946e7b28aa6154da5f8863
Opcode Fuzzy Hash: 83a59bdaa79d99779841bc1c677b1f3067270412c7b73721e13fb11b8b57bb35
Instruction Fuzzy Hash: D161C374A012499FDB08CFD8D894BEEBBB5FF48304F248269E905AB385DB35A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004285F6, Relevance: 12.1, APIs: 8, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00428629
BeginDeferWindowPos.USER32(00000008), ref: 00428641
GetTopWindow.USER32(?), ref: 00428653
GetDlgCtrlID.USER32(00000000), ref: 0042865E
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00428690
GetWindow.USER32(00000000,00000002), ref: 00428699
CopyRect.USER32(?,?), ref: 004286B7
EndDeferWindowPos.USER32(00000000), ref: 00428733

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: ea76392944c69afac70b61d44cfa8ff6f7c9b3553034f9b407cde5d3f5bcb301
Instruction ID: 73610178d2d6cc58f9f0f7181951526ca28a1cba15b00c5cc3b765b6c19ddaf6
Opcode Fuzzy Hash: ea76392944c69afac70b61d44cfa8ff6f7c9b3553034f9b407cde5d3f5bcb301
Instruction Fuzzy Hash: B5414A71A02629DFCF11DF94E8849EEB7B5FF58301B64416FE905A6250CB389E40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425355, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c73b59531d3bfaec74e3eae91433727e686d231e90ce2774447aace643aa890
Instruction ID: ab012a67ceef316ff4d573170196622335baf43f92f51d43b6ecbe6ca09dbc53
Opcode Fuzzy Hash: 2c73b59531d3bfaec74e3eae91433727e686d231e90ce2774447aace643aa890
Instruction Fuzzy Hash: 18312C71A0052AAF9F01AFA5EC449FFBBBCEB54341BA44423E901D2110E738DA818BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0045000F, Relevance: 12.1, APIs: 8, Instructions: 85windowstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,00444B08,00000104,00000000,*.*,00000000,?,?,0000F002,00000000), ref: 0045001D
_memset.LIBCMT ref: 00450036
GetFocus.USER32 ref: 0045003E
IsWindowEnabled.USER32(?), ref: 0045006B
EnableWindow.USER32(?,00000000), ref: 0045007E
EnableWindow.USER32(?,00000001), ref: 004500C7
IsWindow.USER32(?), ref: 004500CD
SetFocus.USER32(?), ref: 004500DB

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$EnableFocus$Enabled_memsetlstrlen
String ID:
API String ID: 2950697994-0
Opcode ID: 2abda9bfd506df4c1e9a5bd7d19bac1a632b8f143138b62ed702329613a88393
Instruction ID: 436b1504667a8f7c6e9135d92a55f8a2046f521f1782444093aaae234082b942
Opcode Fuzzy Hash: 2abda9bfd506df4c1e9a5bd7d19bac1a632b8f143138b62ed702329613a88393
Instruction Fuzzy Hash: E221A074200B00AFD7229F31ED49B1ABBE5FF44B05F20452FF945872A2CB79E8098B59

Uniqueness

Uniqueness Score: -1.00%

Function 0043159E, Relevance: 12.1, APIs: 8, Instructions: 82comCOMMON

Download Yara Rule

APIs

ReadClassStg.OLE32(?,?), ref: 004315BC
ReadFmtUserTypeStg.OLE32(?,?,?), ref: 004315D8
OleRegGetUserType.OLE32(?,00000001,?), ref: 004315EB
WriteClassStg.OLE32(?,?), ref: 00431603
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 00431619
SetConvertStg.OLE32(?,00000001), ref: 00431625
WriteClassStg.OLE32(?,?), ref: 00431637
WriteFmtUserTypeStg.OLE32(?,?,?), ref: 00431640

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: TypeUserWrite$Class$Read$Convert
String ID:
API String ID: 1541382906-0
Opcode ID: a7c6ac9713bd554ae58ac03af6df60ea570ce47c8f1765f3f9063d14d2e10e5e
Instruction ID: a252a55671db20270f49b874e57c8f04d4fa30fba97261b6856979e2f31c9f38
Opcode Fuzzy Hash: a7c6ac9713bd554ae58ac03af6df60ea570ce47c8f1765f3f9063d14d2e10e5e
Instruction Fuzzy Hash: 5721D77190111DABCF01EFA5DC819EEBBF9EF5C300F544026E501F2160D7359A528FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004314B4, Relevance: 12.1, APIs: 8, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004314C2
GetMenuItemCount.USER32(?), ref: 004314CC
GetSubMenu.USER32(?,00000000), ref: 004314E4
GetMenuItemCount.USER32(00000000), ref: 004314F5
GetSubMenu.USER32(00000000,00000000), ref: 00431505
RemoveMenu.USER32(00000000,00000000,00000400), ref: 0043151D
GetSubMenu.USER32(?,00000000), ref: 00431535
RemoveMenu.USER32(?,00000000,00000400), ref: 0043154E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: d16b60f1a5e6ed30f96d21a631807bc4c4d97dd21d3bfadfa36601936f651e7b
Instruction ID: 20e1c45749ddbb6376052be6bf9a8022e29d629ddf6fe95ce69eaa816e9989f0
Opcode Fuzzy Hash: d16b60f1a5e6ed30f96d21a631807bc4c4d97dd21d3bfadfa36601936f651e7b
Instruction Fuzzy Hash: 3F11D631109700BFD6124B1A9C45A6FBBE4FBC8B15F20152FF14762120D6349D458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00431B01, Relevance: 12.1, APIs: 8, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 00431B10
GlobalAlloc.KERNEL32(00002002,00000000), ref: 00431B22
GlobalSize.KERNEL32(?), ref: 00431B33
GlobalFix.KERNEL32(?), ref: 00431B44
GlobalFix.KERNEL32(?), ref: 00431B4A
GlobalSize.KERNEL32(?), ref: 00431B55
GlobalUnWire.KERNEL32(?), ref: 00431B68
GlobalUnWire.KERNEL32(?), ref: 00431B6D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$Size$Wire$Alloc
String ID:
API String ID: 3936089190-0
Opcode ID: ed37a90c938d42861bacec5c120c6e7e0c4ae0d433f8159c563f3e0bac93391b
Instruction ID: 90638b1036c9b48635baf3103529c43afcc8db078dded4a402ca12820d66050d
Opcode Fuzzy Hash: ed37a90c938d42861bacec5c120c6e7e0c4ae0d433f8159c563f3e0bac93391b
Instruction Fuzzy Hash: 9D012171500218BFDB116F769C84C5FBF6CEF58394B509477FC0992221E6759D10DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00455E40, Relevance: 10.9, APIs: 7, Instructions: 383COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00455E47

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: df6cfd62ebe613fc95804b313181aa804a50d685e1bd911b8197e44de22c741b
Instruction ID: b18e221edf9c7e975ba2bde9f5deb2b633c8d15d925410e33d34afcf77578489
Opcode Fuzzy Hash: df6cfd62ebe613fc95804b313181aa804a50d685e1bd911b8197e44de22c741b
Instruction Fuzzy Hash: 97E1AF31900A09DBCF22DF90C880AAF77B1EF48316F61451BFD15AB252D779D989CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0045D5D4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0045D645
SetRectEmpty.USER32(?), ref: 0045D67F
UnionRect.USER32(?,?,?), ref: 0045D6C2
IsRectEmpty.USER32(?), ref: 0045D6D0
SetRectEmpty.USER32(?), ref: 0045D6DE

Strings

P, xrefs: 0045D5F4

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Empty$LongUnionWindow
String ID: P
API String ID: 1811082079-3110715001
Opcode ID: 0c22958b34b7730b307c50d6b6f1bb88bde84b0e360081016a404687bf38d74d
Instruction ID: 5adfbf1bbc85537babf4ecdf67d9ae69c1df72975928236f0d37725bdbcacd3d
Opcode Fuzzy Hash: 0c22958b34b7730b307c50d6b6f1bb88bde84b0e360081016a404687bf38d74d
Instruction Fuzzy Hash: 69417C71A002199FDF25CFA4C888EFEB7B9FF48301F14052EE915AB281DB789945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044DA5F, Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044DA66
_memset.LIBCMT ref: 0044DAD2

Part of subcall function 0043E09C: _memset.LIBCMT ref: 0043E0A4

VariantClear.OLEAUT32(?), ref: 0044DB12
SysFreeString.OLEAUT32(00000000), ref: 0044DB93
SysFreeString.OLEAUT32(00000000), ref: 0044DBA2
SysFreeString.OLEAUT32(00000000), ref: 0044DBB1
VariantClear.OLEAUT32(00000000), ref: 0044DBC6

Part of subcall function 0044D548: __EH_prolog3.LIBCMT ref: 0044D564
Part of subcall function 0044D548: VariantClear.OLEAUT32(?), ref: 0044D5C9

Part of subcall function 0043E07C: VariantCopy.OLEAUT32(00000000,00000000), ref: 0043E08A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: df00e951e54fb2dbd5e6573edc6402e724cbfc47b949385949726d8de575ce8b
Instruction ID: cf0221228da0c635827d5496ab872e3c26230b02a44b9ddcc60bdb90c270afd4
Opcode Fuzzy Hash: df00e951e54fb2dbd5e6573edc6402e724cbfc47b949385949726d8de575ce8b
Instruction Fuzzy Hash: A2513B71E00209DFEB50CFA4C884BEEBBB8FF08305F20452AE515EB291D778A944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0045C017, Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0045C05F

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 0045C0B8
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045C0C6
SendMessageA.USER32(?,0000043C,?,00000000), ref: 0045C0D7
SendMessageA.USER32(?,0000043C,?,00000000), ref: 0045C0E6
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0045C0F1
InvalidateRect.USER32(?,00000000,00000001,00000000,00000000), ref: 0045C164

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$InvalidateLongRectWindow_memcmp
String ID:
API String ID: 235743446-0
Opcode ID: fafe825ad7228038c6332e39928d7b4ba48fba4a417128c699427b7718cbb2dc
Instruction ID: 4134d7efdca9d37384a39ff0fc17461611f15b359d26bc70d31199d5e7de2980
Opcode Fuzzy Hash: fafe825ad7228038c6332e39928d7b4ba48fba4a417128c699427b7718cbb2dc
Instruction Fuzzy Hash: D641A570740708BFEB219B64CC46FAEBBB4FF08B54F104419FA556A2D1C7B5A940CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043902E, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043904D
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00439109
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00439120
RegCloseKey.ADVAPI32(?,?,?,?,?,Software\,00000018), ref: 0043913A
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0043914C

Strings

Software\, xrefs: 004390A2

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: 33e874c3f5c2f47488be3e01fc7713972d9333de8a5d64c843dfa43f6ff872b0
Instruction ID: fcc9eef9efc875c3347d35f80fe552007a25ee799c6b70d59a28cc3da576f06d
Opcode Fuzzy Hash: 33e874c3f5c2f47488be3e01fc7713972d9333de8a5d64c843dfa43f6ff872b0
Instruction Fuzzy Hash: BA417C719002099BDF11EBA5CC41AFFB7B9EF48314F20452FF551E2290DBB89A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00428330, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004283BD
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 004283E6
GetWindowLongA.USER32(?,000000FC), ref: 004283F8
GetWindowLongA.USER32(?,000000FC), ref: 00428409
SetWindowLongA.USER32(?,000000FC,?), ref: 00428425

Strings

(, xrefs: 004283DC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: aa70cf9991edfe17c0e93bd969f382b70f242d8c100ee762a05610511bf43b40
Instruction ID: 5245e27f153f885226bd8ed9587101e8360d3800fe77c7db5178dad9169ff2a1
Opcode Fuzzy Hash: aa70cf9991edfe17c0e93bd969f382b70f242d8c100ee762a05610511bf43b40
Instruction Fuzzy Hash: 2C31B070701721DFDB21EFB9D884A6EBBE4BF08714F54056EE98197691DB39E800CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00449F53, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00449F5A

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

72E6AC50.USER32(?,?,?,?,?,?,?,00000020), ref: 00449FD8
IntersectRect.USER32(?,?,?), ref: 0044A012
CreateRectRgnIndirect.GDI32(?), ref: 0044A01C

Strings

iI, xrefs: 00449F7F, 00449FFD
iI, xrefs: 00449FB3, 0044A023, 0044A030, 0044A05F, 0044A033

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID: iI$ iI
API String ID: 3511876931-2230048027
Opcode ID: 8f1636e98046218fb9f71c9a2155fdb69b9762767143606b9e4de6f2414393c2
Instruction ID: a5533098e72008d65e1277bd3aac55e346b06bb3bd0e90c502a913e77afb3d82
Opcode Fuzzy Hash: 8f1636e98046218fb9f71c9a2155fdb69b9762767143606b9e4de6f2414393c2
Instruction Fuzzy Hash: 06318E71D0021ADFDF01EFA4C485A9FBB74BF18304F60806BE500AB251C7785E45DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0044DFE2, Relevance: 10.6, APIs: 7, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 0044DFFD
GetParent.USER32(?), ref: 0044E00E
GetWindow.USER32(?,00000002), ref: 0044E031
GetWindow.USER32(?,00000002), ref: 0044E043
GetWindowLongA.USER32(?,000000EC), ref: 0044E052
IsWindowVisible.USER32(?), ref: 0044E06C
GetTopWindow.USER32(?), ref: 0044E092

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: fc23c9cc7f7a8f04d9f98e68d5feec954021d990ee24e3d533493cb9e9dda2ad
Instruction ID: 87f3aa9fbb93860753bd5670c795bbef0fde173dbcf2df5d9757d2ff2af55d49
Opcode Fuzzy Hash: fc23c9cc7f7a8f04d9f98e68d5feec954021d990ee24e3d533493cb9e9dda2ad
Instruction Fuzzy Hash: 3F21C832A01B34ABE6326BB69C09F2F769CFF54340F05056BF9A597251DA5DDC0087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00469D68, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 00469D97
__calloc_crt.LIBCMT ref: 00469DA3
CreateThread.KERNEL32(?,?,V',00000000,?,004389D8), ref: 00469DE7
GetLastError.KERNEL32(?,74B5F560,00000000,?,?,004389D8,?,?,00438843,?,?,?), ref: 00469DF1
__dosmaperr.LIBCMT ref: 00469E09

Part of subcall function 00465CF1: __getptd_noexit.LIBCMT ref: 00465CF1

Part of subcall function 00463B2F: __decode_pointer.LIBCMT ref: 00463B38

Strings

V', xrefs: 00469DDC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd_noexit
String ID: V'
API String ID: 1067611704-3023508238
Opcode ID: 8743c3be804247c145a3a4be5019aff543d5038356154c62fafe68321a9d7470
Instruction ID: fb5e4da0b117410375bbad19fb401f9fc1cf6710e04e842880a6498677e4daf5
Opcode Fuzzy Hash: 8743c3be804247c145a3a4be5019aff543d5038356154c62fafe68321a9d7470
Instruction Fuzzy Hash: 7C11C472501215BFDB11FF65DC8289FB7A9EF04328B20413FF40192191FBB99D1097AA

Uniqueness

Uniqueness Score: -1.00%

Function 00441A11, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00441A3F
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00441A62
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00441A7E
RegCloseKey.ADVAPI32(?), ref: 00441A8E
RegCloseKey.ADVAPI32(?), ref: 00441A98

Strings

software, xrefs: 00441A27

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 4e087246080b665e612655a1622b0ce865231f8270a515f7e3e7d0d7d600a562
Instruction ID: 98a928b585dd66db765a2d0ef6b8fec0ffa976242eb70c8d0c55856759e0f330
Opcode Fuzzy Hash: 4e087246080b665e612655a1622b0ce865231f8270a515f7e3e7d0d7d600a562
Instruction Fuzzy Hash: 5A11F876D01119BBDB21DBDADD89CEFBFBCEF85740B1000AAA505B2121D2709A44DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00441272, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00441298
GetStockObject.GDI32(0000000D), ref: 004412A0
GetObjectA.GDI32(00000000,0000003C,?), ref: 004412AD
72E6AC50.USER32(00000000), ref: 004412BC
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 004412DC

Strings

System, xrefs: 00441293, 004412FD

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Object$Stock
String ID: System
API String ID: 1996491644-3470857405
Opcode ID: 85742eba04ba0ac5c0b9a169595a2f7edd27af6b1082703b227fa8d3dca0c5f9
Instruction ID: efcf138f56418c1de1c4fac4b438dff483d3b96d3b75ff6b5f817f5f3065ae2e
Opcode Fuzzy Hash: 85742eba04ba0ac5c0b9a169595a2f7edd27af6b1082703b227fa8d3dca0c5f9
Instruction Fuzzy Hash: 32116071A00218EBEB109FA1DC45FAE77B8EB14781F00007BFA01E6290DAB49D418B68

Uniqueness

Uniqueness Score: -1.00%

Function 00425E90, Relevance: 10.6, APIs: 7, Instructions: 60COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00425E9C
GetWindowRect.USER32(?,?), ref: 00425EB7
ScreenToClient.USER32(?,?), ref: 00425ECA
ScreenToClient.USER32(?,?), ref: 00425ED3
EqualRect.USER32(?,?), ref: 00425EDD
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 00425F05
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00425F0F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 4b8d3b03d105c6c92bfb59d8b9ccfbac19bdce33a607203a6b633710ae88da2d
Instruction ID: 1851073c1d0a6dce7cfb011fc5a74cc0d5baeb06a2478cb612cb11a35ec18814
Opcode Fuzzy Hash: 4b8d3b03d105c6c92bfb59d8b9ccfbac19bdce33a607203a6b633710ae88da2d
Instruction Fuzzy Hash: 86114F7660061AAFDB119FA4EC44EABB7BCFF94310F65842ABD15D3214D730AD00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00438F71, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00438F78

Part of subcall function 004454C6: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 004454EF
Part of subcall function 004454C6: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00445506

PathFindFileNameA.SHLWAPI(?,00000000,00000008), ref: 00438FC1
PathRemoveExtensionA.SHLWAPI(00000000,00000000), ref: 00438FDD

Part of subcall function 00424EC0: _strlen.LIBCMT ref: 00424ED3

GlobalAddAtomA.KERNEL32(?), ref: 00438FF6
GlobalAddAtomA.KERNEL32(system), ref: 00439004

Strings

system, xrefs: 00438FF8

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: NamePath$AtomFileGlobal$ExtensionFindH_prolog3ModuleRemoveShort_strlen
String ID: system
API String ID: 3650951976-3377271179
Opcode ID: b49fec180c34d6ba47ebbf03bd59e5ca0a44a505b85dc8998f49f62db5cd290c
Instruction ID: 13288fb9781c1e6eff66447eba7f07fcaa7f13881cdf5d75177e6fbb8d75a167
Opcode Fuzzy Hash: b49fec180c34d6ba47ebbf03bd59e5ca0a44a505b85dc8998f49f62db5cd290c
Instruction Fuzzy Hash: F0111C71900616ABCF19EBB5CC16AAFB734BF14358F50421EB425272E2DB782944CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0043C87B, Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0043C887
GetSysColor.USER32(00000010), ref: 0043C88E
GetSysColor.USER32(00000014), ref: 0043C895
GetSysColor.USER32(00000012), ref: 0043C89C
GetSysColor.USER32(00000006), ref: 0043C8A3
GetSysColorBrush.USER32(0000000F), ref: 0043C8B0
GetSysColorBrush.USER32(00000006), ref: 0043C8B7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 385814a089f269c27319cf449cbd80ecd22fa6b03813cd614d15b4aaf18d10ea
Instruction ID: a1d969fa825aa364dfb7567f33018f2d01d0747df3cd598d01d6b07b91e09a11
Opcode Fuzzy Hash: 385814a089f269c27319cf449cbd80ecd22fa6b03813cd614d15b4aaf18d10ea
Instruction Fuzzy Hash: 64F0F8719417489BD730BBB29D09B47BAE1EFC4B10F12092AD2858BA90E6B6E4419F44

Uniqueness

Uniqueness Score: -1.00%

Function 0044D548, Relevance: 9.4, APIs: 6, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044D564
VariantClear.OLEAUT32(?), ref: 0044D5C9

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

VariantClear.OLEAUT32(?), ref: 0044D7D8
VariantClear.OLEAUT32(?), ref: 0044D84A
VariantClear.OLEAUT32(?), ref: 0044DA3B

Part of subcall function 0043E07C: VariantCopy.OLEAUT32(00000000,00000000), ref: 0043E08A

Part of subcall function 00440120: __EH_prolog3.LIBCMT ref: 0044012A
Part of subcall function 00440120: lstrlen.KERNEL32(?,?,?,00000224), ref: 00440149
Part of subcall function 00440120: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00440151

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$H_prolog3$AllocByteCopyException@8StringThrowlstrlen
String ID:
API String ID: 1791476184-0
Opcode ID: 084417ea08202759bb2564d6f684081c96621db87b5d71c9b22eb76e9d746620
Instruction ID: df17e1a367c75c3b8c88260a42499d30d7f60e52a836e9271637e570ca369dc9
Opcode Fuzzy Hash: 084417ea08202759bb2564d6f684081c96621db87b5d71c9b22eb76e9d746620
Instruction Fuzzy Hash: B0F1517190014CEBEF55EFA1C881AFE7BB9AF08308F50415BF85193291DB789A48DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00461812, Relevance: 9.3, APIs: 6, Instructions: 326COMMON

Download Yara Rule

APIs

Part of subcall function 00461128: PeekMessageA.USER32(00000000,00000000,0000000F,0000000F,00000000), ref: 00461169
Part of subcall function 00461128: SetRectEmpty.USER32(?), ref: 0046118D
Part of subcall function 00461128: GetDesktopWindow.USER32 ref: 004611A5
Part of subcall function 00461128: LockWindowUpdate.USER32(?,00000000), ref: 004611B6

Part of subcall function 0042EA35: GetModuleHandleA.KERNEL32(GDI32.DLL,?,00461839), ref: 0042EA3D
Part of subcall function 0042EA35: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 0042EA49

GetWindowRect.USER32(?,?), ref: 0046185F

Part of subcall function 0042EA6B: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00461846,00000000), ref: 0042EA74
Part of subcall function 0042EA6B: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 0042EA82

InflateRect.USER32(?,00000002,00000002), ref: 00461951
InflateRect.USER32(?,00000002,00000002), ref: 00461AF7

Part of subcall function 00460F8D: OffsetRect.USER32(?,?,?), ref: 00460FC4

Part of subcall function 00461346: OffsetRect.USER32(?,?,?), ref: 0046136F
Part of subcall function 00461346: OffsetRect.USER32(?,?,?), ref: 00461379
Part of subcall function 00461346: OffsetRect.USER32(?,?,?), ref: 00461383
Part of subcall function 00461346: OffsetRect.USER32(?,?,?), ref: 0046138D

Part of subcall function 004616F7: GetCapture.USER32 ref: 00461708
Part of subcall function 004616F7: SetCapture.USER32(?), ref: 00461718
Part of subcall function 004616F7: GetCapture.USER32 ref: 00461724
Part of subcall function 004616F7: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0046173E
Part of subcall function 004616F7: DispatchMessageA.USER32(?), ref: 00461770
Part of subcall function 004616F7: GetCapture.USER32 ref: 004617CE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Offset$Capture$MessageWindow$AddressHandleInflateModuleProc$DesktopDispatchEmptyLockPeekUpdate
String ID:
API String ID: 1062258019-0
Opcode ID: bb17cb3fd4cd0aea74b2c1469bd5b42907e4f7e5967dc3f378f5aeb1bc16cf14
Instruction ID: a9f99f256b9e512fb5a1507ce0a57196f6a6c4a7232904c73705dc0a64a16066
Opcode Fuzzy Hash: bb17cb3fd4cd0aea74b2c1469bd5b42907e4f7e5967dc3f378f5aeb1bc16cf14
Instruction Fuzzy Hash: 8AB16D72900608AFCF01DFA8C885EEE7BBAEF4A310F144559FD05AF255D671AE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0045573B, Relevance: 9.3, APIs: 6, Instructions: 253stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00455742
lstrlen.KERNEL32(00000000,000000FF,00000050,00445CC5,00000000,00000001,?,?,000000FF,?,?,?), ref: 00455774

