Windows Analysis Report 0klWxH7lko.exe

Overview

General Information

Sample Name: 0klWxH7lko.exe
Analysis ID: 511181
MD5: 8b1a607ffb0fc28a2cfc74782c86639e
SHA1: a806a148512d7dcf8a3d5578bc8f76d8408ddc50
SHA256: 07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to detect sandboxes (mouse cursor move detection)
May check if the current machine is a sandbox (GetTickCount - Sleep)

Process Tree

  • System is w10x64
  • 0klWxH7lko.exe (PID: 4440 cmdline: 'C:\Users\user\Desktop\0klWxH7lko.exe' MD5: 8B1A607FFB0FC28A2CFC74782C86639E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 0klWxH7lko.exe Virustotal: Detection: 19%
Source: 0klWxH7lko.exe ReversingLabs: Detection: 22%
Source: 0klWxH7lko.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: makecab.pdbGCTL source: 0klWxH7lko.exe
Source: Binary string: makecab.pdb source: 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_004059DC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004059DC
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: 0klWxH7lko.exe, 00000001.00000002.517897189.000000000069A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043289C GetKeyboardState,KiUserCallbackDispatcher, 1_2_0043289C
Source: 0klWxH7lko.exe Binary or memory string: OriginalFilename vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe, 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Source: 0klWxH7lko.exe Binary or memory string: OriginalFilenamemakecab.exej% vs 0klWxH7lko.exe
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044AA44 1_2_0044AA44
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044583C 1_2_0044583C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: String function: 00406A24 appears 61 times
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: String function: 004048D8 appears 68 times
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450594 NtdllDefWindowProc_A, 1_2_00450594
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043582C NtdllDefWindowProc_A,GetCapture, 1_2_0043582C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450D38 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00450D38
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00450DE8 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00450DE8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00429488 NtdllDefWindowProc_A, 1_2_00429488
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044583C GetSubMenu,SaveDC,RestoreDC,7378B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044583C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0041E178 GetLastError,FormatMessageA, 1_2_0041E178
Source: C:\Users\user\Desktop\0klWxH7lko.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\0klWxH7lko.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: 0klWxH7lko.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00414038 FindResourceA, 1_2_00414038
Source: classification engine Classification label: mal52.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00408D92 GetDiskFreeSpaceA, 1_2_00408D92
Source: C:\Users\user\Desktop\0klWxH7lko.exe Window found: window name: TButton
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043C824 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 1_2_0043C824
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0045061C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0045061C
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0044D604 KiUserCallbackDispatcher,SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0044D604
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00438128 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00438128
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00422ECC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00422ECC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00436F50 IsIconic,GetCapture, 1_2_00436F50
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_00437804 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00437804

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0042BDC8 1_2_0042BDC8
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_0044FB78
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0041E714 GetSystemInfo, 1_2_0041E714
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: 0klWxH7lko.exe, 00000001.00000002.518229505.0000000000D20000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405BB4
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_004064FC
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040CC84
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_0040B638
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: GetLocaleInfoA, 1_2_0040B684
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_00405CBF
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0043CE54 GetVersion, 1_2_0043CE54
Source: C:\Users\user\Desktop\0klWxH7lko.exe Code function: 1_2_0040A10C GetLocalTime, 1_2_0040A10C

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Native API 1 | Application Shimming 1 | Process Injection 1 | Process Injection 1 | Input Capture 21 | System Time Discovery 1 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Security Software Discovery 12 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Application Window Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
| 0klWxH7lko.exe | 20% | Virustotal | | Browse |
| 0klWxH7lko.exe | 23% | ReversingLabs | Win32.Trojan.Zusy | |

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label | Link | Download |
| 1.2.0klWxH7lko.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223 | | Download File |

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| clientconfig.passport.net | unknown | unknown | false | | unknown |

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version: 34.0.0 Boulder Opal
    Analysis ID: 511181
    Start date: 28.10.2021
    Start time: 18:17:03
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 5m 25s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: 0klWxH7lko.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed: 23
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal52.evad.winEXE@1/0@1/0
    EGA Information: Failed
    HDC Information:
    • Successful, ratio: 99.4% (good quality ratio 97.1%)
    • Quality average: 85.7%
    • Quality standard deviation: 23.5%
    HCA Information: Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.82.209.183, 23.211.6.115, 93.184.220.29, 20.190.151.68, 20.190.151.6, 20.190.151.134, 20.190.151.70, 20.190.151.131, 20.190.151.132, 20.190.151.69, 20.190.151.9, 23.211.4.86, 23.203.70.208, 96.16.150.73, 204.79.197.200, 13.107.21.200, 20.50.102.62, 80.67.82.211, 80.67.82.235, 40.112.88.60
    • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, e12564.dspb.akamaiedge.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, www.tm.lg.prod.aadmsa.trafficmanager.net
    • Not all processes were analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.588384260973668
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.66%
    • Win32 Executable Delphi generic (14689/80) 0.15%
    • Windows Screen Saver (13104/52) 0.13%
    • Win16/32 Executable Delphi generic (2074/23) 0.02%
    • Generic Win/DOS Executable (2004/3) 0.02%
    File name: 0klWxH7lko.exe
    File size: 494080
    MD5: 8b1a607ffb0fc28a2cfc74782c86639e
    SHA1: a806a148512d7dcf8a3d5578bc8f76d8408ddc50
    SHA256: 07c670b4ae43186e7e56124048946ba2f7324226359c10e344241e633773e6f0
    SHA512: 8f9fe78bd44bb56030bfc811764fc12ba326e8026dfb82f5d39ea21b245355fb2a6b1daf023df9d8c82752e8c4f07495182757bd0eb6f75bdf8a8e20403b7c08
    SSDEEP: 12288:3Tx+95sGgcw0q4UA6DzO35PCgPF+QhTW:3FGZJSoPF+Q9