Part of subcall function 00431975: _memcpy_s.LIBCMT ref: 00431985

_memset.LIBCMT ref: 00455844
VariantClear.OLEAUT32(?), ref: 00455923

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 4021759052-0
Opcode ID: 995ce19c836a5364cfebdd0bbbea13692f0384d19ec35a9aefc5f59139e5b488
Instruction ID: 033f81a3f94650e4e3da5f3ad662889425b84fc39f7ce4a670f27c92c0a4e309
Opcode Fuzzy Hash: 995ce19c836a5364cfebdd0bbbea13692f0384d19ec35a9aefc5f59139e5b488
Instruction Fuzzy Hash: FEA1CE70C00A09DBDF11EFA5C8916BEBBB0FF04316F24415AE815B7292D7399E49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004613F6, Relevance: 9.1, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 0046146E
GetSystemMetrics.USER32(0000004D), ref: 00461475
GetSystemMetrics.USER32(0000004E), ref: 0046147C
GetSystemMetrics.USER32(0000004F), ref: 00461486
IntersectRect.USER32(?,?,?), ref: 004614D3
IntersectRect.USER32(?,?,?), ref: 00461527

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$IntersectRect
String ID:
API String ID: 1124862357-0
Opcode ID: 51364c71f1f83f6e72a3f71336fc1aed885a947e8c5e4d5db9191cc5226ebcbf
Instruction ID: 39d75fe830b600184b51c82de161be24a731b1957af622799e84a79e143b57e3
Opcode Fuzzy Hash: 51364c71f1f83f6e72a3f71336fc1aed885a947e8c5e4d5db9191cc5226ebcbf
Instruction Fuzzy Hash: E1518272A002099FCF54DFACC5C5A9EBBB5FF08314F1441A6E905EB20AE634E980CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00455CC2, Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00455CF1
SysAllocString.OLEAUT32(00000000), ref: 00455D42
SysAllocString.OLEAUT32(00000000), ref: 00455D66

Part of subcall function 00432790: __EH_prolog3.LIBCMT ref: 00432797

SysAllocString.OLEAUT32(00000000), ref: 00455DBE
SysAllocString.OLEAUT32(00000000), ref: 00455DE7
SysAllocString.OLEAUT32(00000000), ref: 00455E16

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: 6c33a65e0a41f1d243485fb21858a62619aeef60b07836e78bbc1cfd38fbfe58
Instruction ID: 79d48bccd11d10ee2f2482a0a4805d11fd6bd5ccf5d8570937c399d1c2b8cbf6
Opcode Fuzzy Hash: 6c33a65e0a41f1d243485fb21858a62619aeef60b07836e78bbc1cfd38fbfe58
Instruction Fuzzy Hash: 074130709007048BCB24EF75D891BAEB7B0AF08314F10852FE86597292DB78A848CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00435DDD, Relevance: 9.1, APIs: 6, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00435D32: GetParent.USER32(?), ref: 00435D85
Part of subcall function 00435D32: GetLastActivePopup.USER32(?), ref: 00435D94
Part of subcall function 00435D32: IsWindowEnabled.USER32(?), ref: 00435DA9
Part of subcall function 00435D32: EnableWindow.USER32(?,00000000), ref: 00435DBC

EnableWindow.USER32(?,00000001), ref: 00435E2A
GetWindowThreadProcessId.USER32(?,?), ref: 00435E38
GetCurrentProcessId.KERNEL32 ref: 00435E42
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00435E57
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00435ED4
EnableWindow.USER32(?,00000001), ref: 00435F10

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f618bbd009e5ad6a64c6bca3097c3fa01b530f9c22c44f6c22a7058a3ec25aa7
Instruction ID: df0d31919eaef55f45b99f611ae650f05f3c5c69cb9c7a72eb7ac165cec39960
Opcode Fuzzy Hash: f618bbd009e5ad6a64c6bca3097c3fa01b530f9c22c44f6c22a7058a3ec25aa7
Instruction Fuzzy Hash: 8941A371A00B089FEB319F65CC46BDE77B8AF08714F24102BE9199B281D7749A408F58

Uniqueness

Uniqueness Score: -1.00%

Function 004616F7, Relevance: 9.1, APIs: 6, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00461708
SetCapture.USER32(?), ref: 00461718
GetCapture.USER32 ref: 00461724
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0046173E
DispatchMessageA.USER32(?), ref: 00461770
GetCapture.USER32 ref: 004617CE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: 3ba3302855d7a0a56198fe192bdb332ebdd88570f7c721474d79f722d49a7b3a
Instruction ID: b052f7a43e04f98e187a32cc13b8219058864accc116d30341e98d1848757261
Opcode Fuzzy Hash: 3ba3302855d7a0a56198fe192bdb332ebdd88570f7c721474d79f722d49a7b3a
Instruction Fuzzy Hash: 6C31A471A006499FDB21BBB6888587FB6E9EB40746F1C442FB04292271EE389D41D76F

Uniqueness

Uniqueness Score: -1.00%

Function 0045A072, Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00460423

Part of subcall function 0042F58C: __EH_prolog3.LIBCMT ref: 0042F593

GetClientRect.USER32(?,?), ref: 0046043E
GetWindowRect.USER32(?,?), ref: 0046044B

Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F87), ref: 0042F097
Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F8F), ref: 0042F0A0

OffsetRect.USER32(?,?,?), ref: 00460472

Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E828
Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E83D

OffsetRect.USER32(?,?,?), ref: 00460490

Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8AC
Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8C1

SendMessageA.USER32(?,00000014,?,00000000), ref: 004604BA

Part of subcall function 0042F5E0: __EH_prolog3.LIBCMT ref: 0042F5E7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreen$MessageSendWindow
String ID:
API String ID: 3264636056-0
Opcode ID: 780016c8dad77c662d2d0e44254e707948077181d40eabcd83a3117c3dfda344
Instruction ID: 52aeb892dae2ff7e7503e5255d0292d2f86c492414c69fe2648aacbd39832eef
Opcode Fuzzy Hash: 780016c8dad77c662d2d0e44254e707948077181d40eabcd83a3117c3dfda344
Instruction Fuzzy Hash: A2210A72D1011AEBDF19EB90DC55DFEB3B8FF18304F40412AF556A31A1EA346A0ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0045D353, Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00460423

Part of subcall function 0042F58C: __EH_prolog3.LIBCMT ref: 0042F593

GetClientRect.USER32(?,?), ref: 0046043E
GetWindowRect.USER32(?,?), ref: 0046044B

Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F87), ref: 0042F097
Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F8F), ref: 0042F0A0

OffsetRect.USER32(?,?,?), ref: 00460472

Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E828
Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E83D

OffsetRect.USER32(?,?,?), ref: 00460490

Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8AC
Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8C1

SendMessageA.USER32(?,00000014,?,00000000), ref: 004604BA

Part of subcall function 0042F5E0: __EH_prolog3.LIBCMT ref: 0042F5E7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreen$MessageSendWindow
String ID:
API String ID: 3264636056-0
Opcode ID: 58be4f8becf372ef947a30cb0d16f6877d5838b48ca9d1b8b801067428915ff9
Instruction ID: 52aeb892dae2ff7e7503e5255d0292d2f86c492414c69fe2648aacbd39832eef
Opcode Fuzzy Hash: 58be4f8becf372ef947a30cb0d16f6877d5838b48ca9d1b8b801067428915ff9
Instruction Fuzzy Hash: A2210A72D1011AEBDF19EB90DC55DFEB3B8FF18304F40412AF556A31A1EA346A0ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 00461128, Relevance: 9.1, APIs: 6, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(00000000,00000000,0000000F,0000000F), ref: 00461147
DispatchMessageA.USER32(?), ref: 0046115A
PeekMessageA.USER32(00000000,00000000,0000000F,0000000F,00000000), ref: 00461169
SetRectEmpty.USER32(?), ref: 0046118D
GetDesktopWindow.USER32 ref: 004611A5
LockWindowUpdate.USER32(?,00000000), ref: 004611B6

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 83d55cdbf4199dce1bce32920c873c373f3a617fda06205890c5ead2ab98ceb1
Instruction ID: ccec9f1434be9dba82f120e438890d34278208c68813aa93901d7ab4e74e2a6f
Opcode Fuzzy Hash: 83d55cdbf4199dce1bce32920c873c373f3a617fda06205890c5ead2ab98ceb1
Instruction Fuzzy Hash: 86215EB2500B04AFD3119F66DC84E677BECFB19354F45083FF295C6621EA39E8058B65

Uniqueness

Uniqueness Score: -1.00%

Function 00435D32, Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00435D64
GetParent.USER32(?), ref: 00435D72
GetParent.USER32(?), ref: 00435D85
GetLastActivePopup.USER32(?), ref: 00435D94
IsWindowEnabled.USER32(?), ref: 00435DA9
EnableWindow.USER32(?,00000000), ref: 00435DBC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 232fb1b1023f3a283ddf8380ba0d50784a0d2229f5b8dd2140d7fc52efe6ad8e
Instruction ID: c29248bb2bdd9eec502c0be5cb88ef1ef4b5df2601754d589ece185fbc84ddad
Opcode Fuzzy Hash: 232fb1b1023f3a283ddf8380ba0d50784a0d2229f5b8dd2140d7fc52efe6ad8e
Instruction Fuzzy Hash: 0411A032601F219B97322A698C4872BB2BC9F6DB55F26A16BEC05D7360DB68CC01469D

Uniqueness

Uniqueness Score: -1.00%

Function 00458B1A, Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00458B21

Part of subcall function 0042E014: CreatePatternBrush.GDI32(00000000), ref: 0042E067
Part of subcall function 0042E014: DeleteObject.GDI32(00000000), ref: 0042E073

GetClientRect.USER32(?,?), ref: 00458B40
CreateRectRgnIndirect.GDI32(?), ref: 00458B59
72E6AC50.USER32(?,00000000,?,?,?,?,00000018), ref: 00458B6B

Part of subcall function 0042F006: SelectClipRgn.GDI32(?,00000000), ref: 0042F028
Part of subcall function 0042F006: SelectClipRgn.GDI32(?,00000004), ref: 0042F03E

SendMessageA.USER32(?,00000198,000000FF,?), ref: 00458B93

Part of subcall function 0042F90A: SelectObject.GDI32(?,00000000), ref: 0042F92C
Part of subcall function 0042F90A: SelectObject.GDI32(?,?), ref: 0042F942

PatBlt.GDI32(?,?,00000002,?,00000002,005A0049), ref: 00458BCC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Select$Object$ClipCreateRect$BrushClientDeleteH_prolog3IndirectMessagePatternSend
String ID:
API String ID: 350508849-0
Opcode ID: c851512549dc72a469b824f9648207ad74beb9c94254118d1cbcc2ea968fcda6
Instruction ID: ec0ae3c8f5bef7c82778913b6fb6a6fe8ca57455e51a7bd6fbcdf920ba185868
Opcode Fuzzy Hash: c851512549dc72a469b824f9648207ad74beb9c94254118d1cbcc2ea968fcda6
Instruction Fuzzy Hash: 21215CB2900609AFCF01EFE5CD499EEBBB5FF18301F90413AE505B6161DB799A04CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004510D2, Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004510DB
GetWindow.USER32(00000000), ref: 004510E8
GetWindowLongA.USER32(00000000,000000F0), ref: 00451121
ShowWindow.USER32(00000000,00000000), ref: 0045113D
ShowWindow.USER32(00000000,00000004), ref: 00451162
GetWindow.USER32(00000000,00000002), ref: 0045116B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: aa7084c99fe2cdf82b03945d5d0823ac9723bc462560ac603830541bf1e55072
Instruction ID: 726291603aac2289780cbe5a8dfec5007c1907363cccd7349db81d7f7ff38b67
Opcode Fuzzy Hash: aa7084c99fe2cdf82b03945d5d0823ac9723bc462560ac603830541bf1e55072
Instruction Fuzzy Hash: C5110131101F15ABD32287258C89F5F7298AF15723F6001AAFA10966A2CF3DDC48CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0043DD83, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SafeArrayGetDim.OLEAUT32(?), ref: 0043DD97
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0043DDAB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0043DDC0
SafeArrayRedim.OLEAUT32(?,?), ref: 0043DDEC
VariantClear.OLEAUT32(?), ref: 0043DDFE
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 0043DE1B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ArraySafe$Bound$ClearCreateRedimVariant
String ID:
API String ID: 3151960920-0
Opcode ID: 25a9bce8934f7cdce320e30f9f719ab92a897020e93fc81c35eb9b2610338687
Instruction ID: 6fecfb84d09974c3cf85b945c2a5826721877074268fc7c24cd8106db2351658
Opcode Fuzzy Hash: 25a9bce8934f7cdce320e30f9f719ab92a897020e93fc81c35eb9b2610338687
Instruction Fuzzy Hash: D9114C71900608AFCB15AFA1DC44A9E7BBDEF18301F20842AF955E6160D774AAC0CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00441BD8, Relevance: 9.1, APIs: 6, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00441BFC
RegDeleteValueA.ADVAPI32(00000000,00000000), ref: 00441C1C
RegCloseKey.ADVAPI32(00000000), ref: 00441C47

Part of subcall function 00441A11: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 00441A3F
Part of subcall function 00441A11: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00441A62
Part of subcall function 00441A11: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00441A7E
Part of subcall function 00441A11: RegCloseKey.ADVAPI32(?), ref: 00441A8E
Part of subcall function 00441A11: RegCloseKey.ADVAPI32(?), ref: 00441A98

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00441C62

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: 7b88b03f12b11b30ba458db35d5d8490e6e73e8d7665758443e2b1d268d06f51
Instruction ID: 702b6ea730abb062cc6f85268ac557c8b032716844741aeabce0c6f7a7527954
Opcode Fuzzy Hash: 7b88b03f12b11b30ba458db35d5d8490e6e73e8d7665758443e2b1d268d06f51
Instruction Fuzzy Hash: 8D117C32481615FBEF221F60DC48BEE3B65EF14395F204026FD1599130D739C9A2DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441123, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(?), ref: 0044114D
lstrlen.KERNEL32(?), ref: 00441195
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004411AF

Strings

System, xrefs: 00441149

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharGlobalMultiWidelstrlen
String ID: System
API String ID: 1200732322-3470857405
Opcode ID: 019028ed831b24a0425f2883b7b4c77f743bc691e0f4b4925ff7ef83c4440eb0
Instruction ID: 78ec9d3f4f15f9bf8524794f7a73a36ce1c43e571cb22dfda15e09295f454d5f
Opcode Fuzzy Hash: 019028ed831b24a0425f2883b7b4c77f743bc691e0f4b4925ff7ef83c4440eb0
Instruction Fuzzy Hash: 38410471900219DFDB14DFF0C885AAEBBB5FF04304F24812BE412EB295E7789995CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004540BB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004540C2

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

_swprintf.LIBCMT ref: 0045410B

Part of subcall function 00465BB7: __vsprintf_s_l.LIBCMT ref: 00465BCA

Part of subcall function 0042AF60: _strlen.LIBCMT ref: 0042AF71

_swprintf.LIBCMT ref: 00454179

Strings

:%d, xrefs: 00454100, 0045416E
- , xrefs: 0045411F, 00454150

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _swprintf$H_prolog3_LongWindow__vsprintf_s_l_strlen
String ID: - $:%d
API String ID: 1012054303-2359489159
Opcode ID: c2f69b9290585a4191d0d8e98bf983ebca3f3461ea74fa7c8415e37881effb01
Instruction ID: 0a8e60a9ce2202564c0febdbaef21f8b288af393016574dbc51c28d30e6d9186
Opcode Fuzzy Hash: c2f69b9290585a4191d0d8e98bf983ebca3f3461ea74fa7c8415e37881effb01
Instruction Fuzzy Hash: EE21E5715002086BCB10FBA1EE42FEF7779AF54B09F64012FB901A3192EF6C6A48C759

Uniqueness

Uniqueness Score: -1.00%

Function 0044A137, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044A13E
GetRgnBox.GDI32(?,?), ref: 0044A1B9
IntersectRect.USER32(?,?,?), ref: 0044A1CE
EqualRect.USER32(?,?), ref: 0044A1DC

Strings

iI, xrefs: 0044A18F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID: iI
API String ID: 2161412305-2083763752
Opcode ID: 9a3bcecb922714f435a42ab5814590608633cd6e67dcf2b78680492a244a211a
Instruction ID: 6dd45661d84c583fd11fcbf6ea376196217d30ad7dd7a0cdc0fc8330caaf2ab9
Opcode Fuzzy Hash: 9a3bcecb922714f435a42ab5814590608633cd6e67dcf2b78680492a244a211a
Instruction Fuzzy Hash: FF211B71900209EFDF01EFA5C8809EEBB78BF18304F50856FE555A3211D7789A15DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 004252BC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 004252FA
GetSystemMetrics.USER32(00000000), ref: 00425312
GetSystemMetrics.USER32(00000001), ref: 00425319

Strings

DISPLAY, xrefs: 00425336
B, xrefs: 004252D9

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: fe705c72d47645350ecf0a7aaa2001952a9a93f22a8d4fa8cc595dcd9c8498ff
Instruction ID: 2a64c509d53a38fc692451156f1ad28cfd3574a2fd99ab79969b739bf255c0ee
Opcode Fuzzy Hash: fe705c72d47645350ecf0a7aaa2001952a9a93f22a8d4fa8cc595dcd9c8498ff
Instruction Fuzzy Hash: E611E372701A34EBDF11DFA4AC80A5BBBA9EF09790F504467FD05AE146D2B4C900CBE8

Uniqueness

Uniqueness Score: -1.00%

Function 00402170, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,?,00402065,00000000,00000000,00000000), ref: 0040217E
LockResource.KERNEL32(00000000), ref: 00402198

Strings

e @, xrefs: 004021C5
e @, xrefs: 004021EC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLock
String ID: e @$e @
API String ID: 1037334470-2578036179
Opcode ID: 935784628f2149bfccd79260cb87169c6ac242db3efe21c5b41a5fd91cd171ca
Instruction ID: c32a6a5ee8ead18c2feb433e2f1b996dea7d625eddc9b1dcaf6e65adce45fb8b
Opcode Fuzzy Hash: 935784628f2149bfccd79260cb87169c6ac242db3efe21c5b41a5fd91cd171ca
Instruction Fuzzy Hash: 15211D34900119EFCF44DFE4CA48AAEB7B1BF58300F2045AAE816BB280D3749E41EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00439F36, Relevance: 7.8, APIs: 5, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00439F4F
MapDialogRect.USER32(?,00000000), ref: 00439FE0
SysAllocStringLen.OLEAUT32(?,?), ref: 00439FFF

Part of subcall function 004249C8: _malloc.LIBCMT ref: 004249E2

SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,00000000,00000000,0000FC84,00000000), ref: 0043A193
SysFreeString.OLEAUT32(00000000), ref: 0043A1E5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: String$AllocDialogFreeH_prolog3RectWindow_malloc
String ID:
API String ID: 4007256086-0
Opcode ID: 959d00eb605dfe0d5732bb0a069cb509a733c3978264fbd96740ab1e96529b67
Instruction ID: 99b66e8069c00a5a822964a948881b8a2839058b7a5d38c6e1cdac7576d6a50a
Opcode Fuzzy Hash: 959d00eb605dfe0d5732bb0a069cb509a733c3978264fbd96740ab1e96529b67
Instruction Fuzzy Hash: E0B113B1900209EFDB04DF69C980AEE7BB4FF08314F11912AFC5997351E738A994CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00431B78, Relevance: 7.6, APIs: 5, Instructions: 104stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00431BA6
lstrlenW.KERNEL32(?), ref: 00431BBE
GlobalAlloc.KERNEL32(00002042,?), ref: 00431BDE
GlobalFix.KERNEL32(00000000), ref: 00431BF0
GlobalUnWire.KERNEL32(?), ref: 00431C73

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$lstrlen$AllocWire
String ID:
API String ID: 3740923207-0
Opcode ID: 24d535cd88f39f98fa6056f19f4fcda996cafc55627c12ed93a545bfc3e7f9bd
Instruction ID: ef231a2fc84e190576409ea7f3f5d99891a231af8517b68307d7de6b627450fb
Opcode Fuzzy Hash: 24d535cd88f39f98fa6056f19f4fcda996cafc55627c12ed93a545bfc3e7f9bd
Instruction Fuzzy Hash: 55414AB1900209DFCF11DF65C984AAABBF8FF09304F11516AEC05A7215D3B8E945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00440345, Relevance: 7.6, APIs: 5, Instructions: 100timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044034C
GetWindowTextLengthA.USER32(?), ref: 00440392
GetWindowTextA.USER32(?,00000000,00000000), ref: 004403BC
SystemTimeToFileTime.KERNEL32(?,?,?,000000FF), ref: 00440409

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,0000001C), ref: 0044041B

Part of subcall function 0043E619: _memset.LIBCMT ref: 0043E62A

Part of subcall function 0043B159: lstrlen.KERNEL32(0042BE56,?,?,00000000), ref: 0043B183
Part of subcall function 0043B159: _memset.LIBCMT ref: 0043B1A0
Part of subcall function 0043B159: GetWindowTextA.USER32(?,00000000,00000100), ref: 0043B1BA
Part of subcall function 0043B159: lstrcmp.KERNEL32(00000000,0042BE56), ref: 0043B1CC
Part of subcall function 0043B159: SetWindowTextA.USER32(?,0042BE56), ref: 0043B1D8

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: TextTimeWindow$FileSystem_memset$Exception@8H_prolog3LengthThrowlstrcmplstrlen
String ID:
API String ID: 4241279144-0
Opcode ID: 1e203d5feb6ba7416775312bad6bb11010ebf9b3af5255b256193720e03d8391
Instruction ID: 56f81c1204b01356de3f01f4b5a43c070605305e740c434b4196c7fde51da5f5
Opcode Fuzzy Hash: 1e203d5feb6ba7416775312bad6bb11010ebf9b3af5255b256193720e03d8391
Instruction Fuzzy Hash: 193170B1500119EBCF10EFA1DC41DFE7B79FF18318F10452AFA15A6191DB389951DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424700, Relevance: 7.6, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00422CBE), ref: 00424721
WideCharToMultiByte.KERNEL32(00422CBE,00000000,00000000,00422CBE,?,00000000,00000000,00000000), ref: 0042476E
GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 00424780
WideCharToMultiByte.KERNEL32(00422CBE,00000000,00000000,00422CBE,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004247A1
WideCharToMultiByte.KERNEL32(00422CBE,00000000,00000000,00422CBE,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004247E2

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: 54d78283ba454dd695977614ee7e4c1606649cec43323e0355f90b723d99ca75
Instruction ID: b3b4b9de4c3a99adfa54af7f5ea65af0d6ca345405be419927ae977f5e390937
Opcode Fuzzy Hash: 54d78283ba454dd695977614ee7e4c1606649cec43323e0355f90b723d99ca75
Instruction Fuzzy Hash: 943141B5B50218BFDB00DF98DC82FAE77B4FB88704F508159F515EB280D675A940CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004290DC, Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004290E6
GetTopWindow.USER32(?), ref: 0042910B
GetDlgCtrlID.USER32(00000000), ref: 0042911A
SendMessageA.USER32(00000087,00000087,00000000,00000000), ref: 00429176
GetWindow.USER32(00000000,00000002), ref: 004291B5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: e5d45308472b41fbf09c5578c0a02ed69a7bd344680b804e8f213e43094a7d6f
Instruction ID: 31da7d5f2914d963ffe51a99a223dd74f411b2eab3745ba105c35d0e5e285114
Opcode Fuzzy Hash: e5d45308472b41fbf09c5578c0a02ed69a7bd344680b804e8f213e43094a7d6f
Instruction Fuzzy Hash: E021F731A00125AAEF25EB96EC89EBE7674AF10300F90426BF455E3291EB384D50CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045035D, Relevance: 7.6, APIs: 5, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450364
GetParent.USER32(?), ref: 004503B4
SendMessageA.USER32(?,00000464,00000104,?), ref: 004503C8
GetParent.USER32(?), ref: 004503FB
SendMessageA.USER32(?,00000465,00000104,?), ref: 0045040F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 3fdcd5636cb703956bb2b14c251d974bcc5d5ced9c9e7584b9b81977ef971d4b
Instruction ID: 1222faadfffda6702f010a1afce5fe00e7e965ef18cae49e5e766e53ed473933
Opcode Fuzzy Hash: 3fdcd5636cb703956bb2b14c251d974bcc5d5ced9c9e7584b9b81977ef971d4b
Instruction Fuzzy Hash: 4231BC71A00526EBCB05EFA1CC45DAF7B74FF04328F50022BB925672E2DB389944CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00438E62, Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00438E81
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 00438EA0
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00438EBE
RegDeleteKeyA.ADVAPI32(?,?), ref: 00438F39
RegCloseKey.ADVAPI32(?), ref: 00438F44

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseDeleteEnumH_prolog3_catchOpen
String ID:
API String ID: 3522057324-0
Opcode ID: 0b281cf58e6a223c24391e5df390a37801d520ed156c241f1be87367661ca2f3
Instruction ID: 53cddd275aaec55248745f0eaf95a19b9a2e265378e72c8cc115b2e73f618818
Opcode Fuzzy Hash: 0b281cf58e6a223c24391e5df390a37801d520ed156c241f1be87367661ca2f3
Instruction Fuzzy Hash: 3121CC72D042099BDB22EF64D801BFEB7B4EB18320F10412AF945A7290DB785E449BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00451A66, Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00451ACC
SendMessageA.USER32(?,00000086,00000000,00000000), ref: 00451AE1
GetDesktopWindow.USER32 ref: 00451AE5
SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 00451B0D
GetWindow.USER32(00000000), ref: 00451B12

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: d4c5221eb20712f2bd36a9c26e5f7e02adf5441203fe856e6e7b755bc69b6b8c
Instruction ID: f6a8b98b71d85b9614e7aeb15fd5bbf574f7131bf3d168cc4316236e9d3a2c57
Opcode Fuzzy Hash: d4c5221eb20712f2bd36a9c26e5f7e02adf5441203fe856e6e7b755bc69b6b8c
Instruction Fuzzy Hash: 01113432301B1177E6276A628C81F6FB659AF0475AF11012AFA01062B3DF9D9C0883AD

Uniqueness

Uniqueness Score: -1.00%

Function 0045224A, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004522C9
GlobalAddAtomA.KERNEL32(?), ref: 004522D5
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004522E8
GlobalAddAtomA.KERNEL32(?), ref: 004522EE
SendMessageA.USER32(?,000003E4,?,?), ref: 00452312

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: b31cc56a890e109627b5eaffe3c154c0680e8a0bc21828fd65d38639818ab14f
Instruction ID: 5f2cc5fb318cde3a158844135492b8f4ff329199bd56369a7db0cedc776f93bd
Opcode Fuzzy Hash: b31cc56a890e109627b5eaffe3c154c0680e8a0bc21828fd65d38639818ab14f
Instruction Fuzzy Hash: A0214C719006089AEB309FB9DC45BEEB7F8FB08705F00441BE959D7182E7B8A948CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004518E7, Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00451908
PostMessageA.USER32(?,00000367,00000000,00000000), ref: 0045191E
GetCapture.USER32 ref: 00451920
ReleaseCapture.USER32 ref: 0045192B
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00451951

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 49dd26f4650bcf38642053e4e3c2aa5bb7107522d1162575bbde5269219be9ca
Instruction ID: ad4e0a8dd1eb12aebfaedbe512b2325a449cf88ecf9cf21df5cf89e55c230ced
Opcode Fuzzy Hash: 49dd26f4650bcf38642053e4e3c2aa5bb7107522d1162575bbde5269219be9ca
Instruction Fuzzy Hash: 0C012631104A08AFD6216F22DC44E1B7FACFB55705F61043FF18682132C636E904C768

Uniqueness

Uniqueness Score: -1.00%

Function 0045DF2B, Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0045DF3B
SysStringByteLen.OLEAUT32(?), ref: 0045DF5F
SysStringByteLen.OLEAUT32(?), ref: 0045DF66
_memcmp.LIBCMT ref: 0045DF73
SysFreeString.OLEAUT32(?), ref: 0045DF83

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: String$Byte$Free_memcmp
String ID:
API String ID: 1539101663-0
Opcode ID: 76d227cb5b0e5971892c59830e5665c2602cc9c2ff43c133b2da6a95c51278a2
Instruction ID: 57f0ce526d9b92aaf54321782f08b613c9d87362464619fe56b597e8b360ce13
Opcode Fuzzy Hash: 76d227cb5b0e5971892c59830e5665c2602cc9c2ff43c133b2da6a95c51278a2
Instruction Fuzzy Hash: 51F0D172B00108BFCF219FA5CC4899F7FA8EF54395710003AF80592211EB34DE04DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00464DB5, Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00464DD3

Part of subcall function 004738B0: __mtinitlocknum.LIBCMT ref: 004738C4
Part of subcall function 004738B0: __amsg_exit.LIBCMT ref: 004738D0
Part of subcall function 004738B0: RtlEnterCriticalSection.NTDLL(?), ref: 004738D8

___sbh_find_block.LIBCMT ref: 00464DDE
___sbh_free_block.LIBCMT ref: 00464DED
HeapFree.KERNEL32(00000000,8007000E,004AF9E8,0000000C,00473891,00000000,004AFF50,0000000C,004738C9,8007000E,?,8007000E,00465276,00000004,004AFA28,0000000C), ref: 00464E1D
GetLastError.KERNEL32(?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 00464E2E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: b2bd69970239d31a6d9f6cf84c3568400447a9fd52f9630f31553ef6c7d0ffa7
Instruction ID: 7c3a5a19dbfd6f6a1d680248450ee003362e3d4e5fc85f66fddd2f4dbc63076b
Opcode Fuzzy Hash: b2bd69970239d31a6d9f6cf84c3568400447a9fd52f9630f31553ef6c7d0ffa7
Instruction Fuzzy Hash: 4C01A7B1801701ABDF216FB2DC0AB4F3664AF50719F10412FF50496291FB7D89409B9F

Uniqueness

Uniqueness Score: -1.00%

Function 004410BE, Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 004410DC
LoadResource.KERNEL32(?,00000000), ref: 004410EC
LockResource.KERNEL32(00000000), ref: 004410F5
SizeofResource.KERNEL32(?,00000000), ref: 004410FF
FreeResource.KERNEL32(00000000,00000000,00000000), ref: 00441113

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID:
API String ID: 4159136517-0
Opcode ID: f6cf472f74b4f6723dbfae3782e077bedae7235d264c9e1adb3d9031533d4b61
Instruction ID: 07bd7519b682e91b37fc973414505244f30f145468ddee8bc688aa8f8bc4b130
Opcode Fuzzy Hash: f6cf472f74b4f6723dbfae3782e077bedae7235d264c9e1adb3d9031533d4b61
Instruction Fuzzy Hash: 61F0C2322016247FA3121B61AC4CE6BB7DCEF5D7A6B10043BFA01D3221DA688C408B69

Uniqueness

Uniqueness Score: -1.00%

Function 00469CDC, Relevance: 7.5, APIs: 5, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00469ABB: _doexit.LIBCMT ref: 00469AC3

___set_flsgetvalue.LIBCMT ref: 00469CE9

Part of subcall function 0046C4CE: TlsGetValue.KERNEL32(0046C611,?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C4D4
Part of subcall function 0046C4CE: __decode_pointer.LIBCMT ref: 0046C4E4
Part of subcall function 0046C4CE: TlsSetValue.KERNEL32(00000000,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C4F1

Part of subcall function 0046C4B3: TlsGetValue.KERNEL32(?,00469CF9,00000000,?,?), ref: 0046C4BD

__freefls@4.LIBCMT ref: 00469D3F

Part of subcall function 0046C4F8: __decode_pointer.LIBCMT ref: 0046C506

GetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 00469D11
RtlExitUserThread.NTDLL(00000000,?,?), ref: 00469D18
GetCurrentThreadId.KERNEL32 ref: 00469D1E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Value$Thread__decode_pointer$CurrentErrorExitLastUser___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 605283457-0
Opcode ID: 5dad70774ba8d1c2a65cf58afab388bd5f6f2b588894fd4be5be0e72d1df02c1
Instruction ID: 85d13a84f7f37a5bb107e162746456ff4f3a10d3cfc3c59e6654b9058f70ce29
Opcode Fuzzy Hash: 5dad70774ba8d1c2a65cf58afab388bd5f6f2b588894fd4be5be0e72d1df02c1
Instruction Fuzzy Hash: 280192748016019BC704BB61C84656E7BA8AF54309B20843FB94587266EB7CCC42CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0045CB90, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0045CE86

Part of subcall function 004249C8: _malloc.LIBCMT ref: 004249E2

GetWindowRect.USER32(?,?), ref: 0045CE12

Strings

@, xrefs: 0045CCB5

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyWindow_malloc
String ID: @
API String ID: 299164714-2766056989
Opcode ID: f3df683b1e3cec8a33197ebba5a98e212897669db120c6eea7c743cc66e4d24e
Instruction ID: 71b73ff253a42281b951fb035f2cc4a4f34575b8d9bb8cf31cf99f4b6d1d3303
Opcode Fuzzy Hash: f3df683b1e3cec8a33197ebba5a98e212897669db120c6eea7c743cc66e4d24e
Instruction Fuzzy Hash: 98C13B71900219AFCF05CFA8C885AAEBBB5FF48305F14816AEC19EB252D778AD44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404350, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F4FD: __EH_prolog3.LIBCMT ref: 0042F504
Part of subcall function 0042F4FD: 72E6AC50.USER32(00000000,00000004,00403B51,?,FBEF3A85), ref: 0042F530

SendMessageA.USER32(?,000007E9,000000FE,00000000), ref: 00404438
SendMessageA.USER32(?,000007E9,FF000000,00000000), ref: 00404478
SendMessageA.USER32(?,000007E9,?,00000000), ref: 004044C6

Strings

x3@, xrefs: 0040437C, 004043DD, 004043F9, 004044D3, 004043E0, 004043FC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$H_prolog3
String ID: x3@
API String ID: 1885053084-655672410
Opcode ID: f2207ed7c092f701a4cd4c8ba0319c89e6cfd201a436b21d5a72e015e18e1bcd
Instruction ID: 1ffb502b45ae453a676f95645b6b64a3a45d5562df96c808373b72a2e210002f
Opcode Fuzzy Hash: f2207ed7c092f701a4cd4c8ba0319c89e6cfd201a436b21d5a72e015e18e1bcd
Instruction Fuzzy Hash: 285108B5A00218DFDB04DF98D890EADB7B5FB88314F204269E915AB3D5C735AC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040C970, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040C99B
InvalidateRect.USER32(?,?,00000000), ref: 0040CA16
InvalidateRect.USER32(?,?,00000000), ref: 0040CA9C

Strings

&, xrefs: 0040CA43

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: InvalidateRect$State
String ID: &
API String ID: 836300194-1010288
Opcode ID: db7968eadbbe42664a5a235a6aff312083747365ef0dec69efb88ec82874aa4f
Instruction ID: f2f268a0e3336a337fa8466f079562d6d9a5996ebe712472bd545a7ee5313d40
Opcode Fuzzy Hash: db7968eadbbe42664a5a235a6aff312083747365ef0dec69efb88ec82874aa4f
Instruction Fuzzy Hash: D841A974E01108EFDB54DF94D494BEDB7B1EB88304F1482BAE819AB391C775AA41CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD14, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0042CD2C
_memset.LIBCMT ref: 0042CD8E
LoadBitmapA.USER32(00000000,00007FE3), ref: 0042CDF8

Strings

, xrefs: 0042CD4D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: BitmapCheckDimensionsLoadMarkMenu_memset
String ID:
API String ID: 3130454499-3916222277
Opcode ID: 81d145e865a725f736fbc2a8b13ce1714dc133ecdc8178e72eba06f2f9b3a071
Instruction ID: 7ef7f35639d612d01385133026d217c14fbf0a19cf72aab7aaee27e1e60450d6
Opcode Fuzzy Hash: 81d145e865a725f736fbc2a8b13ce1714dc133ecdc8178e72eba06f2f9b3a071
Instruction Fuzzy Hash: 0B310672A002159FEB20CF78ECC6ABE7BB5EF44714F55053BE601EB291E6349A04C794

Uniqueness

Uniqueness Score: -1.00%

Function 00485235, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00485257
__calloc_crt.LIBCMT ref: 00485270

Strings

0qK, xrefs: 00485287
@qK, xrefs: 004852A9

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __calloc_crt
String ID: 0qK$@qK
API String ID: 3494438863-1387440150
Opcode ID: 63aeac0fefb6580380e769162e4e07becd4fb051838972b5a6b6dbc93e12faf6
Instruction ID: 3e1e1c34c6e93c7d9f1d395eafe1cad52e12bd702c0653cfea9a815159b1a1b6
Opcode Fuzzy Hash: 63aeac0fefb6580380e769162e4e07becd4fb051838972b5a6b6dbc93e12faf6
Instruction Fuzzy Hash: 7111E7313085145FF7289E6EBC456AA3386E7D5324B244B6BE501CA3D0EF7898414F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00434A6E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timeCOMMON

Download Yara Rule

APIs

SystemTimeToVariantTime.OLEAUT32(?,?), ref: 00434A8D
_memset.LIBCMT ref: 00434A9D
VariantTimeToSystemTime.OLEAUT32(?,?,!ZC), ref: 00434AB4

Strings

!ZC, xrefs: 00434A97, 00434AAB, 00434AC1, 00434A9C, 00434AAE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Time$SystemVariant$_memset
String ID: !ZC
API String ID: 583911873-1766805553
Opcode ID: 395959586e89c505616f283d517b552b75d3608be439b16b627ea1c5663b50de
Instruction ID: f8b7c67b3cacdcb2f8c2a96bb61b4a3d8c6e4998e17c679722ec61f9ac5e10b5
Opcode Fuzzy Hash: 395959586e89c505616f283d517b552b75d3608be439b16b627ea1c5663b50de
Instruction Fuzzy Hash: 5F11E529540116A5DB217B98CC40AFBB378EF94B20F80482AFDA196214F774BD82C77C

Uniqueness

Uniqueness Score: -1.00%

Function 00441060, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,000A4F51,?,00441341,?,00000000,00000000,?,00434140,?,00000024,00420938,00000000), ref: 00441078
GlobalFix.KERNEL32(00000000), ref: 00441086
GlobalUnWire.KERNEL32(?), ref: 004410B0

Strings

@AC, xrefs: 00441060

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$AllocWire
String ID: @AC
API String ID: 924321537-2305571516
Opcode ID: 050513737f186129490773b7d0fd776faf2e6e8591a1dc5d03efc155f4b6d036
Instruction ID: b0cb9f9d42afbab9d65fbf8499c8c5f677697ca87dfc8f5e4bd60ee33d7355f1
Opcode Fuzzy Hash: 050513737f186129490773b7d0fd776faf2e6e8591a1dc5d03efc155f4b6d036
Instruction Fuzzy Hash: 11F0CDB2600200AFD761AF74CC08D3B77E8EF58301710483EF59AC2120E634C4808725

Uniqueness

Uniqueness Score: -1.00%

Function 00429985, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0043BDA6: RtlEnterCriticalSection.NTDLL(004B9460), ref: 0043BDE2
Part of subcall function 0043BDA6: RtlInitializeCriticalSection.NTDLL(?), ref: 0043BDF1
Part of subcall function 0043BDA6: RtlLeaveCriticalSection.NTDLL(004B9460), ref: 0043BDFE
Part of subcall function 0043BDA6: RtlEnterCriticalSection.NTDLL(?), ref: 0043BE0A

Part of subcall function 0043AAC7: __EH_prolog3_catch.LIBCMT ref: 0043AACE

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 004299C9
FreeLibrary.KERNEL32(?), ref: 004299D9

Strings

hhctrl.ocx, xrefs: 004299AD
HtmlHelpA, xrefs: 004299C3

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: 1216ea8c0f91c8ee80b09dbb543de245a6082c3ace75d95f38fafcbcff16f12c
Instruction ID: 655d089f2776324fb49fa9590b13040f5d4a958d3e520eec2bec502756e7702c
Opcode Fuzzy Hash: 1216ea8c0f91c8ee80b09dbb543de245a6082c3ace75d95f38fafcbcff16f12c
Instruction Fuzzy Hash: A601D6716047229BDB21AF61E906F0B7BE09F04B65F10882FF18691250DB688C80C76B

Uniqueness

Uniqueness Score: -1.00%

Function 0048E18E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048E195

Part of subcall function 0040E2A0: _strlen.LIBCMT ref: 0040E2BF

__CxxThrowException@8.LIBCMT ref: 0048E1C7

Part of subcall function 00463FFA: RaiseException.KERNEL32(00401012,00401012,?,?,00401012,00401012,00401012), ref: 0046403A

Part of subcall function 0040E1F0: std::exception::exception.LIBCMT ref: 0040E225

Strings

invalid string position, xrefs: 0048E19A
-H, xrefs: 0048E1C0, 0048E1D9

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow_strlenstd::exception::exception
String ID: -H$invalid string position
API String ID: 3092953383-1441538336
Opcode ID: ecf7c4fac1e1e2406d2617e64965b0e900cf266219ac1c2e4e032dea61522bef
Instruction ID: 71f8eaf431d13e78f27be5d3a20f3660e182c9e9cc22523d0114980dc4de5dac
Opcode Fuzzy Hash: ecf7c4fac1e1e2406d2617e64965b0e900cf266219ac1c2e4e032dea61522bef
Instruction Fuzzy Hash: A6E030719002189BCB04FBD1CC05ECEB7B4ABA5315F10482FF60476181EBB89556CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00470861, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00463DFE), ref: 00470866
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00470876

Strings

IsProcessorFeaturePresent, xrefs: 00470870
KERNEL32, xrefs: 00470861

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 023d77308a26664754b3a5318692733d7a97fb22ed12d61ef87ab77324af2bfc
Instruction ID: 736065305e7ec38c5ab6b6b4f1feb95604f7472054090e239ce5d765e8ac4607
Opcode Fuzzy Hash: 023d77308a26664754b3a5318692733d7a97fb22ed12d61ef87ab77324af2bfc
Instruction Fuzzy Hash: E2C012203A5200E6DD6077710C0DF5625041B60B83F298637A409D11C0DE68C04055AF

Uniqueness

Uniqueness Score: -1.00%

Function 00411050, Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e4a190695bf61d51ef58ca9d091e704c0194152dfb3df4a50cd016102aeae2
Instruction ID: b3211afd6299cd4398194bf36356d6627d0fbeade6ae10928f8d3bab568908d6
Opcode Fuzzy Hash: b5e4a190695bf61d51ef58ca9d091e704c0194152dfb3df4a50cd016102aeae2
Instruction Fuzzy Hash: C4811B70D00208DFCB04DFD8D895ADEBBB5FF48304F20816EE515AB291DB386985CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044CE03, Relevance: 6.2, APIs: 4, Instructions: 173windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0044CE34
GetDesktopWindow.USER32 ref: 0044CE44
GetWindowRect.USER32(?,?), ref: 0044CE5D
GetWindowRect.USER32(?,?), ref: 0044CE69

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: dbb55e26146461e72b92b4f13e416239de42b4d9950d0c53fbbe41f2bae166e4
Instruction ID: 86246d441a6028a17872139a02027161c70f26bade80c263cdd780500ea0176a
Opcode Fuzzy Hash: dbb55e26146461e72b92b4f13e416239de42b4d9950d0c53fbbe41f2bae166e4
Instruction Fuzzy Hash: 82510C75A01209EFDB10DFA8C9C5DAEB7BAFF48304B24445AF505E7250DB78AD04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004546C7, Relevance: 6.1, APIs: 4, Instructions: 132timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004546DE

Part of subcall function 0042CEA1: _wctomb_s.LIBCMT ref: 0042CEB1

GetFileTime.KERNEL32(?,?,?,?), ref: 00454715
GetFileSize.KERNEL32(?,00000000), ref: 0045472A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 0201c4b884bfbbf023d69887f4fc1eed64cd362aa73406f1a2cb8059389b4850
Instruction ID: 8976b3bfe382139f4760fb25151f5437201bf8a2d034a8d6225b366c798da218
Opcode Fuzzy Hash: 0201c4b884bfbbf023d69887f4fc1eed64cd362aa73406f1a2cb8059389b4850
Instruction Fuzzy Hash: B3418075500705AFC720DF64C8808ABB7F8BF493157108A2FE5A6D7691E734E989CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00441D52, Relevance: 6.1, APIs: 4, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,FBEF3A85), ref: 00441DFB
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 00441E1D
RegCloseKey.ADVAPI32(?), ref: 00441E2F
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00441E7C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID:
API String ID: 1042844925-0
Opcode ID: db6727437e0c637c6598b7bdedfecd88d44943efffebe963a4058d246309be44
Instruction ID: 72b9330047daa9371ee2ad95b99982de2455ab8e9e8e0d9eac1105f32c2f0881
Opcode Fuzzy Hash: db6727437e0c637c6598b7bdedfecd88d44943efffebe963a4058d246309be44
Instruction Fuzzy Hash: BD415EB1900159EBDF11DF95CC41AEFBBB9FF48754F20012BF511A2260D7785A85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00454BF5, Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00454BFC

Part of subcall function 0043E09C: _memset.LIBCMT ref: 0043E0A4

VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 00454C30
VariantClear.OLEAUT32(?), ref: 00454CE1

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Variant$ChangeClearH_prolog3Type_memset
String ID:
API String ID: 3387022819-0
Opcode ID: 26cc4eeb1d387d8d41dd9329997343b38e5980558260e08e6f6e759388d6a06c
Instruction ID: 7a03efcfc08b78416efd63681fa20f054fbc7f1f9b750a1d3317dc82f4579fb3
Opcode Fuzzy Hash: 26cc4eeb1d387d8d41dd9329997343b38e5980558260e08e6f6e759388d6a06c
Instruction Fuzzy Hash: 3A41F770801606EFCB11CF65C4445AEF7B4FFC431AB21891BEC51AB242C73899E5DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004611E7, Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 004611FD

Part of subcall function 0042E014: CreatePatternBrush.GDI32(00000000), ref: 0042E067
Part of subcall function 0042E014: DeleteObject.GDI32(00000000), ref: 0042E073

InflateRect.USER32(?,000000FF,000000FF), ref: 00461296

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Object$BrushCreateDeleteInflatePatternRectStock
String ID:
API String ID: 2707192890-0
Opcode ID: 5c9a0b757da70af7655a6d762abbdcf28e163000c6e0cc8c8ac318ffe71f8d4e
Instruction ID: c15d50bdc217068958da77bc11d64b451a87647ecf50f67b82664e153c26f74b
Opcode Fuzzy Hash: 5c9a0b757da70af7655a6d762abbdcf28e163000c6e0cc8c8ac318ffe71f8d4e
Instruction Fuzzy Hash: 63412971D00619DBCF01DFA8C984AAE77B4EB08310F1502A6ED10FB2A5E3759E41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042D78C, Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0042D7C0
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0042D825
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0042D86A
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0042D893

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 92708f413cca1be9c0340e49a2687b5cf3bbdf928b8982b8dadf1f969091f58c
Instruction ID: a63bed9b352399b8e54d0ad3abe4c8ca2571ee8a259c0cd342e4ecf05b439530
Opcode Fuzzy Hash: 92708f413cca1be9c0340e49a2687b5cf3bbdf928b8982b8dadf1f969091f58c
Instruction Fuzzy Hash: 61319E30E00129FBDB25EF51DC81EAE7BA9EF41394F50806BF9058B351CA38AD40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00485EB6, Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00485EE6
__isleadbyte_l.LIBCMT ref: 00485F1A
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00484CAC,?,?,00000002), ref: 00485F4B
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00484CAC,?,?,00000002), ref: 00485FB9

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 39e28b3e32827ddebed97afedf2d21040786c38304538e5a1edfa8e9bb52155f
Instruction ID: 17b1eb904c03ebdc67fe8edc1e2f86ebae076c3563f271155a21f2ffb0fc48e4
Opcode Fuzzy Hash: 39e28b3e32827ddebed97afedf2d21040786c38304538e5a1edfa8e9bb52155f
Instruction Fuzzy Hash: 8B31B331600645EFDB21EF64CC409BE7BA4FF01351F24896AF6649B291E334DE41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043DEFC, Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d74556ac1b1c0ae764be042828ad7735914bb82a65703387d7f9f72a0a2faf8
Instruction ID: bcda654f66abc51a3351f2a3f56f7ff1b71925f481d9a942616c65b16d6edaad
Opcode Fuzzy Hash: 4d74556ac1b1c0ae764be042828ad7735914bb82a65703387d7f9f72a0a2faf8
Instruction Fuzzy Hash: B0317331908906EFD7115B26ECC4936F7A0FB1C354F209D2AE5AB83E10D738F8A29759