    Static PE Info

    General

    Entrypoint: 0x455c38
    Entrypoint Section: CODE
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
    DLL Characteristics:
    Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: 099c74df59ac4f2d4be1deabe16b5180

    Entrypoint Preview

    Instruction
    push ebp
    mov ebp, esp
    add esp, FFFFFFF0h
    mov eax, 00455AA0h
    call 00007FF10495A761h
    mov eax, dword ptr [0046B67Ch]
    mov eax, dword ptr [eax]
    call 00007FF1049A5351h
    mov ecx, dword ptr [0046B760h]
    mov eax, dword ptr [0046B67Ch]
    mov eax, dword ptr [eax]
    mov edx, dword ptr [00455160h]
    call 00007FF1049A5351h
    mov eax, dword ptr [0046B67Ch]
    mov eax, dword ptr [eax]
    call 00007FF1049A53C5h
    call 00007FF104958798h
    lea eax, dword ptr [eax+00h]

    Data Directories

    | Name | Virtual Address | Virtual Size | Is in Section |
    | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6d000 | 0x209e | .idata |
    | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x5c00 | .rsrc |
    | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x5fdc | .reloc |
    | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_TLS | 0x71000 | 0x18 | .rdata |
    | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

    Sections

    | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
    | CODE | 0x1000 | 0x54c80 | 0x54e00 | False | 0.532331553756 | data | 6.53716362692 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
    | DATA | 0x56000 | 0x157f0 | 0x15800 | False | 0.510537790698 | data | 6.15046698513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | BSS | 0x6c000 | 0xba1 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .idata | 0x6d000 | 0x209e | 0x2200 | False | 0.356158088235 | data | 4.91292422553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .tls | 0x70000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .rdata | 0x71000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.164765012351 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
    | .reloc | 0x72000 | 0x5fdc | 0x6000 | False | 0.624348958333 | data | 6.67168022676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
    | .rsrc | 0x78000 | 0x5c00 | 0x5c00 | False | 0.296917459239 | data | 4.34148899694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |

    Resources

    | Name | RVA | Size | Type | Language | Country |
    | RT_CURSOR | 0x789fc | 0x134 | data | | |
    | RT_CURSOR | 0x78b30 | 0x134 | data | | |
    | RT_CURSOR | 0x78c64 | 0x134 | data | | |
    | RT_CURSOR | 0x78d98 | 0x134 | data | | |
    | RT_CURSOR | 0x78ecc | 0x134 | data | | |
    | RT_CURSOR | 0x79000 | 0x134 | data | | |
    | RT_CURSOR | 0x79134 | 0x134 | data | | |
    | RT_BITMAP | 0x79268 | 0x1d0 | data | | |
    | RT_BITMAP | 0x79438 | 0x1e4 | data | | |
    | RT_BITMAP | 0x7961c | 0x1d0 | data | | |
    | RT_BITMAP | 0x797ec | 0x1d0 | data | | |
    | RT_BITMAP | 0x799bc | 0x1d0 | data | | |
    | RT_BITMAP | 0x79b8c | 0x1d0 | data | | |
    | RT_BITMAP | 0x79d5c | 0x1d0 | data | | |
    | RT_BITMAP | 0x79f2c | 0x1d0 | data | | |
    | RT_BITMAP | 0x7a0fc | 0x1d0 | data | | |
    | RT_BITMAP | 0x7a2cc | 0x1d0 | data | | |
    | RT_ICON | 0x7a49c | 0x330 | dBase III DBT, version number 0, next free block index 40, 1st item "\366\377\377\376\337\377" | Russian | Russia |
    | RT_STRING | 0x7a7cc | 0xfc | data | | |
    | RT_STRING | 0x7a8c8 | 0x1ec | data | | |
    | RT_STRING | 0x7aab4 | 0x148 | data | | |
    | RT_STRING | 0x7abfc | 0x274 | data | | |
    | RT_STRING | 0x7ae70 | 0x150 | data | | |
    | RT_STRING | 0x7afc0 | 0xec | data | | |
    | RT_STRING | 0x7b0ac | 0x1b0 | data | | |
    | RT_STRING | 0x7b25c | 0x45c | data | | |
    | RT_STRING | 0x7b6b8 | 0x354 | data | | |
    | RT_STRING | 0x7ba0c | 0x3e8 | data | | |
    | RT_STRING | 0x7bdf4 | 0x234 | data | | |
    | RT_STRING | 0x7c028 | 0xec | data | | |
    | RT_STRING | 0x7c114 | 0x1b4 | data | | |
    | RT_STRING | 0x7c2c8 | 0x3e4 | data | | |
    | RT_STRING | 0x7c6ac | 0x358 | data | | |
    | RT_STRING | 0x7ca04 | 0x2b4 | data | | |
    | RT_RCDATA | 0x7ccb8 | 0x10 | data | | |
    | RT_RCDATA | 0x7ccc8 | 0x208 | data | | |
    | RT_RCDATA | 0x7ced0 | 0xae9 | Delphi compiled form 'TForm1' | | |
    | RT_GROUP_CURSOR | 0x7d9bc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7d9d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7d9e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7d9f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7