Uniqueness

Uniqueness Score: -1.00%

Function 0043C6DB, Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 0043C76C
__msize.LIBCMT ref: 0043C78F
_malloc.LIBCMT ref: 0043C7A7
_malloc.LIBCMT ref: 0043C7BC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e3c5cb1e8fcb123f2c8d843a8c1f7d7fc9daea379b2a256263c214cc588c41df
Instruction ID: d4106f9be111ad875dedea37c0f9a188e7a63fa5f178030105d7d033bdb30787
Opcode Fuzzy Hash: e3c5cb1e8fcb123f2c8d843a8c1f7d7fc9daea379b2a256263c214cc588c41df
Instruction Fuzzy Hash: 352184325006129FCB24AF35C8C1A5B77A5AF48754F10D52BEC199A286EB38EC41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0045CABC, Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 0045CAD6
LoadResource.KERNEL32(?,00000000), ref: 0045CAE9
LockResource.KERNEL32(00000000), ref: 0045CAF7
FreeResource.KERNEL32(?), ref: 0045CB81

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 74e03b956f09f5865fa874826e1eb39bffb3ca36322ab9fdbb19ca3e0b298b9d
Instruction ID: ccc8533c180b0af434af119bee0489cbce839ffcb75445cbf40c2c696194a979
Opcode Fuzzy Hash: 74e03b956f09f5865fa874826e1eb39bffb3ca36322ab9fdbb19ca3e0b298b9d
Instruction Fuzzy Hash: 2C210272200720AECB149BB1DC859BFB7A8EF48716710852FFD42C6251EB78EC40D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00450521, Relevance: 6.1, APIs: 4, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450528
GetParent.USER32(?), ref: 00450572
SendMessageA.USER32(?,00000464,00000104,?), ref: 0045058A

Part of subcall function 00424EC0: _strlen.LIBCMT ref: 00424ED3

PathFindExtensionA.SHLWAPI(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 004505A4

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ExtensionFindH_prolog3MessageParentPathSend_strlen
String ID:
API String ID: 3113102702-0
Opcode ID: 9e98c78835fe26bc93d9db64d8f561895e9a340704ace5a40e634b707efac433
Instruction ID: 023245a0748d2706f34cfcbf5366c59365e955726b7b6a2b5b45fd6b8ed4af15
Opcode Fuzzy Hash: 9e98c78835fe26bc93d9db64d8f561895e9a340704ace5a40e634b707efac433
Instruction Fuzzy Hash: 7221AE75900619EBCF20EFA1C8909BE77B1BF40309B51092FF95267292EB389D44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00438843, Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0043884A

Part of subcall function 0043871A: GetCurrentThreadId.KERNEL32 ref: 0043872D
Part of subcall function 0043871A: SetWindowsHookExA.USER32(000000FF,Function_00038586,00000000,00000000), ref: 0043873D

SetEvent.KERNEL32(?,00000060), ref: 004388F7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00438900
CloseHandle.KERNEL32(?), ref: 00438907

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseCurrentEventH_prolog3_catchHandleHookObjectSingleThreadWaitWindows
String ID:
API String ID: 1532457625-0
Opcode ID: 0b14790fc297515fbac475d2452db9f3d4a69c09a8f7ab688fbdf9220e8e5cc6
Instruction ID: 1307dc35973fe1d346d243607c3a9985400146fb8edcf951f99fa32aa4de6eab
Opcode Fuzzy Hash: 0b14790fc297515fbac475d2452db9f3d4a69c09a8f7ab688fbdf9220e8e5cc6
Instruction Fuzzy Hash: 4131AC70A00702DFCB14EFA1C98595EBBB0BF08314F55556EF04A9B2A2DF38E941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004408BB, Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,00000001,00000001,00000001,00000000,00000000), ref: 00440906
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 00440918
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044092A
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 0044093C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 4d721e6ca92c372fc1d8c5f8436f72179271ad984dcb6cf82738da48c7dd15a6
Instruction ID: 45b35911d90a7315f9f4ead68b315be15451dff3ba83db43aa3190d7e0820280
Opcode Fuzzy Hash: 4d721e6ca92c372fc1d8c5f8436f72179271ad984dcb6cf82738da48c7dd15a6
Instruction Fuzzy Hash: 8C115EB224060C7FF250E652CD81FA7BB9CEB4EB88F820416F705D6481D2A2F95487B5

Uniqueness

Uniqueness Score: -1.00%

Function 00445EA8, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 00445EFF

Part of subcall function 0046ACA1: __ismbcspace_l.LIBCMT ref: 0046ACA7

CharNextA.USER32(00000000), ref: 00445F1C
_strtol.LIBCMT ref: 00445F47
_strtoul.LIBCMT ref: 00445F4E

Part of subcall function 0046AAC7: strtoxl.LIBCMT ref: 0046AAE7

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: f8ee8be903d3754c2f1c5fa107a8dbad707a1345717a05f8be56d3c5013667c5
Instruction ID: 379b490a37821021651a72985a3908cf4107ab88c3a1920f9106061103f589f6
Opcode Fuzzy Hash: f8ee8be903d3754c2f1c5fa107a8dbad707a1345717a05f8be56d3c5013667c5
Instruction Fuzzy Hash: 18212B725005055BEF20AB758C41BAAB7E89F14304F240067F584D6242EB38DE459B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401420, Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401250: IsWindow.USER32(?), ref: 00401269

GetParent.USER32(?), ref: 0040144F
SendMessageA.USER32(?,000007EB,00000000,?), ref: 00401483
SendMessageA.USER32(?,000007EC,00000000,?), ref: 004014A8
SendMessageA.USER32(?,000007E9,?,?), ref: 004014E7

Part of subcall function 0042D179: GetDlgCtrlID.USER32(?), ref: 0042D182

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParentWindow
String ID:
API String ID: 2441140303-0
Opcode ID: 943249db0c93f91244f337b570439ac906e9213def5a6b833c68e8b2be77b42d
Instruction ID: a4d3d8d48ae19fa94bbc772e7c0cbe09fb406b6d4864035dea478aa0ec39b53d
Opcode Fuzzy Hash: 943249db0c93f91244f337b570439ac906e9213def5a6b833c68e8b2be77b42d
Instruction Fuzzy Hash: F531BAB5E00109EFDB04DFD5D985DAEBBB5BB48300F10819AE915AB391C738A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00431A64, Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00431A6B

Part of subcall function 004249C8: _malloc.LIBCMT ref: 004249E2

__CxxThrowException@8.LIBCMT ref: 00431AA1
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,8007000E,00000000,00000000,00000000,?,8007000E,004AAFE0,00000004,00401F8C,8007000E), ref: 00431ACA

Part of subcall function 0042CEA1: _wctomb_s.LIBCMT ref: 0042CEB1

LocalFree.KERNEL32(8007000E,8007000E), ref: 00431AF3

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: c65e3328761b578921d78a4819cb3a79d44da375c6b8bc07865f568b4a8bcf95
Instruction ID: 7e780a0ab0c578d68157a8d5801196e7644ec91e1e8331bbea0cef7e3b2950d9
Opcode Fuzzy Hash: c65e3328761b578921d78a4819cb3a79d44da375c6b8bc07865f568b4a8bcf95
Instruction Fuzzy Hash: C111C671604249EFDF00EFA4DC81DAE3BA8EF08355F10853EF925CA2A1E7708950CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00461346, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 0046136F
OffsetRect.USER32(?,?,?), ref: 00461379
OffsetRect.USER32(?,?,?), ref: 00461383
OffsetRect.USER32(?,?,?), ref: 0046138D

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: cfc93e900b697d9ac40d120beffae319b3d7e65275d79124d85474189bbe2539
Instruction ID: 1405d157b329de2851891666ad438a7bb2cb4b5f829aebd41ac3d32c87f0b43d
Opcode Fuzzy Hash: cfc93e900b697d9ac40d120beffae319b3d7e65275d79124d85474189bbe2539
Instruction Fuzzy Hash: 1D110C71600749AFDB11DFA9C984D9BB7ECEB88354B10482EF54AD3610E674FA409B60

Uniqueness

Uniqueness Score: -1.00%

Function 00439897, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 004398BB
LoadResource.KERNEL32(?,00000000), ref: 004398C7
LockResource.KERNEL32(00000000), ref: 004398D5
FreeResource.KERNEL32(00000000), ref: 00439903

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 066e1eb420aaec65073a7c23cfa5db3c931526298b17cf883deaec04aa7fafaa
Instruction ID: fa98a236a5ff1aaa0a5e10748cdeb812764157468728b8207cb9af222e8a7142
Opcode Fuzzy Hash: 066e1eb420aaec65073a7c23cfa5db3c931526298b17cf883deaec04aa7fafaa
Instruction Fuzzy Hash: 93113675200219EFCB119F95C848BAEBBA8EF08365F14807AF90597360DBB89D40CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00441B51, Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00441B8A
RegCloseKey.ADVAPI32(00000000), ref: 00441B93
_swprintf.LIBCMT ref: 00441BB0
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00441BC1

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 156d153c6d166a61b7cae319c588a44c6e232f9d31b74e5eb4c2b994a918a868
Instruction ID: 16e09a9e26e0cbc6721a3f9a295af4d2d8a150c940753c540b5820e2cd27f870
Opcode Fuzzy Hash: 156d153c6d166a61b7cae319c588a44c6e232f9d31b74e5eb4c2b994a918a868
Instruction Fuzzy Hash: A2018472501209BBDB119F659C41FBF77ACEF49B14F11042BB901A7150EA78ED1487A9

Uniqueness

Uniqueness Score: -1.00%

Function 0042C53B, Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CF6B: GetDlgItem.USER32(00401012,?), ref: 0042CF78

SendMessageA.USER32(?,00000188,00000000,00000000), ref: 0042C573
SendMessageA.USER32(?,0000018A,00000000,00000000), ref: 0042C587
SendMessageA.USER32(?,00000189,00000000,00000000), ref: 0042C59C
SendMessageA.USER32(?,0000018C,000000FF,?), ref: 0042C5C4

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 9f5f3b69665e6f7c9fb4b4d76de780066ddaf37e43d7e1caca36a940fbd3da8d
Instruction ID: 3a1b86dcc0ed93acf244c646cfc01eb01e8401e4543fcb1c44d4aff15e801c51
Opcode Fuzzy Hash: 9f5f3b69665e6f7c9fb4b4d76de780066ddaf37e43d7e1caca36a940fbd3da8d
Instruction Fuzzy Hash: F5110432340128BBCF01AF55DC01FAE3B29EF84720F50422BF9255B1E0CB74A951CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0045214C, Relevance: 6.1, APIs: 4, Instructions: 53fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00452175
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 0045218E
DragQueryFile.SHELL32(?,?,?,00000104), ref: 004521B2
DragFinish.SHELL32(?), ref: 004521CE

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: d4565c15ff03cd1c3fc500859f0848bf6e0838e9c38cc3ee96340d707c7db76e
Instruction ID: 17fd6e3e6ebb2416d8d03e040f5a8eb93397542fa8b413dc664f2326a4bc6fff
Opcode Fuzzy Hash: d4565c15ff03cd1c3fc500859f0848bf6e0838e9c38cc3ee96340d707c7db76e
Instruction Fuzzy Hash: EB1151B19001189FDB20AFB4DC85FAEBBB8FF08315F10452BE525A7192DB74A4488F64

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0A7, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 0044A0E6
EqualRect.USER32(?,00000000), ref: 0044A0F3
IsRectEmpty.USER32(?), ref: 0044A0FD
InvalidateRect.USER32(?,?,?), ref: 0044A11A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 139d454e18f1f0cf9917074765f7fc3a7b9f49c73f54dcae44b441e03ca6e523
Instruction ID: f21cbab1004088333047ee71a6ccff21f6ce4369d95818b6679da207cc83d416
Opcode Fuzzy Hash: 139d454e18f1f0cf9917074765f7fc3a7b9f49c73f54dcae44b441e03ca6e523
Instruction Fuzzy Hash: 2B112A3290010AEFDF01DF94D889EDEBBB9FF18305F0040A2FA04A6111D3759A5A8FA5

Uniqueness

Uniqueness Score: -1.00%

Function 004544C3, Relevance: 6.1, APIs: 4, Instructions: 52timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00454527
GetLastError.KERNEL32(00000000), ref: 00454539
LocalFileTimeToFileTime.KERNEL32(?,00000000), ref: 00454548
GetLastError.KERNEL32(00000000), ref: 00454553

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: e0adc2d5adde247f8e7929a7dff9872a650349a88b0a68c69bb0bc3607923057
Instruction ID: 5dc48cf50a53babc959e1c06732a2e5b027c142d0f1d2b31e07c805bd38a231f
Opcode Fuzzy Hash: e0adc2d5adde247f8e7929a7dff9872a650349a88b0a68c69bb0bc3607923057
Instruction Fuzzy Hash: 39016525E10219B6CF00BFF588056AE777DAF44709F00505BFD01AB252EA789688879D

Uniqueness

Uniqueness Score: -1.00%

Function 0043C9A5, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32(?,?,00000100), ref: 0043C9C9
GetLastError.KERNEL32 ref: 0043C9E0
GlobalGetAtomNameA.KERNEL32(?,?,00000100), ref: 0043C9FB
GetLastError.KERNEL32 ref: 0043CA05

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AtomErrorLastName$Global
String ID:
API String ID: 815022922-0
Opcode ID: 1ca7e5a3df887b80fdead4ac110c0b1ae26ba78df48f2951576db00d340d625b
Instruction ID: 4a83adff452a75ad43659787e68075365a0a42097cddb201db37b82c4a7290d2
Opcode Fuzzy Hash: 1ca7e5a3df887b80fdead4ac110c0b1ae26ba78df48f2951576db00d340d625b
Instruction Fuzzy Hash: 0D0184717101486BCB11EB68ECC0BAF77AC9B0C785F241873A412F2150E678DD4697A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044503E, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 004249C8: _malloc.LIBCMT ref: 004249E2

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00445070
GetCurrentProcess.KERNEL32(?,00000000), ref: 00445076
DuplicateHandle.KERNEL32(00000000), ref: 00445079
GetLastError.KERNEL32(?), ref: 00445094

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: 286727b2298a7f8b7136f89a637692b41814f13a1fb7bd073dab5c60916e43c6
Instruction ID: 541e39a90631a0a91185e0583ad51a8fad0cce6c8e86129984d7d7392386dc07
Opcode Fuzzy Hash: 286727b2298a7f8b7136f89a637692b41814f13a1fb7bd073dab5c60916e43c6
Instruction Fuzzy Hash: 69018479700604BBEB119BB5DC49F1B7BA9DF84311F144467F905CB242DA75DC408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042CBA9, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 0042CBE1

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

GetFocus.USER32 ref: 0042CBF8
GetParent.USER32(?), ref: 0042CC06
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0042CC19

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: 0d15e84ac152bdb633637d9c667167085992b9161e5e19afbb2653aa6efa2924
Instruction ID: ef3db16bd9c391a9226ccac09ebbde23f358cd921fe9e9ccc2efac26721083b2
Opcode Fuzzy Hash: 0d15e84ac152bdb633637d9c667167085992b9161e5e19afbb2653aa6efa2924
Instruction Fuzzy Hash: 7911CE71600A10EFCB21AF21ECC5C2BB7B5FF98315B908A3FE15A42960C734AC41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00428E0E, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 00428E1C
GetTopWindow.USER32(00000000), ref: 00428E5B
GetWindow.USER32(00000000,00000002), ref: 00428E79

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8eebb820279975a8ba4bf984a442185b0430bc8390179e88453356644b553062
Instruction ID: 17d97040cb3bc83f82ab139f72cf36bd86566f70d19576797781541536aca2fc
Opcode Fuzzy Hash: 8eebb820279975a8ba4bf984a442185b0430bc8390179e88453356644b553062
Instruction Fuzzy Hash: D901567210252AFBCF135F91AC05EDF3B26EF14354F45402AFA04A4120CB39C931DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042857F, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0042858A
GetTopWindow.USER32(00000000), ref: 0042859D

Part of subcall function 0042857F: GetWindow.USER32(00000000,00000002), ref: 004285E4

GetTopWindow.USER32(?), ref: 004285CD

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: bf2175105902e43a189ed61f0576099eca0340aed452f53592f6313e02122481
Instruction ID: 495852f1420ec8137339215e64239f936d8a9b5ad03ffdbdb67d6e7962144ae4
Opcode Fuzzy Hash: bf2175105902e43a189ed61f0576099eca0340aed452f53592f6313e02122481
Instruction Fuzzy Hash: B3017132203636B7CF232E61AC00E9F3A54AF71360B84402AFC0455211EF39CA919AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004405FB, Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044060F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0043D42A,?,?,?,004AC62C,00000008), ref: 00440627
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044062F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0043D42A,?,?,?,004AC62C,00000008), ref: 0044064E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 1b0dd1aca19002d4e34209b491b7c01766521b3cdaa241a2d1fa6d7f25102649
Instruction ID: 05f101b5a179b91c296078595210f6416541d882e2330fda67a00c137259d1c7
Opcode Fuzzy Hash: 1b0dd1aca19002d4e34209b491b7c01766521b3cdaa241a2d1fa6d7f25102649
Instruction Fuzzy Hash: 38F062711062747F93212B625C4CCABBF9CEE9A2B5B11052BF64992100C679A810C7F9

Uniqueness

Uniqueness Score: -1.00%

Function 00470736, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0047075A

Part of subcall function 0047054C: __fltout2.LIBCMT ref: 00470576

__cftog_l.LIBCMT ref: 00470780
__cftoe_l.LIBCMT ref: 004707B2

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
Instruction ID: aa35ce467ee10a42a45101e1a5c1d958a4877bde837b71d1c567bb47a8dca0e4
Opcode Fuzzy Hash: f21a8b7f24a1b2d00343f0b603ae94f06ec36108a82eb02af9b45acdd94f1f67
Instruction Fuzzy Hash: A8014B7200114AFBCF266E99DC418EE3F62BB18354F588416FA5C99131D33AD9B1AF85

Uniqueness

Uniqueness Score: -1.00%

Function 0046D818, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 0046C685: __getptd_noexit.LIBCMT ref: 0046C686
Part of subcall function 0046C685: __amsg_exit.LIBCMT ref: 0046C693

__amsg_exit.LIBCMT ref: 0046D844
__lock.LIBCMT ref: 0046D854
InterlockedDecrement.KERNEL32(?), ref: 0046D871
InterlockedIncrement.KERNEL32(02311300), ref: 0046D89C

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 4c075ef5e9c23c533f70433693bbfb1f08b9e8a7d73aecd58afc5700ef3706af
Instruction ID: 1969d825221d7ab00130ae5f386f729f88b68df0f4834334d2d41559b7fda8ba
Opcode Fuzzy Hash: 4c075ef5e9c23c533f70433693bbfb1f08b9e8a7d73aecd58afc5700ef3706af
Instruction Fuzzy Hash: 1E018E31E0161197DB21BB66984AB5A73A0BB44715F19023BE820A7290EB3C6D41CBDF

Uniqueness

Uniqueness Score: -1.00%

Function 00426266, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004262A4
SetBkColor.GDI32(00000000,00000000), ref: 004262B0
GetSysColor.USER32(00000008), ref: 004262C0
SetTextColor.GDI32(00000000,?), ref: 004262CA

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: dcc7454183c0c083a2eda933a921a6e0b3fe2640e6be5b5c83fe1bf8042a0053
Instruction ID: 38ff7d913656bcf6610e3dfd52c3d81a1c747d2f2d04b41a2501bb6d16f27043
Opcode Fuzzy Hash: dcc7454183c0c083a2eda933a921a6e0b3fe2640e6be5b5c83fe1bf8042a0053
Instruction Fuzzy Hash: 0F014F30600128EBDF226F64EC49BAF3B69EB05355FA14562F911D01E0D774CD90CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004650BE, Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 004650C6

Part of subcall function 00474A9A: __NMSG_WRITE.LIBCMT ref: 00474AC1
Part of subcall function 00474A9A: __NMSG_WRITE.LIBCMT ref: 00474ACB

__NMSG_WRITE.LIBCMT ref: 004650CD

Part of subcall function 004748DA: _strcpy_s.LIBCMT ref: 00474946
Part of subcall function 004748DA: __invoke_watson.LIBCMT ref: 00474957
Part of subcall function 004748DA: GetModuleFileNameA.KERNEL32(00000000,004B9B19,00000104), ref: 00474973
Part of subcall function 004748DA: _strcpy_s.LIBCMT ref: 00474988
Part of subcall function 004748DA: __invoke_watson.LIBCMT ref: 0047499B
Part of subcall function 004748DA: _strlen.LIBCMT ref: 004749A4
Part of subcall function 004748DA: _strlen.LIBCMT ref: 004749B1
Part of subcall function 004748DA: __invoke_watson.LIBCMT ref: 004749DE

Part of subcall function 00469756: ___crtCorExitProcess.LIBCMT ref: 0046975A
Part of subcall function 00469756: ExitProcess.KERNEL32 ref: 00469764

RtlAllocateHeap.NTDLL(00000000,?), ref: 004650FA
RtlAllocateHeap.NTDLL(00000000,?), ref: 0046512A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __invoke_watson$AllocateExitHeapProcess_strcpy_s_strlen$FileModuleName___crt
String ID:
API String ID: 4108966708-0
Opcode ID: 326a781bc4fa56e4a868cf088f87685015de0b78fa8b6637b996491e16a14835
Instruction ID: 86937d3a613a40ad8db8b11f7a7d392a7d703254230d795f3640fd90c4beeb48
Opcode Fuzzy Hash: 326a781bc4fa56e4a868cf088f87685015de0b78fa8b6637b996491e16a14835
Instruction Fuzzy Hash: FAF0F631D466116BEA216B10AC42BEB3748EF12324F30003BFD44E53D1FB699C40869F

Uniqueness

Uniqueness Score: -1.00%

Function 0043442B, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00434445
LoadResource.KERNEL32(?,00000000), ref: 0043444D
LockResource.KERNEL32(00000000), ref: 0043445A
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00434472

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 9061bf24b95ec7c6b5fddfcfeb5b54ab02f6f45e730fc84ec3589202e0431800
Instruction ID: a9057abdaddc79e278a1614f3b42f67c4de011e5b58948a18ff4c67e22de7f58
Opcode Fuzzy Hash: 9061bf24b95ec7c6b5fddfcfeb5b54ab02f6f45e730fc84ec3589202e0431800
Instruction Fuzzy Hash: DCF08936200614BFC7526BA59C4DD9FBBBCEF99765B11403AF605D3211D6789D008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00440192, Relevance: 6.0, APIs: 4, Instructions: 32memorystringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044019C
VariantClear.OLEAUT32 ref: 004401A4
lstrlen.KERNEL32(?,?,?,?,00000224), ref: 004401C2
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 004401CA

Part of subcall function 00432B1B: __CxxThrowException@8.LIBCMT ref: 00432B2F

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocByteClearException@8H_prolog3StringThrowVariantlstrlen
String ID:
API String ID: 103272278-0
Opcode ID: d040c2ec066593751daca99b8f99ae91301846baa4d9cce49aa0dfb500648f91
Instruction ID: e59f45ceb41a4f8c71a9e2f6cfe17f25c1e47f827930aaf9c6850e6970e2702e
Opcode Fuzzy Hash: d040c2ec066593751daca99b8f99ae91301846baa4d9cce49aa0dfb500648f91
Instruction Fuzzy Hash: 10F0C8308107009FD721FF62C84976AB3B4FF10315F20806FE50563261EBBC6984CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0043439C, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 004343BC
GetActiveWindow.USER32 ref: 004343C7
SetActiveWindow.USER32(00000000,?,00000024,00420938,00000000), ref: 004343D5
FreeResource.KERNEL32(628467F9,?,00000024,00420938,00000000), ref: 004343F1

Part of subcall function 0042D231: EnableWindow.USER32(?,00000000), ref: 0042D23E

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: e2e8b8017db15dbaf2c5795d5618923302bd839f08d5ed25d9a3ad88f5d5103a
Instruction ID: 4601c560c21bb3f3bf480c7127d23ccc4860222e8e89f585aa5708ed687ebb34
Opcode Fuzzy Hash: e2e8b8017db15dbaf2c5795d5618923302bd839f08d5ed25d9a3ad88f5d5103a
Instruction Fuzzy Hash: 44F03C30A00B08CFCF22AF64C8455AEB7B2BF8C702F60156AE94173261CB7A6D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004059F0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 404windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000143,00000000,?), ref: 00405FB2
SendMessageA.USER32(?,00000030,?,00000001), ref: 00406016

Strings

5JC, xrefs: 00405C66

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: 5JC
API String ID: 3850602802-950159820
Opcode ID: d7f8e6d86d6321d09b3e4198fef8a82ff674f47514dff012f5847564d5a4c52c
Instruction ID: c442ed8383761078f49b04b0d92f221006bc80f40a72886d3b1f17aeabb82f0b
Opcode Fuzzy Hash: d7f8e6d86d6321d09b3e4198fef8a82ff674f47514dff012f5847564d5a4c52c
Instruction Fuzzy Hash: 1D12E5B4A00619DFDB14CF94C991BAEB7B1FF48304F2082AAE5196B381D7786E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0044940C, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00449413

Strings

@, xrefs: 00449476

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 1ad3e46a06e1e811379727d75b166ce654c1e44d2d785171ae27fbd146cb7451
Instruction ID: 657a31a04174038c0b32509abe44ddb19a2889c4678362e3b189815da2f8fcb8
Opcode Fuzzy Hash: 1ad3e46a06e1e811379727d75b166ce654c1e44d2d785171ae27fbd146cb7451
Instruction Fuzzy Hash: 2751D671A002099FDB04CFA9C984AAEB7F9BF48304F24456EE516EB250E778AD45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00406124

Strings

%-5.1f, xrefs: 0040610D, 0040611F, 00406133
MS Sans Serif, xrefs: 00406166

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _strlen
String ID: %-5.1f$MS Sans Serif
API String ID: 4218353326-966146429
Opcode ID: 067eda6f4b326c288def9c5c2ba3be0f6583191114fa82d34a959ac3c2d9be25
Instruction ID: 31ba7f2cc2b4c9ea4047dea39ae350100d444884f3c6af1f0477c4b370598301
Opcode Fuzzy Hash: 067eda6f4b326c288def9c5c2ba3be0f6583191114fa82d34a959ac3c2d9be25
Instruction Fuzzy Hash: 574118B0E14248DFDB24DFA8C855B9EBBB1BF48304F20426EE4156B382D7759906CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00461E2F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00461E36
RegOpenKeyExA.ADVAPI32(80000000,CLSID,00000000,00020019,?,00000000,00000000,00000010,004623F5,?,?,0000000A,80000000,?,?,?), ref: 00461E79

Strings

CLSID, xrefs: 00461E73

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: H_prolog3Open
String ID: CLSID
API String ID: 94179280-910414637
Opcode ID: 0bb85735798f87c4a8465942f864471554c8946fd2d49feec1fd42e615894081
Instruction ID: 604dab8523714af9fc25cc96ef5b71831e6a1ba9f552e9f15618a60701bc3b51
Opcode Fuzzy Hash: 0bb85735798f87c4a8465942f864471554c8946fd2d49feec1fd42e615894081
Instruction Fuzzy Hash: D0216371D0024ADBDF10EFA5C941DAF7774AF14318F14452FF91163252DB389A44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00441314, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

@AC, xrefs: 0044134C, 00441367, 00441382

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID:
String ID: @AC
API String ID: 0-2305571516
Opcode ID: aee4a60c0159487d0a4ea945557991468d39f9ebe399f8c85a4235db9f48195c
Instruction ID: f7607aa6a93394a18d6f31912c5adfad267a581af02e9918bff76dbb45e35867
Opcode Fuzzy Hash: aee4a60c0159487d0a4ea945557991468d39f9ebe399f8c85a4235db9f48195c
Instruction Fuzzy Hash: D30188723002105F73206F2A988593FF3ECDEA4766720483FF955C3611EE789C814768

Uniqueness

Uniqueness Score: -1.00%

Function 0044583B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00445842

Part of subcall function 00445737: _swprintf.LIBCMT ref: 0044579D

Part of subcall function 004450C3: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 004450FB
Part of subcall function 004450C3: RegOpenKeyA.ADVAPI32(?,?,?), ref: 0044510F
Part of subcall function 004450C3: RegOpenKeyA.ADVAPI32(?,InProcServer32,?), ref: 0044512A
Part of subcall function 004450C3: RegQueryValueExA.ADVAPI32(?,00496010,00000000,?,?,?), ref: 00445144
Part of subcall function 004450C3: RegCloseKey.ADVAPI32(?), ref: 00445154
Part of subcall function 004450C3: RegCloseKey.ADVAPI32(?), ref: 00445159
Part of subcall function 004450C3: RegCloseKey.ADVAPI32(?), ref: 0044515E

GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 004458D2

Strings

DllGetClassObject, xrefs: 004458CC

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpen$AddressH_prolog3ProcQueryValue_swprintf
String ID: DllGetClassObject
API String ID: 2239898804-1075368562
Opcode ID: 4e787c323ac769f2d4a056c0611560d3e60b22565b70e71a03fdaa9b70e0fdd8
Instruction ID: a794d2d534666754aa7abe8af3bbce3f4a0c6bd1f1cfe412c6ee318ab6a195ac
Opcode Fuzzy Hash: 4e787c323ac769f2d4a056c0611560d3e60b22565b70e71a03fdaa9b70e0fdd8
Instruction Fuzzy Hash: 321160316006169BEF00FFA5CC11BAE3764BF54328F14452EB821A7292DB7899A4D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045D28C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0045D2EF
ShowWindow.USER32(?,?), ref: 0045D315

Strings

P, xrefs: 0045D2B1

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$LongShow
String ID: P
API String ID: 2659037557-3110715001
Opcode ID: 9a74219e549c1814afe73746446b72abcc2f01fcad658fa5caee6c3dadc348d4
Instruction ID: d74173e11e566cbbbcd4f21fd73462e9950fbcdffb8cd5584fdfb3fcd8821a64
Opcode Fuzzy Hash: 9a74219e549c1814afe73746446b72abcc2f01fcad658fa5caee6c3dadc348d4
Instruction Fuzzy Hash: 6D014931A10514ABDF185BA4DC1ADBEBB71FF84312F14023EF902D6291DE7898048B58

Uniqueness

Uniqueness Score: -1.00%

Function 004010E0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000C), ref: 00401147

Part of subcall function 00401E90: _strlen.LIBCMT ref: 00401F34

Strings

More Colors..., xrefs: 0040116D
Automatic, xrefs: 00401156

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color_strlen
String ID: Automatic$More Colors...
API String ID: 1064490023-3690755981
Opcode ID: 631cb9d8918456e86693719f4350110fcca0815af61d9d8c4413e4a19a7ee708
Instruction ID: d45c9e48d2121ee65c9eecce2b61658fcc62670a10b56eeee4266855e5c815ed
Opcode Fuzzy Hash: 631cb9d8918456e86693719f4350110fcca0815af61d9d8c4413e4a19a7ee708
Instruction Fuzzy Hash: 4F115870A00618DFDB25DF94CA40B9DBBB1EB05314F2042EAE9197B381C7396E40CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0045C9A1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00410780: GetModuleHandleA.KERNEL32(?), ref: 0041079F
Part of subcall function 00410780: LoadLibraryA.KERNEL32(?), ref: 004107C1

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0045C9C8
_memset.LIBCMT ref: 0045C9E1

Strings

DllGetVersion, xrefs: 0045C9C2

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: 0823b270399e34fa29b057b34e1b56606b1424e32174dac4cc00e4763a1388b6
Instruction ID: d03f171c391a683c4015b40ab6c60b7bec560f59dcae7279c4f9856803d7822b
Opcode Fuzzy Hash: 0823b270399e34fa29b057b34e1b56606b1424e32174dac4cc00e4763a1388b6
Instruction Fuzzy Hash: C1F0A9B1E003199BD701EBADDC85B9A77E85B04759F500636F910F3291D778DD0887B9

Uniqueness

Uniqueness Score: -1.00%

Function 00441394, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,8B,000000FF,00000000,00000020,00000020,00000000,00000000,?,004340EB,?,00000000,628467F9,00000000,0007C000), ref: 004413E2

Strings

$8B, xrefs: 004413E8
8B, xrefs: 00441395, 00441399, 004413A6, 004413DD

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: $8B$8B
API String ID: 626452242-3398833573
Opcode ID: a1692d35d55cab40f6a3a3e788463807a8356e9319b0e87514dbe7bd071902d0
Instruction ID: 68d2655dae7e0092a723fa4eeafd81944b3063fdecce84f10f1786e8cbcfe575
Opcode Fuzzy Hash: a1692d35d55cab40f6a3a3e788463807a8356e9319b0e87514dbe7bd071902d0
Instruction Fuzzy Hash: E1F02B3260C321AAE714BB64FC02F9B7364DF85724F20820EF221572E1DB706442C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0043470C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00434713

Part of subcall function 00433B33: _memset.LIBCMT ref: 00433B4A

_memset.LIBCMT ref: 00434739

Strings

)EC, xrefs: 00434733

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog3
String ID: )EC
API String ID: 2144794740-2852523799
Opcode ID: 7841009a618b36c972622d60d005d63cac3d33ba752dc62e41935d434b2a6524
Instruction ID: 4b2ea22b8c2db0ed0eccd7b08b28d508a40c611de8947220d3614ed452790051
Opcode Fuzzy Hash: 7841009a618b36c972622d60d005d63cac3d33ba752dc62e41935d434b2a6524
Instruction Fuzzy Hash: 3601A4B1900B01DFD710DF68C80278ABBF0BF44718F14881EE59D9B241EBB97504CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00450EE8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450EEF

Part of subcall function 004249C8: _malloc.LIBCMT ref: 004249E2

__CxxThrowException@8.LIBCMT ref: 00450F28

Part of subcall function 00445537: __EH_prolog3.LIBCMT ref: 0044553E

Strings

.RD, xrefs: 00450F35

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: H_prolog3$Exception@8Throw_malloc
String ID: .RD
API String ID: 623675022-883820711
Opcode ID: 74151e207a5f1a19da87351fe42861a54f88418b7ff912d6137d569ce1609356
Instruction ID: 9653af071c4bfa32b984f2234c2b67572b391a44b3a3e06840262eaeaee94d74
Opcode Fuzzy Hash: 74151e207a5f1a19da87351fe42861a54f88418b7ff912d6137d569ce1609356
Instruction Fuzzy Hash: F9F0C231904309BFCF04EFA0CC01A9E7EA1BF04305F10892EF518920A2D7788650DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0042501A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042503B
GetVersionExA.KERNEL32(?), ref: 00425054

Strings

\RB, xrefs: 0042505A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Version_memset
String ID: \RB
API String ID: 963298953-2327318956
Opcode ID: b06f4a6586e26324c537e09d81e5cb62fe89db91e2301a43f3921e9361467154
Instruction ID: d45c9c83b3ebef515b2df1ff35f65b7a261729b360f5a67bb31ad3e1cd81cead
Opcode Fuzzy Hash: b06f4a6586e26324c537e09d81e5cb62fe89db91e2301a43f3921e9361467154
Instruction Fuzzy Hash: DBE09BB59103089FDB60EF70DD46B4DB3F89B04704F5040B9950DD62C2EA745B8C8F45

Uniqueness

Uniqueness Score: -1.00%

Function 0042D51C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00051A74,8B,$8B,?,00000000,?,00000000,?,00434381,00000000,00000000,00000000,00000000,00000000,00000097,00000000), ref: 0042D542

Strings

8B, xrefs: 0042D525, 0042D53E
$8B, xrefs: 0042D53B

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window
String ID: $8B$8B
API String ID: 2353593579-3398833573
Opcode ID: 01dc530e6787bd64fa4fb210ac4eccb28f375020a658b587b21d98013ee9cb39
Instruction ID: 82fdfb430973a216da921eda889ec2e39c7eecb80a5d7ec18cf41d6a96d95625
Opcode Fuzzy Hash: 01dc530e6787bd64fa4fb210ac4eccb28f375020a658b587b21d98013ee9cb39
Instruction Fuzzy Hash: 54E0C932200109EFDB018F90E844EBA3BA5FB08304F5440A9FA044A122C732D871EF54

Uniqueness

Uniqueness Score: -1.00%

Function 00485306, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00485323

Part of subcall function 004738B0: __mtinitlocknum.LIBCMT ref: 004738C4
Part of subcall function 004738B0: __amsg_exit.LIBCMT ref: 004738D0
Part of subcall function 004738B0: RtlEnterCriticalSection.NTDLL(?), ref: 004738D8

RtlEnterCriticalSection.NTDLL(?), ref: 0048532E

Strings

0qK, xrefs: 0048530A

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
String ID: 0qK
API String ID: 3996875869-201387053
Opcode ID: 69a13684a73d32e6954539c31b9c93f39a25b7fc2b0bf6f25b2faf958f54e35c
Instruction ID: 4e618067fdba670ebdd38684a80f14baaa3e52de34860d1fb056db24f8adae8f
Opcode Fuzzy Hash: 69a13684a73d32e6954539c31b9c93f39a25b7fc2b0bf6f25b2faf958f54e35c
Instruction Fuzzy Hash: 89D023B150050353DF2836755D4594E22C8D6803433558C3BFC41C1781C6FCD440511E

Uniqueness

Uniqueness Score: -1.00%

Function 00440836, Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,00000001,?,00000001), ref: 00440880
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 00440890
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 004408A0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000001), ref: 004408B0

Memory Dump Source

Source File: 00000000.00000002.217645187.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.217641291.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217729450.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217734732.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217738404.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000000.00000002.217743327.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000000.00000002.217747515.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 34905a60258e267033891654fce2c2b9631af5509893935f9be4b1a11f365f60
Instruction ID: f5b7847ec3e3bd656c91a83be2fb56ff3916769aaa799777b690de1bbeccda56
Opcode Fuzzy Hash: 34905a60258e267033891654fce2c2b9631af5509893935f9be4b1a11f365f60
Instruction Fuzzy Hash: 5E115E7224460C7EF250A6E1DD85F77B39CEB4DB45F100816BB49D6480E660F9048775

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aeevts.exe PID: 6096 Parent PID: 5732 aeevts.exeCOMMON

Executed Functions

Function 004204F0, Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004203C0: RegOpenKeyExW.KERNELBASE(80000001,00020019,00000000,00020019,?,F713F8EB), ref: 0042041B

Part of subcall function 00420BF0: _memcpy_s.LIBCMT ref: 00420C40

Part of subcall function 00420AB0: _memcpy_s.LIBCMT ref: 00420B9B

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CC0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CD8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411CE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411CF0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411CF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D00
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D08
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D10
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D18
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D20
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D28
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D30
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D38
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D40
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D48
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D50
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D58
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D60
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D68
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D70
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D78
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D80
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411D88
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411D90
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411D98
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DA0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DA8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DB0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DC0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DC8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DD8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DE0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411DE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411DF0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411DF8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E00
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E08
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E10
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E18
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E20
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E28
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E30

Part of subcall function 004202B0: _strlen.LIBCMT ref: 00420362

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E38
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E40
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E48
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E50
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E58
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E60
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E68
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E70
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E78
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E80
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411E88
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411E90
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411E98
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EA0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EA8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EB0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EB8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EC0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411ED0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411ED8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411EE8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411EF0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411EF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F00
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F08
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F10
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F18
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F20
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F28
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F30
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F38
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F40
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F48
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F50
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F58
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F60
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F68
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F70
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F78
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F80
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411F88
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411F90
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411F98
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FA0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FA8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FB0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FB8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FC0

Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FC8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FD0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FD8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FE0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00411FE8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00411FF0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00411FF8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412000
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412008
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412010
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412018
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412020
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412028
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412030
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412038
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412040
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412048
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412050
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412058
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412060
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412068
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412070
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412078
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412080
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412088
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412090
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412098
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120B0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120C8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120E0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004120E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004120F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004120F8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412100
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412108
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412110
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412118
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412120
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412128
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412130
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412138
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412140
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412148
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412150

Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412158
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412160
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412168
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412170
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412178
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412180
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412188
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412190
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412198
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121A0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121B8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121D0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004121E8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004121F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004121F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412200
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412208
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412210
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412218
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412220
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412228
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412230
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412238
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412240
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412248
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412250
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412258
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412260
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412268
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412270
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412278
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412280
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412288
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412290
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412298
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122A8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122C0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122D8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122E0

Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004122E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004122F0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004122F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412300
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412308
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412310
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412318
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412320
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412328
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412330
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412338
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412340
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412348
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412350
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412358
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412360
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412368
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412370
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412378
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412380
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412388
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412390
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412398
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123B0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123C8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123E0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004123E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004123F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004123F8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412400
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412408
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412410
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412418
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412420
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412428
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412430
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412438
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412440
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412448
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412450
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412458
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412460
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412468
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412470

Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412478
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412480
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412488
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412490
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412498
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124A0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124A8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124B8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124C0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124D0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124D8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004124E8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004124F0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004124F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412500
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412508
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412510
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412518
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412520
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412528
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412530
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412538
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412540
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412548
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412550
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412558
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412560
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412568
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412570
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412578
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412580
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412588
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 00412590
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 00412598
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125A0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125A8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125B0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125B8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125C0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125C8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125D0
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125D8
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125E0
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 004125E8
Part of subcall function 00411CB0: GetKeyState.USER32(0000000D), ref: 004125F0
Part of subcall function 00411CB0: GetKeyState.USER32(00000027), ref: 004125F8
Part of subcall function 00411CB0: GetKeyState.USER32(0000002D), ref: 00412600

FindResourceA.KERNEL32(00000000,00051A74,BRESSMON), ref: 00420858
VirtualAllocExNuma.KERNELBASE(00000000), ref: 004208AB

Part of subcall function 004119D0: GetKeyState.USER32(0000002D), ref: 00411B64
Part of subcall function 004119D0: GetKeyState.USER32(0000000D), ref: 00411B6C
Part of subcall function 004119D0: GetKeyState.USER32(00000027), ref: 00411B74
Part of subcall function 004119D0: GetKeyState.USER32(0000002D), ref: 00411B7C

Part of subcall function 00421300: LoadIconA.USER32(0042091A,00000080), ref: 004213BE

Part of subcall function 0043423D: __EH_prolog3_catch.LIBCMT ref: 00434244
Part of subcall function 0043423D: FindResourceA.KERNEL32(?,?,00000005), ref: 00434277
Part of subcall function 0043423D: LoadResource.KERNEL32(?,00000000), ref: 0043427F
Part of subcall function 0043423D: LockResource.KERNEL32(628467F9,00000024,00420938,00000000), ref: 00434290

Strings

@lI, xrefs: 00420784, 004207A6, 004207CB, 004207F0, 00420812, 00420831, 0042078A, 004207AC, 004207D1, 004207F6, 00420818, 00420837
Console, xrefs: 00420524
KERNEL32.DLL, xrefs: 0042057B
8jI, xrefs: 004206DE, 004208E3
^", xrefs: 00420559
Fuck Sophos, xrefs: 0042053B
BRESSMON, xrefs: 0042084C
QO, xrefs: 00420574

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: State$Resource$FindLoad_memcpy_s$AllocH_prolog3_catchIconLockNumaOpenVirtual_strlen
String ID: 8jI$@lI$BRESSMON$Console$Fuck Sophos$KERNEL32.DLL$QO$^"
API String ID: 627226005-3970943249
Opcode ID: f22c9730643b7756b3a20709b895979a51cb8869e764964b83260d751c7d8538
Instruction ID: 28d8c610258704822d2c56de676a98e4425bfe340b7e3afdb808a948f0630b27
Opcode Fuzzy Hash: f22c9730643b7756b3a20709b895979a51cb8869e764964b83260d751c7d8538
Instruction Fuzzy Hash: 37C14DB0D402289FDB24DF64DC5ABDEBBB4BB44304F1041EAE508A7292DB755B84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00450942, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00450985
PathFindExtensionA.KERNELBASE(?), ref: 0045099F
__strdup.LIBCMT ref: 004509E1
__strdup.LIBCMT ref: 00450A1A
__strdup.LIBCMT ref: 00450A5E
_strcat_s.LIBCMT ref: 00450A84
__strdup.LIBCMT ref: 00450A96

Strings

.INI, xrefs: 00450A77
.HLP, xrefs: 00450A46
.CHM, xrefs: 00450A3F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __strdup$ExtensionFileFindModuleNamePath_strcat_s
String ID: .CHM$.HLP$.INI
API String ID: 1153805871-4017452060
Opcode ID: 57dafd0c2345ca13c716e483e5e28e98ad2bcfdff3d937972c125f05c621c4c4
Instruction ID: e152d328a9782d2fbb0655f3a93d4856c3c47a001cb3f732594ca68d6527186b
Opcode Fuzzy Hash: 57dafd0c2345ca13c716e483e5e28e98ad2bcfdff3d937972c125f05c621c4c4
Instruction Fuzzy Hash: 01415FB55003089FEB30EF66CC85B9B77E8BF14305F00482BE945D6242EB78E948CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0043ABF3, Relevance: 16.6, APIs: 11, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(004B92A4), ref: 0043AC02
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,004B9288,0043B058,00000004,00436EA6,004263DA,00436F0F,0042819F,00000000,0042820B,00000001), ref: 0043AC58
GlobalHandle.KERNEL32(0054E430), ref: 0043AC61
GlobalUnWire.KERNEL32(00000000), ref: 0043AC6A
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0043AC81
GlobalHandle.KERNEL32(0054E430), ref: 0043AC93
GlobalFix.KERNEL32(00000000), ref: 0043AC9A
RtlLeaveCriticalSection.NTDLL(?), ref: 0043ACA4
GlobalFix.KERNEL32(00000000), ref: 0043ACB0
_memset.LIBCMT ref: 0043ACC9
RtlLeaveCriticalSection.NTDLL(?), ref: 0043ACF5

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Global$CriticalSection$AllocHandleLeave$EnterWire_memset
String ID:
API String ID: 9613507-0
Opcode ID: 60a6bd20c22d4e19049fde06165cdbf6700089dc543a5a62e2ed017185475871
Instruction ID: e2acf13cf94ea486f614e5ab0777da4e905886f84245dce22b7c56829da3bc2b
Opcode Fuzzy Hash: 60a6bd20c22d4e19049fde06165cdbf6700089dc543a5a62e2ed017185475871
Instruction Fuzzy Hash: B531A931240B04AFD7259F34DC48A2AB7E8FB58345F20692FF992C7651EB78F8148B19

Uniqueness

Uniqueness Score: -1.00%

Function 0043C8BF, Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 0043C8CC
GetSystemMetrics.USER32(0000000C), ref: 0043C8D3
GetSystemMetrics.USER32(00000002), ref: 0043C8DA
GetSystemMetrics.USER32(00000003), ref: 0043C8E4
GetDC.USER32(00000000), ref: 0043C8EE
GetDeviceCaps.GDI32(00000000,00000058), ref: 0043C8FF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043C907
ReleaseDC.USER32(00000000,00000000), ref: 0043C90F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: 97191096b00d77558c05f8ff526960d5c2c821391b050ff4e16237b8a0a0d0c5
Instruction ID: 8f4a2c6853b47d531706ec53ad1d093e90908563051e19cdb58132eaef453e8b
Opcode Fuzzy Hash: 97191096b00d77558c05f8ff526960d5c2c821391b050ff4e16237b8a0a0d0c5
Instruction Fuzzy Hash: 43F01D71A40B04AFE7206BB19C4AF277BB4EB91B11F11497AE6418B2D0D6B598018F54

Uniqueness

Uniqueness Score: -1.00%

Function 00450AC1, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000), ref: 00450ACA
SetErrorMode.KERNELBASE(00000000), ref: 00450AD2

Part of subcall function 004362AE: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004362EF
Part of subcall function 004362AE: SetLastError.KERNEL32(0000006F), ref: 00436309

GetModuleHandleA.KERNEL32(user32.dll), ref: 00450B24
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00450B34

Part of subcall function 00450942: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00450985
Part of subcall function 00450942: PathFindExtensionA.KERNELBASE(?), ref: 0045099F
Part of subcall function 00450942: __strdup.LIBCMT ref: 004509E1

Strings

NotifyWinEvent, xrefs: 00450B2E
user32.dll, xrefs: 00450B1F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc__strdup
String ID: NotifyWinEvent$user32.dll
API String ID: 2454351968-597752486
Opcode ID: ec34f68550c7bab1aabb0d8ef77cb10f4a69e5d165261d1c4140b0de9de310a8
Instruction ID: 846f55b9a043e0f090bf512711f9740b481fa0ef53553220280576750a1f20e4
Opcode Fuzzy Hash: ec34f68550c7bab1aabb0d8ef77cb10f4a69e5d165261d1c4140b0de9de310a8
Instruction Fuzzy Hash: 84017CB4A102115FCB50EF75C84AA1A3BE8AF58715F16846FB44487262CB38D848CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004370B4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,004B4E6C,00000000,00000001,?), ref: 004370F7
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 00437117
RegCloseKey.ADVAPI32(?), ref: 0043715B

Strings

lNK, xrefs: 004370DD

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: lNK
API String ID: 3677997916-829952453
Opcode ID: 926f0717ac76e5b8c098fe0a98bef25dbc97c5dafafaab7653eebb67bd9faf12
Instruction ID: 9327fd2eab7472b8b4679cac3d111e8646d149e96cec5fba28668fa16a9c5724
Opcode Fuzzy Hash: 926f0717ac76e5b8c098fe0a98bef25dbc97c5dafafaab7653eebb67bd9faf12
Instruction Fuzzy Hash: C02137B2D04208EFDF25CF85C885AAEFBB8FF94301F2050ABE481A6310D3749A40DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004362AE, Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 004361D1: GetModuleHandleA.KERNEL32(KERNEL32), ref: 004361DF

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004362EF
SetLastError.KERNEL32(0000006F), ref: 00436309

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Module$ErrorFileHandleLastName
String ID:
API String ID: 613274587-0
Opcode ID: 203ae505bdb90cc8074560aa833afbacde3b547578d442adef1d2979f8b38998
Instruction ID: 5e2a219e443b85b366c628ed7903ebaf8665594a45b56253709aff8edcfd3d58
Opcode Fuzzy Hash: 203ae505bdb90cc8074560aa833afbacde3b547578d442adef1d2979f8b38998
Instruction Fuzzy Hash: F1214F719003099EDB70EFA9D8447EFB7B8BB09318F11822EE8699A1C1DB785548CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0047364E, Relevance: 3.0, APIs: 2, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00465721,00000001), ref: 0047365F
HeapDestroy.KERNEL32 ref: 00473695

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: 853fb3dd6d985ecc2da1b0663cf20fc8c480ebd2d1f2776c26351d468cdbf7d1
Instruction ID: 5a6bd0caa0af8c9ba51958b858ecb0b934c87a70ea17b92affc1d19ef66e5c48
Opcode Fuzzy Hash: 853fb3dd6d985ecc2da1b0663cf20fc8c480ebd2d1f2776c26351d468cdbf7d1
Instruction Fuzzy Hash: E0E06DB0612301AFEB615F319C097BA7694EB5274BF10893BF105C43A0EBA98A51FB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0043871A, Relevance: 3.0, APIs: 2, Instructions: 15threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043872D
SetWindowsHookExA.USER32(000000FF,Function_00038586,00000000,00000000), ref: 0043873D

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CurrentHookThreadWindows
String ID:
API String ID: 1904029216-0
Opcode ID: 6c76bb69da60c37322477c080248d22df1013da82aa6d5a40da6090b00ecc20d
Instruction ID: 58e7bcf6d398a9cd06a5f60b95b17d72379c8291a62482560945d420e8dc7bc2
Opcode Fuzzy Hash: 6c76bb69da60c37322477c080248d22df1013da82aa6d5a40da6090b00ecc20d
Instruction Fuzzy Hash: 10D05E718056183EEB212B706C0DB5A7A904B1C360F25536BF410921D1CA6848404B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004203C0, Relevance: 1.6, APIs: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00020019,00000000,00020019,?,F713F8EB), ref: 0042041B

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8902ab82161f437cd902d8d2e6cf86e3b96349bb478a030790a9ad83640b92f3
Instruction ID: 9378b56a913bf7dc4b63e55889d6f8b93d445e0b68a24e78eaa85000958afa91
Opcode Fuzzy Hash: 8902ab82161f437cd902d8d2e6cf86e3b96349bb478a030790a9ad83640b92f3
Instruction Fuzzy Hash: 6211C170A04248EFDB10DF94D841BEEBBB0EB04724F10821AF9256B3C2C7B95605CB95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A270, Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 346windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F61B: __EH_prolog3.LIBCMT ref: 0042F622
Part of subcall function 0042F61B: BeginPaint.USER32(?,?,00000004,00403460,?,F713F8EB), ref: 0042F64E

Part of subcall function 0040A8A0: CreateCompatibleDC.GDI32(?), ref: 0040A971
Part of subcall function 0040A8A0: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0040A9C1

GetClientRect.USER32(?,?), ref: 0040A2E3
DNameNode::DNameNode.LIBCMTD ref: 0040A2EF
IsWindowVisible.USER32(?), ref: 0040A37C
GetDC.USER32(?), ref: 0040A416
CreateCompatibleDC.GDI32(?), ref: 0040A453
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0040A47D
BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 0040A517
ReleaseDC.USER32(?,?), ref: 0040A548
GetSysColor.USER32(0000000F), ref: 0040A575
CreateRectRgn.GDI32(?,?,?,?), ref: 0040A66E
IsWindowVisible.USER32(?), ref: 0040A6EB
BitBlt.GDI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 0040A78F
InvalidateRect.USER32(?,00000000,00000001), ref: 0040A7FA

Strings

0iI, xrefs: 0040A484, 0040A48F
iI, xrefs: 0040A675, 0040A67D, 0040A680

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Create$Compatible$Rect$BitmapNameVisibleWindow$BeginClientColorH_prolog3InvalidateNodeNode::PaintRelease
String ID: iI$0iI
API String ID: 290123182-2563602027
Opcode ID: 8fa47df8f02ab3e7f3b5312e5676ca93afd868c86ae82339c73acd550e6c93f1
Instruction ID: a5f2e8ce51b53b4e0e2fd97db3d16e67a1ecd7d8008d5d169ef1374511310b9a
Opcode Fuzzy Hash: 8fa47df8f02ab3e7f3b5312e5676ca93afd868c86ae82339c73acd550e6c93f1
Instruction Fuzzy Hash: FF023270A01228DFDB24DB55CC94BDAB7B5BF49304F1081EAE50DAB291CB74AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004441D1, Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 483windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004441D8
IsIconic.USER32(?), ref: 00444420
SetForegroundWindow.USER32(?), ref: 00444442
SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00444760
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 004447A2

Strings

[printto(", xrefs: 004442C6
[print(", xrefs: 0044426D
[open(", xrefs: 00444211
",", xrefs: 00444496, 0044449B, 00444573, 0044464B

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$ForegroundH_prolog3IconicPostSendWindow
String ID: ","$[open("$[print("$[printto("
API String ID: 3303669223-3790869113
Opcode ID: 80bef68be650fb9280e84282c6a522f432f6bc73d9bcb1ca62a013c514ebbc57
Instruction ID: e2902cee9f32c3bc013ba18211be509e1ace9a7a8bb546de2190923f7aa83874
Opcode Fuzzy Hash: 80bef68be650fb9280e84282c6a522f432f6bc73d9bcb1ca62a013c514ebbc57
Instruction Fuzzy Hash: F912B471900148AFDB04EFB5C845FEE7BB4AF04318F04825EF556AB2D2DB789A44C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00460294, Relevance: 15.1, APIs: 10, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,00000046,00000000,?), ref: 004602A9
GetWindowRect.USER32(?,?), ref: 004602C1
SetRect.USER32(?,?,00000000,?,?), ref: 00460300
InvalidateRect.USER32(?,?,00000001), ref: 0046030F
SetRect.USER32(?,?,00000000,?,?), ref: 00460326
InvalidateRect.USER32(?,?,00000001), ref: 00460335
SetRect.USER32(?,00000000,?,?,?), ref: 00460365
InvalidateRect.USER32(?,?,00000001), ref: 00460370
SetRect.USER32(?,00000000,?,?,?), ref: 00460387
InvalidateRect.USER32(?,?,00000001), ref: 00460392

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Invalidate$Window$NtdllProc_
String ID:
API String ID: 1652583904-0
Opcode ID: 385edbd70a18fadcac8e3427365bb059f2ef12fc4736ae8b9c45ce590d3980c9
Instruction ID: 407d50c58f8772814aa42725c578cd41ae09de308f76131f82ece4ddd533c623
Opcode Fuzzy Hash: 385edbd70a18fadcac8e3427365bb059f2ef12fc4736ae8b9c45ce590d3980c9
Instruction Fuzzy Hash: 6A31F876900609BFDB05CFA4DD48EAA7B7CFB08300F500166FA05A65A0D770AE54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004226C0, Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004226E3

Part of subcall function 0042F61B: __EH_prolog3.LIBCMT ref: 0042F622
Part of subcall function 0042F61B: BeginPaint.USER32(?,?,00000004,00403460,?,F713F8EB), ref: 0042F64E

SendMessageA.USER32(?,00000027,?,00000000), ref: 00422731
GetSystemMetrics.USER32(0000000B), ref: 00422739
GetSystemMetrics.USER32(0000000C), ref: 00422744
GetClientRect.USER32(?,?), ref: 0042275B
DrawIcon.USER32(?,?,?,?), ref: 004227AE

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$BeginClientDrawH_prolog3IconIconicMessagePaintRectSend
String ID:
API String ID: 1007970657-0
Opcode ID: c4775e1b0057be5be56597757b0758ac09018714619a6a2af68f45414290b3f7
Instruction ID: cb4eabbd25a76ecc2f7b7f655f634345c77bf9840e70a3d59a4f74e0e289060c
Opcode Fuzzy Hash: c4775e1b0057be5be56597757b0758ac09018714619a6a2af68f45414290b3f7
Instruction Fuzzy Hash: 5B313075A00119DFDB24DFA8D944F9EB7B4FF48300F5082AAE549E7241DA30AA44CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0043255B, Relevance: 6.2, APIs: 4, Instructions: 209stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00432562
lstrlenW.KERNEL32(?,0000F094,00000000), ref: 0043260A
__snprintf_s.LIBCMT ref: 0043264B

Part of subcall function 00465CF1: __getptd_noexit.LIBCMT ref: 00465CF1

CreateBindCtx.OLE32(00000000,?), ref: 004326BE

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: BindCreateH_prolog3___getptd_noexit__snprintf_slstrlen
String ID:
API String ID: 3427527274-0
Opcode ID: a0bc7940a659429db96e58eb6f52ef393b0811fbc4d56d6921694b3da0e8c578
Instruction ID: 96cf41e50bdfd332d0aeceac6a5c2fa2a9e46b472b69865fae0fad40055bc79e
Opcode Fuzzy Hash: a0bc7940a659429db96e58eb6f52ef393b0811fbc4d56d6921694b3da0e8c578
Instruction Fuzzy Hash: 41713571900209AFCF11EFA9C9859EEBBB9FF48300F14515AF901BB261DB799911DF24

Uniqueness

Uniqueness Score: -1.00%

Function 0042A331, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042A33B

Part of subcall function 0043B004: __EH_prolog3.LIBCMT ref: 0043B00B

CallNextHookEx.USER32(?,?,?,?), ref: 0042A37F

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

GetClassLongA.USER32(?,000000E6), ref: 0042A3C3
GlobalGetAtomNameA.KERNEL32 ref: 0042A3ED
SetWindowLongA.USER32(?,000000FC,Function_00028BEF), ref: 0042A442
_memset.LIBCMT ref: 0042A48C
GetClassLongA.USER32(?,000000E0), ref: 0042A4BC
GetClassNameA.USER32(?,?,00000100), ref: 0042A4DD
GetWindowLongA.USER32(?,000000FC), ref: 0042A501
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A51B
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 0042A526
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A52E
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 0042A536
SetWindowLongA.USER32(?,000000FC,Function_0002A1ED), ref: 0042A544
CallNextHookEx.USER32(?,00000003,?,?), ref: 0042A55C
UnhookWindowsHookEx.USER32(?), ref: 0042A570

Strings

ime, xrefs: 0042A3F6
#32768, xrefs: 0042A49E, 0042A4A3, 0042A4ED
AfxOldWndProc423, xrefs: 0042A514, 0042A519, 0042A524, 0042A52C, 0042A535

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: 73982f17cc36d2f013fe1e905a3d4d504a4f4abae111ffd8d770bfa0b9a947d7
Instruction ID: 499761b1f5bf5645989e73fd14c2c6e9b9c300b16c1c6bc20af451b6293831c7
Opcode Fuzzy Hash: 73982f17cc36d2f013fe1e905a3d4d504a4f4abae111ffd8d770bfa0b9a947d7
Instruction Fuzzy Hash: E3610A71600235AFCB21AF61EC09BAF7B78EF14325F500166FA05A6291C778DE91CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004302A4, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 244windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004302AB
CreateCompatibleDC.GDI32(00000000), ref: 004302FD
CreateCompatibleDC.GDI32(00000000), ref: 00430311
CreateCompatibleDC.GDI32(00000000), ref: 00430325
GetObjectA.GDI32(00000004,00000018,?), ref: 00430344

Part of subcall function 0042F80C: CreateBitmap.GDI32(?,?,?,?,?), ref: 0042F821

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00498514), ref: 0043038F

Part of subcall function 0042F7D9: CreatePatternBrush.GDI32(?), ref: 0042F7E8

Part of subcall function 0042F784: DeleteObject.GDI32(00000000), ref: 0042F793

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004303B7

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 004303F7

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00430423
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00430447
FillRect.USER32(?,?,?), ref: 004304AB
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 004304DB
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 004304F2
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00430505

Strings

\I, xrefs: 00430537, 0043039E
0iI, xrefs: 00430546, 00430392, 0043039A, 004303A6, 004303BA, 0043039D
wB, xrefs: 004302B2

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Create$BitmapCompatibleObject$Color$BrushDeleteFillH_prolog3PatternPixelRectSelect
String ID: 0iI$wB$\I
API String ID: 3964690028-2814042032
Opcode ID: 1adcd9f24de79e74118a777d421bb0be50624f06a4af3255cc6a06b3fa039e5d
Instruction ID: 91168940268c9d8a5546851508e18be2bb985b01754f22cd82b4ddd7f4c697f5
Opcode Fuzzy Hash: 1adcd9f24de79e74118a777d421bb0be50624f06a4af3255cc6a06b3fa039e5d
Instruction Fuzzy Hash: F391F171D00518AEDF11EFA6DC819AEBBB9FF18344FA0813AF505A2162DB358E05DF24

Uniqueness

Uniqueness Score: -1.00%

Function 0044E55A, Relevance: 26.0, APIs: 17, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0044E5AD
IsWindowEnabled.USER32(?), ref: 0044E609
__EH_prolog3_catch.LIBCMT ref: 0044E657
GetFocus.USER32 ref: 0044E677
GetParent.USER32(?), ref: 0044E6C2
GetParent.USER32(?), ref: 0044E6D2
GetKeyState.USER32(00000012), ref: 0044E790
IsDialogMessage.USER32(?,?), ref: 0044E844
GetFocus.USER32 ref: 0044E857
GetFocus.USER32 ref: 0044E864
IsWindow.USER32(?), ref: 0044E87C
GetFocus.USER32 ref: 0044E888
IsWindow.USER32(?), ref: 0044E89E
GetFocus.USER32 ref: 0044E8A4
GetKeyState.USER32(00000010), ref: 0044E8CD
MessageBeep.USER32(00000000), ref: 0044E9C4

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: 82b3af95aecdc3c64c8c66b8b1109eea5db241706e8a53fd015ed2149d75c2ce
Instruction ID: 63f18a325ef36462573c898fe22aa6b3f53fb9ba84cbda3cdd3129b4ca924c76
Opcode Fuzzy Hash: 82b3af95aecdc3c64c8c66b8b1109eea5db241706e8a53fd015ed2149d75c2ce
Instruction Fuzzy Hash: E9F1BC31A00215ABFF21AFA7C845ABEBBA5FF50314F55402BE815A72A1DB3CDC41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00430584, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 202windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043058B

Part of subcall function 0042F834: CreateCompatibleDC.GDI32(?), ref: 0042F843

GetObjectA.GDI32(00000003,00000018,?), ref: 004305FB
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,00498524), ref: 0043061C

Part of subcall function 0042F7D9: CreatePatternBrush.GDI32(?), ref: 0042F7E8

CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00430646

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 00430686

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004306B3
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 004306D7
FillRect.USER32(00000003,?,?), ref: 00430724

Part of subcall function 0042ED21: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 0042ED47

Strings

0iI, xrefs: 004306E4
\I, xrefs: 004307B3, 0043062B
wB, xrefs: 00430592
0iI, xrefs: 004307C2, 0043061F, 00430627, 00430633, 00430649, 0043062A

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Create$BitmapColorObject$BrushCompatibleFillH_prolog3PatternPixelRectSelect
String ID: 0iI$0iI$wB$\I
API String ID: 1458925443-2140233288
Opcode ID: 8067348be2bace1e674a51faef78af393769356911e534233f3a737049054a04
Instruction ID: 110fad3c76ad8e1cd43b7353e9a83c7aeb14935e3bfbe93795b9b330122dfed8
Opcode Fuzzy Hash: 8067348be2bace1e674a51faef78af393769356911e534233f3a737049054a04
Instruction Fuzzy Hash: A8811371A0021CAFDF11EF96DD85DEEBBBAFF08304F50402AF505A6261DB359A14DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042E0B7, Relevance: 19.7, APIs: 13, Instructions: 231windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042E0BE

Part of subcall function 0042DE24: CreateRectRgnIndirect.GDI32(?), ref: 0042DE2B

CopyRect.USER32(?,?), ref: 0042E0F7
InflateRect.USER32(?,?,?), ref: 0042E10D
IntersectRect.USER32(?,?,?), ref: 0042E11B
CreateRectRgnIndirect.GDI32(?), ref: 0042E125
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E138

Part of subcall function 0042DE58: CombineRgn.GDI32(?,?,00000002,?), ref: 0042DE7B

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E1A4
CopyRect.USER32(?,?), ref: 0042E1C1
InflateRect.USER32(?,?,?), ref: 0042E1D7
IntersectRect.USER32(?,?,?), ref: 0042E1E5
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042E21B

Part of subcall function 0042E014: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 0042E05A
Part of subcall function 0042E014: CreatePatternBrush.GDI32(00000000), ref: 0042E067
Part of subcall function 0042E014: DeleteObject.GDI32(00000000), ref: 0042E073

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0042E290

Part of subcall function 0042F90A: SelectObject.GDI32(?,00000000), ref: 0042F92C
Part of subcall function 0042F90A: SelectObject.GDI32(?,?), ref: 0042F942

PatBlt.GDI32(00000004,?,?,?,?,005A0049), ref: 0042E2E3

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3Pattern
String ID:
API String ID: 3342639795-0
Opcode ID: aa68fd6fd8ef8442c081ef009ed5e14ffa9a24ab2af976772d0b64a42f5b89e0
Instruction ID: c149187e7549750f4c2a0f0e379a0031e31000bc3c02936a9b7c84e8d2a2376e
Opcode Fuzzy Hash: aa68fd6fd8ef8442c081ef009ed5e14ffa9a24ab2af976772d0b64a42f5b89e0
Instruction Fuzzy Hash: 17912771A0011DEFCF01EFA5D9859EEBBB8BF18304F90416AF505A7250DB38AE05CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00442676, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 230windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00442695

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

DeleteMenu.USER32(?,?,00000000,0000001C), ref: 00442715
GetCurrentDirectoryA.KERNEL32(00000104,00000000,0000001C), ref: 0044272B
lstrlen.KERNEL32(00000000), ref: 00442745
_strcpy_s.LIBCMT ref: 00442837
_swprintf.LIBCMT ref: 00442852
InsertMenuA.USER32(?,00000000,00000400,00000000), ref: 004428A3
GetMenuItemCount.USER32(?), ref: 004428DB

Strings

1&0 , xrefs: 0044282A
&%d , xrefs: 00442845
%d , xrefs: 00442821

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$CountCurrentDeleteDirectoryException@8H_prolog3InsertItemThrow_strcpy_s_swprintflstrlen
String ID: %d $&%d $1&0
API String ID: 3885313219-3595371996
Opcode ID: ac8198ef75e2976b51245f14a098b090110f20a52acbe8d1021ad1fbd4cf17d1
Instruction ID: aee3482aec6ca39b170370058d95a2fd56db2cdb34d447c800835202d058f695
Opcode Fuzzy Hash: ac8198ef75e2976b51245f14a098b090110f20a52acbe8d1021ad1fbd4cf17d1
Instruction Fuzzy Hash: 8591D270A00209DFDB14DFA4C981BBEB7B4FF08304F10412EF95697282DBB8A945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00430071, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00430078
GetSysColor.USER32(00000014), ref: 004300B5

Part of subcall function 0042FD14: __EH_prolog3.LIBCMT ref: 0042FD1B
Part of subcall function 0042FD14: CreateSolidBrush.GDI32(?), ref: 0042FD36

GetSysColor.USER32(00000010), ref: 004300C6

Part of subcall function 0042F834: CreateCompatibleDC.GDI32(?), ref: 0042F843

GetObjectA.GDI32(00000004,00000018,?), ref: 00430106
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043011F

Part of subcall function 0042F871: SelectObject.GDI32(?,?), ref: 0042F879

GetPixel.GDI32(?,00000000,00000000), ref: 00430166

Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E5F5
Part of subcall function 0042E5DB: SetBkColor.GDI32(?,?), ref: 0042E603

BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00430193
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 004301B7

Part of subcall function 0042E353: SetBkColor.GDI32(00000000,?), ref: 0042E362
Part of subcall function 0042E353: ExtTextOutA.GDI32(00000000,00000000,00000000,00000002,000000FE,00000000,00000000,00000000), ref: 0042E394

Part of subcall function 0042F90A: SelectObject.GDI32(?,00000000), ref: 0042F92C
Part of subcall function 0042F90A: SelectObject.GDI32(?,?), ref: 0042F942

Part of subcall function 0042ED21: BitBlt.GDI32(?,?,?,?,?,?,?,?,?), ref: 0042ED47

Strings

0iI, xrefs: 004301B9
wB, xrefs: 0043007F
0iI, xrefs: 00430276, 00430126

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$Object$CreateSelect$H_prolog3$BitmapBrushCompatiblePixelSolidText
String ID: 0iI$0iI$wB
API String ID: 2841110477-942363113
Opcode ID: 0900d93e5530260d9fabd8d1422d3e7a3f6d03afb6f2bd4f3c2b8b3d7ab43a82
Instruction ID: 80bfc1c15978f71c2c866403cdb6cebd9129e582f79e580015248d5566d36213
Opcode Fuzzy Hash: 0900d93e5530260d9fabd8d1422d3e7a3f6d03afb6f2bd4f3c2b8b3d7ab43a82
Instruction Fuzzy Hash: 5E613371A00118AFDF02EFD1DD91AEEBF79EF08304F90402AF505A6261CB359A55DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0045455E, Relevance: 18.1, APIs: 12, Instructions: 121filetimeCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 00454572
GetLastError.KERNEL32(?), ref: 00454589
SetFileAttributesA.KERNEL32(?,?), ref: 004545A7
GetLastError.KERNEL32(?), ref: 004545B4
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 0045461E
GetLastError.KERNEL32(?), ref: 0045462E
SetFileTime.KERNEL32(00000000,?,?,?), ref: 00454641
GetLastError.KERNEL32(?), ref: 0045464E
CloseHandle.KERNEL32(00000000), ref: 00454657
GetLastError.KERNEL32(?), ref: 00454664
SetFileAttributesA.KERNEL32(?,?), ref: 0045467F
GetLastError.KERNEL32(?), ref: 0045468C

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ErrorLast$File$Attributes$CloseCreateHandleTime
String ID:
API String ID: 3867745407-0
Opcode ID: c3ea9bbbf0563371f2a04e578cf53339922c218aed8040f2efd7e5ff1f779a26
Instruction ID: 867b42768f93d0b9de139925877ef4b9d275edb4965efe40d64b1a4efea75cc0
Opcode Fuzzy Hash: c3ea9bbbf0563371f2a04e578cf53339922c218aed8040f2efd7e5ff1f779a26
Instruction Fuzzy Hash: D4418371900208BBCB21AFA1DD44E9F7FB8EF44319F10446AF8159A152D738AA84DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004361D2, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32), ref: 004361DF
GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 00436200
GetProcAddress.KERNEL32(ReleaseActCtx), ref: 00436212
GetProcAddress.KERNEL32(ActivateActCtx), ref: 00436224
GetProcAddress.KERNEL32(DeactivateActCtx), ref: 00436236

Strings

KERNEL32, xrefs: 004361DA
DeactivateActCtx, xrefs: 00436226
ActivateActCtx, xrefs: 00436214
ReleaseActCtx, xrefs: 00436202
CreateActCtxW, xrefs: 004361FA

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-2424895508
Opcode ID: 169955e2fa58e1b057438599d254ba8111878c595b0cf4ff5b710bbd0ea05eae
Instruction ID: a8738d942849b9358f56c854035916489acea440a0dfff84b8e6a3f67ccc025b
Opcode Fuzzy Hash: 169955e2fa58e1b057438599d254ba8111878c595b0cf4ff5b710bbd0ea05eae
Instruction Fuzzy Hash: 8EF0F870D55324BFCF19EF7DAC19A863EA4EA157003208ABBAB04D2371DBB848408F4D

Uniqueness

Uniqueness Score: -1.00%

Function 0043423D, Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00434244
FindResourceA.KERNEL32(?,?,00000005), ref: 00434277
LoadResource.KERNEL32(?,00000000), ref: 0043427F
LockResource.KERNEL32(628467F9,00000024,00420938,00000000), ref: 00434290
GetDesktopWindow.USER32 ref: 004342C3
IsWindowEnabled.USER32(00000000), ref: 004342D1
EnableWindow.USER32(00000000,00000000), ref: 004342E0

Part of subcall function 0042D216: IsWindowEnabled.USER32(?), ref: 0042D21F

Part of subcall function 0042D231: EnableWindow.USER32(?,00000000), ref: 0042D23E

EnableWindow.USER32(00000000,00000001), ref: 004343BC
GetActiveWindow.USER32 ref: 004343C7
SetActiveWindow.USER32(00000000,?,00000024,00420938,00000000), ref: 004343D5
FreeResource.KERNEL32(628467F9,?,00000024,00420938,00000000), ref: 004343F1

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: ba77e99a7422cc0034ba54e50669e459d15d1efcdfdf9e9cfe03b78629492daf
Instruction ID: c9ebe7ec55a414e5fca565b3692fdaa7cdb2652bd7f2073380e5c2447dd9846e
Opcode Fuzzy Hash: ba77e99a7422cc0034ba54e50669e459d15d1efcdfdf9e9cfe03b78629492daf
Instruction Fuzzy Hash: 0551A030B00705DBCF21AFA5D8456AEBAB1BF88715F60103FE501B72A1CB785D41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00424070, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 284stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 004240F2
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,00000400,?,?,00000002), ref: 004241F7
CharUpperA.USER32(?,00000400,?,?,00000002), ref: 00424234
lstrlen.KERNEL32(00000000,?,00000002), ref: 00424259
MultiByteToWideChar.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000400,?,00000400,00000002,00000400,?,00000002), ref: 00424374
_wcscpy_s.LIBCMT ref: 004243D4

Strings

W, xrefs: 004242AA
P, xrefs: 004243EE
W, xrefs: 00424143

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Char$ByteMultiWidelstrlen$Upper_wcscpy_s
String ID: P$W$W
API String ID: 35703797-3161791867
Opcode ID: 978f81365cd5560f42e0942264eeb1a124de45c093bb828ee0927418b0489d08
Instruction ID: 3c6f67d8651cea7fbb7bcecd28b7f34013ed8dfd131e73d639f2fd49a219a0cf
Opcode Fuzzy Hash: 978f81365cd5560f42e0942264eeb1a124de45c093bb828ee0927418b0489d08
Instruction Fuzzy Hash: 8DD12AB0E00228DFDF24DF95D844BAEB7B1FF88314F60819AE519A7280C7785A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1ED, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0042A1F4
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042A203
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0042A25D

Part of subcall function 00428A86: GetWindowRect.USER32(?,10000000), ref: 00428AAE
Part of subcall function 00428A86: GetWindow.USER32(?,00000004), ref: 00428ACB

SetWindowLongA.USER32(?,000000FC,?), ref: 0042A284
RemovePropA.USER32(?,AfxOldWndProc423), ref: 0042A28C
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0042A293
GlobalDeleteAtom.KERNEL32(00000000), ref: 0042A29A

Part of subcall function 00426B29: GetWindowRect.USER32(?,00000000), ref: 00426B35

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 0042A2EE

Strings

AfxOldWndProc423, xrefs: 0042A1FC, 0042A201, 0042A28A, 0042A292

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: 6459d67e17c8a170ac8695b4defba54b38b17e9b686a0a0181cb5a68e01b1634
Instruction ID: f1cd393b2c9c9304a29548e6a6e91f8cc26ee96e069cdfd14c527dffd22137c8
Opcode Fuzzy Hash: 6459d67e17c8a170ac8695b4defba54b38b17e9b686a0a0181cb5a68e01b1634
Instruction Fuzzy Hash: 2A318272901529EBCF02AFE5ED49DBF7A78EF15310F90006BF901A5151CB398A20DB7A

Uniqueness

Uniqueness Score: -1.00%

Function 0046C54E, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,004AFD30,0000000C,0046C660,00000000,00000000,?,004249E7,?,?,00000000,00431A77,0000000C,00000004,00401F8C,8007000E), ref: 0046C55F
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0046C588
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0046C598
InterlockedIncrement.KERNEL32(004B6290), ref: 0046C5BA
__lock.LIBCMT ref: 0046C5C2
___addlocaleref.LIBCMT ref: 0046C5E1

Strings

DecodePointer, xrefs: 0046C590
EncodePointer, xrefs: 0046C57C
KERNEL32.DLL, xrefs: 0046C55A

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: a3110f36c8834da6c2413e0d0f0afb2cbdd0e05e989669e300dc8c9146871146
Instruction ID: 792b06a3d80afc4c73e10b188a7f336fb8bb5b6ecec27aca7ba1407ae78f8da5
Opcode Fuzzy Hash: a3110f36c8834da6c2413e0d0f0afb2cbdd0e05e989669e300dc8c9146871146
Instruction Fuzzy Hash: 141151B0900B019FD720EF76D845B5ABBE0AF14304F10492FE59A96390D7B8A9408F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0045066A, Relevance: 15.2, APIs: 10, Instructions: 224COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450689
__mbsinc.LIBCMT ref: 004506E7
__mbsinc.LIBCMT ref: 004506F6
__mbsinc.LIBCMT ref: 0045072C
__mbsinc.LIBCMT ref: 0045077B
__mbsinc.LIBCMT ref: 004507C9
__splitpath_s.LIBCMT ref: 004507FF
__splitpath_s.LIBCMT ref: 0045084B
__makepath_s.LIBCMT ref: 0045088A
_strcpy_s.LIBCMT ref: 004508A9

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __mbsinc$__splitpath_s$H_prolog3__makepath_s_strcpy_s
String ID:
API String ID: 545433585-0
Opcode ID: fc881cb3137b76310346386a42b85b12935baa44db866bba5500a1f336251b9c
Instruction ID: 9add3b73befbe0644d13e2e6a8bb9cd025d9c8afa47b86a934318b5e7d6fbc65
Opcode Fuzzy Hash: fc881cb3137b76310346386a42b85b12935baa44db866bba5500a1f336251b9c
Instruction Fuzzy Hash: 7081C4B59001499FDB15EFA4C891FEE77B8AF09314F14015EF901A7282D738AE45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00432345, Relevance: 15.2, APIs: 10, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00432364
GetMenuItemCount.USER32(?), ref: 0043238A
GetSubMenu.USER32(?,?), ref: 004323BD
GetMenuState.USER32(?,?,00000400), ref: 004323CD
GetSubMenu.USER32(?,?), ref: 0043242B
GetMenuStringA.USER32(?,?,00000000,00000100,00000400), ref: 00432444
AppendMenuA.USER32(00000000,00000010,00000000,?), ref: 00432499
GetMenuItemCount.USER32(00000000), ref: 004324CC
GetMenuItemID.USER32(?,?), ref: 004324F6
InsertMenuA.USER32(?,?,00000000,00000000), ref: 00432506

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$AppendH_prolog3InsertStateString
String ID:
API String ID: 915444591-0
Opcode ID: 3b6f262ffa35d775a6a71c9e49e5d60e03f93ad9a811f74e27f12fc7ecde7cbc
Instruction ID: 5cda6fe1ebb2a8f0457b82e3c4450cdc0e07c22664c3669c9d3d3987056659dd
Opcode Fuzzy Hash: 3b6f262ffa35d775a6a71c9e49e5d60e03f93ad9a811f74e27f12fc7ecde7cbc
Instruction Fuzzy Hash: 0E615771900219EFCF25DF94DD85AEEBBB1FF18314F50402AE905A62A0D7785A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0043404D, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00434054
GetSystemMetrics.USER32(0000002A), ref: 00434105
GlobalFix.KERNEL32(00000000), ref: 0043416E
CreateDialogIndirectParamA.USER32(72AFF916,?,00051A74,00433A0C,00000000), ref: 0043419D

Strings

MS Shell Dlg, xrefs: 0043410F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 3629235202-76309092
Opcode ID: 52c7093d10b9740256b16c417f8d73e4e6f4d323d1a6a1783ae72f853e49db5c
Instruction ID: 0b92763112ac87aa3483198eaeb9158f3da4aa1ccc37268257b5c62af80f00bf
Opcode Fuzzy Hash: 52c7093d10b9740256b16c417f8d73e4e6f4d323d1a6a1783ae72f853e49db5c
Instruction Fuzzy Hash: 4251D230A00505DFCF15EFA4C8899EEBBB0AF98314F24556AF411A7295DB38AD80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0045244A, Relevance: 13.6, APIs: 9, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043B449: GetFocus.USER32 ref: 0043B44A
Part of subcall function 0043B449: GetParent.USER32(00000000), ref: 0043B473
Part of subcall function 0043B449: GetWindowLongA.USER32(?,000000F0), ref: 0043B48E
Part of subcall function 0043B449: GetParent.USER32(?), ref: 0043B49C
Part of subcall function 0043B449: GetDesktopWindow.USER32 ref: 0043B4A0
Part of subcall function 0043B449: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0043B4B4

GetMenu.USER32(?), ref: 004524BD
GetMenu.USER32(?), ref: 004524D1
GetMenuItemCount.USER32(00000000), ref: 004524DA
GetSubMenu.USER32(00000000,00000000), ref: 004524EB
GetMenuItemCount.USER32(?), ref: 0045250D
GetMenuItemID.USER32(?,00000000), ref: 0045252E
GetMenuItemID.USER32(?,00000000), ref: 00452556
GetMenuItemCount.USER32(?), ref: 0045258D
GetMenuItemID.USER32(?,00000000), ref: 004525A8

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: f3e9396363557fd6f76c6886822aa66dadcb8fc71e0d5cfe10d07d45f0acfe6f
Instruction ID: 732ccf93dd3cea988568deffbddabb30af5b66acb7707bfe9ec82f045722dfca
Opcode Fuzzy Hash: f3e9396363557fd6f76c6886822aa66dadcb8fc71e0d5cfe10d07d45f0acfe6f
Instruction Fuzzy Hash: 6C519231900209AFCB11DF65CE90AAE7BB5FF5A312F204467E816E2252E7789D44CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004600E0, Relevance: 13.6, APIs: 9, Instructions: 130timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 004600EB
GetCursorPos.USER32(?), ref: 0046010A
ScreenToClient.USER32(?,?), ref: 00460117
GetCapture.USER32 ref: 0046016D

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

ClientToScreen.USER32(?,?), ref: 004601B4
WindowFromPoint.USER32(?,?), ref: 004601C0
IsChild.USER32(?,00000000), ref: 004601D5
KillTimer.USER32(?,0000E001), ref: 00460212
KillTimer.USER32(?,0000E000), ref: 0046022E

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ClientKillScreenTimer$CaptureChildCursorException@8FromPointStateThrowWindow
String ID:
API String ID: 4062695252-0
Opcode ID: 14d52ddf0317309eec691da1787a927599b6a588895748fad2f078f7a2a0115a
Instruction ID: 8bd0f261af0f6dd364fb52263707b43133c16f72a88229e4ba552fed31f09ebd
Opcode Fuzzy Hash: 14d52ddf0317309eec691da1787a927599b6a588895748fad2f078f7a2a0115a
Instruction Fuzzy Hash: DF419231600605EFDB219F65CC48AAF7BB5FF45324F20066AE451D72A1EB39DE018B09

Uniqueness

Uniqueness Score: -1.00%

Function 00442028, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,000000FF), ref: 00442045

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

Part of subcall function 00435FD6: _strcpy_s.LIBCMT ref: 00435FE2

Strings

\..., xrefs: 00442119

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_strcpy_slstrlen
String ID: \...
API String ID: 3876547911-1167917071
Opcode ID: e6eb64056e002e66c805c6e0a27d241c8d870955b415d0f8aaca3fe1620c73ed
Instruction ID: 42a2292c9b20fda667538bf7b86329f37f6b7d375937648c07801b39f737fe4a
Opcode Fuzzy Hash: e6eb64056e002e66c805c6e0a27d241c8d870955b415d0f8aaca3fe1620c73ed
Instruction Fuzzy Hash: 4A310771800608FFFF219F61CD41AAE7BE4AF11355F50801FFA14A6251E7B89E80CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A080, Relevance: 12.1, APIs: 8, Instructions: 149windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040A0A5
GetSystemMetrics.USER32(00000002), ref: 0040A0F9
IsWindowVisible.USER32(?), ref: 0040A149
GetWindowRect.USER32(?,?), ref: 0040A171
GetSystemMetrics.USER32(00000002), ref: 0040A1A3
EqualRect.USER32(?,?), ref: 0040A1ED
SetScrollRange.USER32(?,00000002,00000000,?,00000001), ref: 0040A23F
IsWindow.USER32(?), ref: 0040A251

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$MetricsRectSystem$EqualRangeScrollVisible
String ID:
API String ID: 138543920-0
Opcode ID: 83a59bdaa79d99779841bc1c677b1f3067270412c7b73721e13fb11b8b57bb35
Instruction ID: d27297bea302efe9100eb14c1d37142a2accb9b854946e7b28aa6154da5f8863
Opcode Fuzzy Hash: 83a59bdaa79d99779841bc1c677b1f3067270412c7b73721e13fb11b8b57bb35
Instruction Fuzzy Hash: D161C374A012499FDB08CFD8D894BEEBBB5FF48304F248269E905AB385DB35A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004285F6, Relevance: 12.1, APIs: 8, Instructions: 124windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00428629
BeginDeferWindowPos.USER32(00000008), ref: 00428641
GetTopWindow.USER32(?), ref: 00428653
GetDlgCtrlID.USER32(00000000), ref: 0042865E
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00428690
GetWindow.USER32(00000000,00000002), ref: 00428699
CopyRect.USER32(?,?), ref: 004286B7
EndDeferWindowPos.USER32(00000000), ref: 00428733

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: ea76392944c69afac70b61d44cfa8ff6f7c9b3553034f9b407cde5d3f5bcb301
Instruction ID: 73610178d2d6cc58f9f0f7181951526ca28a1cba15b00c5cc3b765b6c19ddaf6
Opcode Fuzzy Hash: ea76392944c69afac70b61d44cfa8ff6f7c9b3553034f9b407cde5d3f5bcb301
Instruction Fuzzy Hash: B5414A71A02629DFCF11DF94E8849EEB7B5FF58301B64416FE905A6250CB389E40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045000F, Relevance: 12.1, APIs: 8, Instructions: 85windowstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,?,?,?,?,?,?,00444B08,00000104,00000000,*.*,00000000,?,?,0000F002,00000000), ref: 0045001D
_memset.LIBCMT ref: 00450036
GetFocus.USER32 ref: 0045003E
IsWindowEnabled.USER32(?), ref: 0045006B
EnableWindow.USER32(?,00000000), ref: 0045007E
EnableWindow.USER32(?,00000001), ref: 004500C7
IsWindow.USER32(?), ref: 004500CD
SetFocus.USER32(?), ref: 004500DB

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$EnableFocus$Enabled_memsetlstrlen
String ID:
API String ID: 2950697994-0
Opcode ID: 2abda9bfd506df4c1e9a5bd7d19bac1a632b8f143138b62ed702329613a88393
Instruction ID: 436b1504667a8f7c6e9135d92a55f8a2046f521f1782444093aaae234082b942
Opcode Fuzzy Hash: 2abda9bfd506df4c1e9a5bd7d19bac1a632b8f143138b62ed702329613a88393
Instruction Fuzzy Hash: E221A074200B00AFD7229F31ED49B1ABBE5FF44B05F20452FF945872A2CB79E8098B59

Uniqueness

Uniqueness Score: -1.00%

Function 0045C017, Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0045C05F

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

SendMessageA.USER32(?,0000043D,00000000,00000000), ref: 0045C0B8
SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0045C0C6
SendMessageA.USER32(?,0000043C,?,00000000), ref: 0045C0D7
SendMessageA.USER32(?,0000043C,?,00000000), ref: 0045C0E6
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0045C0F1
InvalidateRect.USER32(?,00000000,00000001,00000000,00000000), ref: 0045C164

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$InvalidateLongRectWindow_memcmp
String ID:
API String ID: 235743446-0
Opcode ID: fafe825ad7228038c6332e39928d7b4ba48fba4a417128c699427b7718cbb2dc
Instruction ID: 4134d7efdca9d37384a39ff0fc17461611f15b359d26bc70d31199d5e7de2980
Opcode Fuzzy Hash: fafe825ad7228038c6332e39928d7b4ba48fba4a417128c699427b7718cbb2dc
Instruction Fuzzy Hash: D641A570740708BFEB219B64CC46FAEBBB4FF08B54F104419FA556A2D1C7B5A940CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044A542, Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044A549
VariantClear.OLEAUT32(?), ref: 0044A5DF
_memset.LIBCMT ref: 0044A618
_memset.LIBCMT ref: 0044A624
SysFreeString.OLEAUT32(?), ref: 0044A669
SysFreeString.OLEAUT32(?), ref: 0044A673
SysFreeString.OLEAUT32(?), ref: 0044A67D

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: c26a45d06e14fff69bf66725df6abda8a253b8fc15798d15d6248ff93bd5f7c5
Instruction ID: 9fa514666a4e16ace88ab62902e59c507e213650b51dc654852a32eff42c2218
Opcode Fuzzy Hash: c26a45d06e14fff69bf66725df6abda8a253b8fc15798d15d6248ff93bd5f7c5
Instruction Fuzzy Hash: 57418971A40218EFDF11DFA0C845ADEBB79BF08B14F24811BF015AB254C7789A91CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00428330, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004283BD
SendMessageA.USER32(00000000,00000405,00000000,?), ref: 004283E6
GetWindowLongA.USER32(?,000000FC), ref: 004283F8
GetWindowLongA.USER32(?,000000FC), ref: 00428409
SetWindowLongA.USER32(?,000000FC,?), ref: 00428425

Strings

(, xrefs: 004283DC

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend_memset
String ID: (
API String ID: 2997958587-3887548279
Opcode ID: aa70cf9991edfe17c0e93bd969f382b70f242d8c100ee762a05610511bf43b40
Instruction ID: 5245e27f153f885226bd8ed9587101e8360d3800fe77c7db5178dad9169ff2a1
Opcode Fuzzy Hash: aa70cf9991edfe17c0e93bd969f382b70f242d8c100ee762a05610511bf43b40
Instruction Fuzzy Hash: 2C31B070701721DFDB21EFB9D884A6EBBE4BF08714F54056EE98197691DB39E800CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045A072, Relevance: 9.1, APIs: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00460423

Part of subcall function 0042F58C: __EH_prolog3.LIBCMT ref: 0042F593
Part of subcall function 0042F58C: GetWindowDC.USER32(00000000,00000004), ref: 0042F5BF

GetClientRect.USER32(?,?), ref: 0046043E
GetWindowRect.USER32(?,?), ref: 0046044B

Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F87), ref: 0042F097
Part of subcall function 0042F083: ScreenToClient.USER32(?,00426F8F), ref: 0042F0A0

OffsetRect.USER32(?,?,?), ref: 00460472

Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E828
Part of subcall function 0042E803: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0042E83D

OffsetRect.USER32(?,?,?), ref: 00460490

Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8AC
Part of subcall function 0042E887: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042E8C1

SendMessageA.USER32(?,00000014,?,00000000), ref: 004604BA

Part of subcall function 0042F5E0: __EH_prolog3.LIBCMT ref: 0042F5E7
Part of subcall function 0042F5E0: ReleaseDC.USER32(?,00000000), ref: 0042F604

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2952362992-0
Opcode ID: 780016c8dad77c662d2d0e44254e707948077181d40eabcd83a3117c3dfda344
Instruction ID: 52aeb892dae2ff7e7503e5255d0292d2f86c492414c69fe2648aacbd39832eef
Opcode Fuzzy Hash: 780016c8dad77c662d2d0e44254e707948077181d40eabcd83a3117c3dfda344
Instruction Fuzzy Hash: A2210A72D1011AEBDF19EB90DC55DFEB3B8FF18304F40412AF556A31A1EA346A0ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042E409, Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0042E433
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042E44E
MulDiv.KERNEL32(00000000), ref: 0042E455
DPtoLP.GDI32(00000000,?,00000001), ref: 0042E470
DPtoLP.GDI32(00000000,?,00000001), ref: 0042E47F
ReleaseDC.USER32(00000000,00000000), ref: 0042E49A

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-0
Opcode ID: ae696c4c4790b95885b65676973be1efc4f26280770dc2fa55acddbafbb4d3b4
Instruction ID: ee9d48f241933851e679672298e64812301ae52e18d6f89cbf3c64fd4158d016
Opcode Fuzzy Hash: ae696c4c4790b95885b65676973be1efc4f26280770dc2fa55acddbafbb4d3b4
Instruction Fuzzy Hash: D0211871E00218EFDB00EFE5DC85AAEBBF8FB48701F50402AE505EB290D77469058B55

Uniqueness

Uniqueness Score: -1.00%

Function 0045E614, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0045E633
__snprintf_s.LIBCMT ref: 0045E6C7
RegOpenKeyExA.ADVAPI32(80000000,?,00000000,0002001F,?,?,?,?,?,?), ref: 0045E711
RegCloseKey.ADVAPI32(?,?,?,?,?,?), ref: 0045E72D

Strings

CLSID\%s, xrefs: 0045E6B8

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: CloseH_prolog3Open__snprintf_s
String ID: CLSID\%s
API String ID: 2941381156-3461197268
Opcode ID: 86c8a45b4927cb222b74454fd5b789fcbaec4949ae37cf3895980d82c060343b
Instruction ID: d9f10619a3f4e0aaf5e9c9c4d32ecdc6f329a2106e86193b74cd4c1c9c7d78a9
Opcode Fuzzy Hash: 86c8a45b4927cb222b74454fd5b789fcbaec4949ae37cf3895980d82c060343b
Instruction Fuzzy Hash: B041A6B1900609EFDB21EFA6CC419AFB7B8FF48705F10002FFA11A6251E7385A05DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004525D3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 00452645
UpdateWindow.USER32(?), ref: 0045265C
GetParent.USER32(?), ref: 004526C4
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 004526E0

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

Strings

@, xrefs: 004526AF

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Message$Exception@8ParentPostSendThrowUpdateWindow
String ID: @
API String ID: 1055267519-2766056989
Opcode ID: 9aafc4fa260417bd13c7d92e8e9d8b705896f5b89ebb923af14caa2e54472ee2
Instruction ID: 1185677a4678d4d514bdb40cb8a09f626db294e8426417989a17ca3b652d4821
Opcode Fuzzy Hash: 9aafc4fa260417bd13c7d92e8e9d8b705896f5b89ebb923af14caa2e54472ee2
Instruction Fuzzy Hash: B0319831600B01EFD7315F21CE48B6B77A5BF16316F20443FE95A562A2CBB9A858CB19

Uniqueness

Uniqueness Score: -1.00%

Function 004540BB, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004540C2

Part of subcall function 0042D0B0: GetWindowLongA.USER32(00051A74,000000F0), ref: 0042D0BB

_swprintf.LIBCMT ref: 0045410B

Part of subcall function 00465BB7: __vsprintf_s_l.LIBCMT ref: 00465BCA

Part of subcall function 0042AF60: _strlen.LIBCMT ref: 0042AF71

_swprintf.LIBCMT ref: 00454179

Strings

- , xrefs: 0045411F, 00454150
:%d, xrefs: 00454100, 0045416E

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _swprintf$H_prolog3_LongWindow__vsprintf_s_l_strlen
String ID: - $:%d
API String ID: 1012054303-2359489159
Opcode ID: c2f69b9290585a4191d0d8e98bf983ebca3f3461ea74fa7c8415e37881effb01
Instruction ID: 0a8e60a9ce2202564c0febdbaef21f8b288af393016574dbc51c28d30e6d9186
Opcode Fuzzy Hash: c2f69b9290585a4191d0d8e98bf983ebca3f3461ea74fa7c8415e37881effb01
Instruction Fuzzy Hash: EE21E5715002086BCB10FBA1EE42FEF7779AF54B09F64012FB901A3192EF6C6A48C759

Uniqueness

Uniqueness Score: -1.00%

Function 0044A137, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044A13E
GetRgnBox.GDI32(?,?), ref: 0044A1B9
IntersectRect.USER32(?,?,?), ref: 0044A1CE
EqualRect.USER32(?,?), ref: 0044A1DC

Strings

iI, xrefs: 0044A18F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID: iI
API String ID: 2161412305-2083763752
Opcode ID: 9a3bcecb922714f435a42ab5814590608633cd6e67dcf2b78680492a244a211a
Instruction ID: 6dd45661d84c583fd11fcbf6ea376196217d30ad7dd7a0cdc0fc8330caaf2ab9
Opcode Fuzzy Hash: 9a3bcecb922714f435a42ab5814590608633cd6e67dcf2b78680492a244a211a
Instruction Fuzzy Hash: FF211B71900209EFDF01EFA5C8809EEBB78BF18304F50856FE555A3211D7789A15DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00402170, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,?,00402065,00000000,00000000,00000000), ref: 0040217E
LockResource.KERNEL32(00000000), ref: 00402198

Strings

e @, xrefs: 004021EC
e @, xrefs: 004021C5

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$LoadLock
String ID: e @$e @
API String ID: 1037334470-2578036179
Opcode ID: 935784628f2149bfccd79260cb87169c6ac242db3efe21c5b41a5fd91cd171ca
Instruction ID: c32a6a5ee8ead18c2feb433e2f1b996dea7d625eddc9b1dcaf6e65adce45fb8b
Opcode Fuzzy Hash: 935784628f2149bfccd79260cb87169c6ac242db3efe21c5b41a5fd91cd171ca
Instruction Fuzzy Hash: 15211D34900119EFCF44DFE4CA48AAEB7B1BF58300F2045AAE816BB280D3749E41EB54

Uniqueness

Uniqueness Score: -1.00%

Function 004501B1, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004501BB

Part of subcall function 00433B33: _memset.LIBCMT ref: 00433B4A

_memset.LIBCMT ref: 0045020E
GetVersionExA.KERNEL32(?,00000000,00000000,00000018), ref: 00450223
_malloc.LIBCMT ref: 0045024C
_memset.LIBCMT ref: 00450263

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog3_Version_malloc
String ID:
API String ID: 1339555267-0
Opcode ID: 69cf650f30b1e326ce7667bd405f13ea108f636098e4f13d8d2fcc6a7a661fd6
Instruction ID: ec0a2ee4913b40cae3b6d9970be1092a5b2fee2543df5665aa0a86f91605c092
Opcode Fuzzy Hash: 69cf650f30b1e326ce7667bd405f13ea108f636098e4f13d8d2fcc6a7a661fd6
Instruction Fuzzy Hash: E2517EB4A00B04DFDB21DF69C980A9ABBF0BF09314F04469EE99997352D778E944CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00440345, Relevance: 7.6, APIs: 5, Instructions: 100timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044034C
GetWindowTextLengthA.USER32(?), ref: 00440392
GetWindowTextA.USER32(?,00000000,00000000), ref: 004403BC
SystemTimeToFileTime.KERNEL32(?,?,?,000000FF), ref: 00440409

Part of subcall function 00432B4F: __CxxThrowException@8.LIBCMT ref: 00432B63

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,0000001C), ref: 0044041B

Part of subcall function 0043E619: _memset.LIBCMT ref: 0043E62A

Part of subcall function 0043B159: lstrlen.KERNEL32(0042BE56,?,?,00000000), ref: 0043B183
Part of subcall function 0043B159: _memset.LIBCMT ref: 0043B1A0
Part of subcall function 0043B159: GetWindowTextA.USER32(?,00000000,00000100), ref: 0043B1BA
Part of subcall function 0043B159: lstrcmp.KERNEL32(00000000,0042BE56), ref: 0043B1CC
Part of subcall function 0043B159: SetWindowTextA.USER32(?,0042BE56), ref: 0043B1D8

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: TextTimeWindow$FileSystem_memset$Exception@8H_prolog3LengthThrowlstrcmplstrlen
String ID:
API String ID: 4241279144-0
Opcode ID: 1e203d5feb6ba7416775312bad6bb11010ebf9b3af5255b256193720e03d8391
Instruction ID: 56f81c1204b01356de3f01f4b5a43c070605305e740c434b4196c7fde51da5f5
Opcode Fuzzy Hash: 1e203d5feb6ba7416775312bad6bb11010ebf9b3af5255b256193720e03d8391
Instruction Fuzzy Hash: 193170B1500119EBCF10EFA1DC41DFE7B79FF18318F10452AFA15A6191DB389951DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0045035D, Relevance: 7.6, APIs: 5, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450364
GetParent.USER32(?), ref: 004503B4
SendMessageA.USER32(?,00000464,00000104,?), ref: 004503C8
GetParent.USER32(?), ref: 004503FB
SendMessageA.USER32(?,00000465,00000104,?), ref: 0045040F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageParentSend$H_prolog3
String ID:
API String ID: 1482283565-0
Opcode ID: 3fdcd5636cb703956bb2b14c251d974bcc5d5ced9c9e7584b9b81977ef971d4b
Instruction ID: 1222faadfffda6702f010a1afce5fe00e7e965ef18cae49e5e766e53ed473933
Opcode Fuzzy Hash: 3fdcd5636cb703956bb2b14c251d974bcc5d5ced9c9e7584b9b81977ef971d4b
Instruction Fuzzy Hash: 4231BC71A00526EBCB05EFA1CC45DAF7B74FF04328F50022BB925672E2DB389944CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0045224A, Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004522C9
GlobalAddAtomA.KERNEL32(?), ref: 004522D5
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 004522E8
GlobalAddAtomA.KERNEL32(?), ref: 004522EE
SendMessageA.USER32(?,000003E4,?,?), ref: 00452312

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: b31cc56a890e109627b5eaffe3c154c0680e8a0bc21828fd65d38639818ab14f
Instruction ID: 5f2cc5fb318cde3a158844135492b8f4ff329199bd56369a7db0cedc776f93bd
Opcode Fuzzy Hash: b31cc56a890e109627b5eaffe3c154c0680e8a0bc21828fd65d38639818ab14f
Instruction Fuzzy Hash: A0214C719006089AEB309FB9DC45BEEB7F8FB08705F00441BE959D7182E7B8A948CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00404350, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F4FD: __EH_prolog3.LIBCMT ref: 0042F504
Part of subcall function 0042F4FD: GetDC.USER32(00000000), ref: 0042F530

SendMessageA.USER32(?,000007E9,000000FE,00000000), ref: 00404438
SendMessageA.USER32(?,000007E9,FF000000,00000000), ref: 00404478
SendMessageA.USER32(?,000007E9,?,00000000), ref: 004044C6

Strings

x3@, xrefs: 0040437C, 004043DD, 004043F9, 004044D3, 004043E0, 004043FC

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$H_prolog3
String ID: x3@
API String ID: 1885053084-655672410
Opcode ID: f2207ed7c092f701a4cd4c8ba0319c89e6cfd201a436b21d5a72e015e18e1bcd
Instruction ID: 1ffb502b45ae453a676f95645b6b64a3a45d5562df96c808373b72a2e210002f
Opcode Fuzzy Hash: f2207ed7c092f701a4cd4c8ba0319c89e6cfd201a436b21d5a72e015e18e1bcd
Instruction Fuzzy Hash: 285108B5A00218DFDB04DF98D890EADB7B5FB88314F204269E915AB3D5C735AC42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0048E18E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0048E195

Part of subcall function 0040E2A0: _strlen.LIBCMT ref: 0040E2BF

__CxxThrowException@8.LIBCMT ref: 0048E1C7

Part of subcall function 00463FFA: RaiseException.KERNEL32(00401012,00401012,?,?,00401012,00401012,00401012), ref: 0046403A

Part of subcall function 0040E1F0: std::exception::exception.LIBCMT ref: 0040E225

Strings

invalid string position, xrefs: 0048E19A
-H, xrefs: 0048E1C0, 0048E1D9

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow_strlenstd::exception::exception
String ID: -H$invalid string position
API String ID: 3092953383-1441538336
Opcode ID: ecf7c4fac1e1e2406d2617e64965b0e900cf266219ac1c2e4e032dea61522bef
Instruction ID: 71f8eaf431d13e78f27be5d3a20f3660e182c9e9cc22523d0114980dc4de5dac
Opcode Fuzzy Hash: ecf7c4fac1e1e2406d2617e64965b0e900cf266219ac1c2e4e032dea61522bef
Instruction Fuzzy Hash: A6E030719002189BCB04FBD1CC05ECEB7B4ABA5315F10482FF60476181EBB89556CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004546C7, Relevance: 6.1, APIs: 4, Instructions: 132timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004546DE

Part of subcall function 0042CEA1: _wctomb_s.LIBCMT ref: 0042CEB1

GetFileTime.KERNEL32(?,?,?,?), ref: 00454715
GetFileSize.KERNEL32(?,00000000), ref: 0045472A

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 0201c4b884bfbbf023d69887f4fc1eed64cd362aa73406f1a2cb8059389b4850
Instruction ID: 8976b3bfe382139f4760fb25151f5437201bf8a2d034a8d6225b366c798da218
Opcode Fuzzy Hash: 0201c4b884bfbbf023d69887f4fc1eed64cd362aa73406f1a2cb8059389b4850
Instruction Fuzzy Hash: B3418075500705AFC720DF64C8808ABB7F8BF493157108A2FE5A6D7691E734E989CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0043C6DB, Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 0043C76C
__msize.LIBCMT ref: 0043C78F
_malloc.LIBCMT ref: 0043C7A7
_malloc.LIBCMT ref: 0043C7BC

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: e3c5cb1e8fcb123f2c8d843a8c1f7d7fc9daea379b2a256263c214cc588c41df
Instruction ID: d4106f9be111ad875dedea37c0f9a188e7a63fa5f178030105d7d033bdb30787
Opcode Fuzzy Hash: e3c5cb1e8fcb123f2c8d843a8c1f7d7fc9daea379b2a256263c214cc588c41df
Instruction Fuzzy Hash: 352184325006129FCB24AF35C8C1A5B77A5AF48754F10D52BEC199A286EB38EC41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00450521, Relevance: 6.1, APIs: 4, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00450528
GetParent.USER32(?), ref: 00450572
SendMessageA.USER32(?,00000464,00000104,?), ref: 0045058A

Part of subcall function 00424EC0: _strlen.LIBCMT ref: 00424ED3

PathFindExtensionA.SHLWAPI(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 004505A4

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: ExtensionFindH_prolog3MessageParentPathSend_strlen
String ID:
API String ID: 3113102702-0
Opcode ID: 9e98c78835fe26bc93d9db64d8f561895e9a340704ace5a40e634b707efac433
Instruction ID: 023245a0748d2706f34cfcbf5366c59365e955726b7b6a2b5b45fd6b8ed4af15
Opcode Fuzzy Hash: 9e98c78835fe26bc93d9db64d8f561895e9a340704ace5a40e634b707efac433
Instruction Fuzzy Hash: 7221AE75900619EBCF20EFA1C8909BE77B1BF40309B51092FF95267292EB389D44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042A6B6, Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0042A6E0
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 0042A70B

Part of subcall function 00428E0E: GetTopWindow.USER32(00000000), ref: 00428E1C

GetCapture.USER32 ref: 0042A71D
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0042A72C

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$CaptureWindow
String ID:
API String ID: 729421689-0
Opcode ID: 35ee7f472d872d8bb581927dea09c7447f632c0fc45bf85fcf5453d11efdd9c7
Instruction ID: f0a1912fcc52cdede2c8c33cea60bb29b2c763122dcff83c9fb224101b562ed9
Opcode Fuzzy Hash: 35ee7f472d872d8bb581927dea09c7447f632c0fc45bf85fcf5453d11efdd9c7
Instruction Fuzzy Hash: AA01F77135021D7FF6312B209CC9FBB36ADFB8C788F41043AF781AA1E2CA959C005664

Uniqueness

Uniqueness Score: -1.00%

Function 0042C53B, Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042CF6B: GetDlgItem.USER32(00401012,?), ref: 0042CF78

SendMessageA.USER32(?,00000188,00000000,00000000), ref: 0042C573
SendMessageA.USER32(?,0000018A,00000000,00000000), ref: 0042C587
SendMessageA.USER32(?,00000189,00000000,00000000), ref: 0042C59C
SendMessageA.USER32(?,0000018C,000000FF,?), ref: 0042C5C4

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 9f5f3b69665e6f7c9fb4b4d76de780066ddaf37e43d7e1caca36a940fbd3da8d
Instruction ID: 3a1b86dcc0ed93acf244c646cfc01eb01e8401e4543fcb1c44d4aff15e801c51
Opcode Fuzzy Hash: 9f5f3b69665e6f7c9fb4b4d76de780066ddaf37e43d7e1caca36a940fbd3da8d
Instruction Fuzzy Hash: F5110432340128BBCF01AF55DC01FAE3B29EF84720F50422BF9255B1E0CB74A951CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0045214C, Relevance: 6.1, APIs: 4, Instructions: 53fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00452175
DragQueryFile.SHELL32(?,000000FF,00000000,00000000), ref: 0045218E
DragQueryFile.SHELL32(?,?,?,00000104), ref: 004521B2
DragFinish.SHELL32(?), ref: 004521CE

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: d4565c15ff03cd1c3fc500859f0848bf6e0838e9c38cc3ee96340d707c7db76e
Instruction ID: 17fd6e3e6ebb2416d8d03e040f5a8eb93397542fa8b413dc664f2326a4bc6fff
Opcode Fuzzy Hash: d4565c15ff03cd1c3fc500859f0848bf6e0838e9c38cc3ee96340d707c7db76e
Instruction Fuzzy Hash: EB1151B19001189FDB20AFB4DC85FAEBBB8FF08315F10452BE525A7192DB74A4488F64

Uniqueness

Uniqueness Score: -1.00%

Function 0044A0A7, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 0044A0E6
EqualRect.USER32(?,00000000), ref: 0044A0F3
IsRectEmpty.USER32(?), ref: 0044A0FD
InvalidateRect.USER32(?,?,?), ref: 0044A11A

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 139d454e18f1f0cf9917074765f7fc3a7b9f49c73f54dcae44b441e03ca6e523
Instruction ID: f21cbab1004088333047ee71a6ccff21f6ce4369d95818b6679da207cc83d416
Opcode Fuzzy Hash: 139d454e18f1f0cf9917074765f7fc3a7b9f49c73f54dcae44b441e03ca6e523
Instruction Fuzzy Hash: 2B112A3290010AEFDF01DF94D889EDEBBB9FF18305F0040A2FA04A6111D3759A5A8FA5

Uniqueness

Uniqueness Score: -1.00%

Function 004544C3, Relevance: 6.1, APIs: 4, Instructions: 52timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00454527
GetLastError.KERNEL32(00000000), ref: 00454539
LocalFileTimeToFileTime.KERNEL32(?,00000000), ref: 00454548
GetLastError.KERNEL32(00000000), ref: 00454553

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: e0adc2d5adde247f8e7929a7dff9872a650349a88b0a68c69bb0bc3607923057
Instruction ID: 5dc48cf50a53babc959e1c06732a2e5b027c142d0f1d2b31e07c805bd38a231f
Opcode Fuzzy Hash: e0adc2d5adde247f8e7929a7dff9872a650349a88b0a68c69bb0bc3607923057
Instruction Fuzzy Hash: 39016525E10219B6CF00BFF588056AE777DAF44709F00505BFD01AB252EA789688879D

Uniqueness

Uniqueness Score: -1.00%

Function 0042857F, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0042858A
GetTopWindow.USER32(00000000), ref: 0042859D

Part of subcall function 0042857F: GetWindow.USER32(00000000,00000002), ref: 004285E4

GetTopWindow.USER32(?), ref: 004285CD

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: bf2175105902e43a189ed61f0576099eca0340aed452f53592f6313e02122481
Instruction ID: 495852f1420ec8137339215e64239f936d8a9b5ad03ffdbdb67d6e7962144ae4
Opcode Fuzzy Hash: bf2175105902e43a189ed61f0576099eca0340aed452f53592f6313e02122481
Instruction Fuzzy Hash: B3017132203636B7CF232E61AC00E9F3A54AF71360B84402AFC0455211EF39CA919AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004405FB, Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044060F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0043D42A,?,?,?,004AC62C,00000008), ref: 00440627
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044062F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0043D42A,?,?,?,004AC62C,00000008), ref: 0044064E

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 1b0dd1aca19002d4e34209b491b7c01766521b3cdaa241a2d1fa6d7f25102649
Instruction ID: 05f101b5a179b91c296078595210f6416541d882e2330fda67a00c137259d1c7
Opcode Fuzzy Hash: 1b0dd1aca19002d4e34209b491b7c01766521b3cdaa241a2d1fa6d7f25102649
Instruction Fuzzy Hash: 38F062711062747F93212B625C4CCABBF9CEE9A2B5B11052BF64992100C679A810C7F9

Uniqueness

Uniqueness Score: -1.00%

Function 00426266, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004262A4
SetBkColor.GDI32(00000000,00000000), ref: 004262B0
GetSysColor.USER32(00000008), ref: 004262C0
SetTextColor.GDI32(00000000,?), ref: 004262CA

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: dcc7454183c0c083a2eda933a921a6e0b3fe2640e6be5b5c83fe1bf8042a0053
Instruction ID: 38ff7d913656bcf6610e3dfd52c3d81a1c747d2f2d04b41a2501bb6d16f27043
Opcode Fuzzy Hash: dcc7454183c0c083a2eda933a921a6e0b3fe2640e6be5b5c83fe1bf8042a0053
Instruction Fuzzy Hash: 0F014F30600128EBDF226F64EC49BAF3B69EB05355FA14562F911D01E0D774CD90CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043442B, Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000005), ref: 00434445
LoadResource.KERNEL32(?,00000000), ref: 0043444D
LockResource.KERNEL32(00000000), ref: 0043445A
FreeResource.KERNEL32(00000000,00000000,?,?), ref: 00434472

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 9061bf24b95ec7c6b5fddfcfeb5b54ab02f6f45e730fc84ec3589202e0431800
Instruction ID: a9057abdaddc79e278a1614f3b42f67c4de011e5b58948a18ff4c67e22de7f58
Opcode Fuzzy Hash: 9061bf24b95ec7c6b5fddfcfeb5b54ab02f6f45e730fc84ec3589202e0431800
Instruction Fuzzy Hash: DCF08936200614BFC7526BA59C4DD9FBBBCEF99765B11403AF605D3211D6789D008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00440192, Relevance: 6.0, APIs: 4, Instructions: 32memorystringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044019C
VariantClear.OLEAUT32 ref: 004401A4
lstrlen.KERNEL32(?,?,?,?,00000224), ref: 004401C2
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 004401CA

Part of subcall function 00432B1B: __CxxThrowException@8.LIBCMT ref: 00432B2F

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: AllocByteClearException@8H_prolog3StringThrowVariantlstrlen
String ID:
API String ID: 103272278-0
Opcode ID: d040c2ec066593751daca99b8f99ae91301846baa4d9cce49aa0dfb500648f91
Instruction ID: e59f45ceb41a4f8c71a9e2f6cfe17f25c1e47f827930aaf9c6850e6970e2702e
Opcode Fuzzy Hash: d040c2ec066593751daca99b8f99ae91301846baa4d9cce49aa0dfb500648f91
Instruction Fuzzy Hash: 10F0C8308107009FD721FF62C84976AB3B4FF10315F20806FE50563261EBBC6984CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0043439C, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 004343BC
GetActiveWindow.USER32 ref: 004343C7
SetActiveWindow.USER32(00000000,?,00000024,00420938,00000000), ref: 004343D5
FreeResource.KERNEL32(628467F9,?,00000024,00420938,00000000), ref: 004343F1

Part of subcall function 0042D231: EnableWindow.USER32(?,00000000), ref: 0042D23E

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: e2e8b8017db15dbaf2c5795d5618923302bd839f08d5ed25d9a3ad88f5d5103a
Instruction ID: 4601c560c21bb3f3bf480c7127d23ccc4860222e8e89f585aa5708ed687ebb34
Opcode Fuzzy Hash: e2e8b8017db15dbaf2c5795d5618923302bd839f08d5ed25d9a3ad88f5d5103a
Instruction Fuzzy Hash: 44F03C30A00B08CFCF22AF64C8455AEB7B2BF8C702F60156AE94173261CB7A6D40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406050, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00406124

Strings

MS Sans Serif, xrefs: 00406166
%-5.1f, xrefs: 0040610D, 0040611F, 00406133

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _strlen
String ID: %-5.1f$MS Sans Serif
API String ID: 4218353326-966146429
Opcode ID: 067eda6f4b326c288def9c5c2ba3be0f6583191114fa82d34a959ac3c2d9be25
Instruction ID: 31ba7f2cc2b4c9ea4047dea39ae350100d444884f3c6af1f0477c4b370598301
Opcode Fuzzy Hash: 067eda6f4b326c288def9c5c2ba3be0f6583191114fa82d34a959ac3c2d9be25
Instruction Fuzzy Hash: 574118B0E14248DFDB24DFA8C855B9EBBB1BF48304F20426EE4156B382D7759906CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004024D0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00402556

Strings

w$@, xrefs: 00402503, 00402524, 00402531, 00402506
w$@, xrefs: 00402521, 00402561, 00402529

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: _memcpy_s
String ID: w$@$w$@
API String ID: 2001391462-2310522936
Opcode ID: ffefd7b4a4dd47931fbac7c4f6769936d265642f18cfeca61c332ffc1a95d3a6
Instruction ID: ea8dd3682fd7394d5e20d77e568e77dc0984147db08516fe2f1170a4e19f6e60
Opcode Fuzzy Hash: ffefd7b4a4dd47931fbac7c4f6769936d265642f18cfeca61c332ffc1a95d3a6
Instruction Fuzzy Hash: 9231C8B4E0060A9FCB04DF98C9909AEB7B1FF88300F108699E915AB395D730AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004366E5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(?), ref: 004366FD
UnhookWindowsHookEx.USER32(?), ref: 00436707

Strings

DhC, xrefs: 004366F4

Memory Dump Source

Source File: 00000004.00000002.470738360.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.470716622.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.471033071.00000000004B4000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471042636.00000000004B9000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471049802.00000000004CB000.00000040.00020000.sdmp Download File
Associated: 00000004.00000002.471060515.00000000004CE000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.471069270.00000000004CF000.00000004.00020000.sdmp Download File

Similarity

API ID: HookUnhookWindows
String ID: DhC
API String ID: 2953937349-3391294859
Opcode ID: 6e7f1f95caf103e15fa73941a6d794ac6f07803409c44440d68613f6b67ae7cd
Instruction ID: 94403cd277da97fb6f61e47c81794f1213a491487dfd21163a43ad457c0b9762
Opcode Fuzzy Hash: 6e7f1f95caf103e15fa73941a6d794ac6f07803409c44440d68613f6b67ae7cd
Instruction Fuzzy Hash: 8AE086716007115B9A209B3FAC44E57F3ECAE99720707952FE844E3310DB78EC0149A8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9cf2c56e_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre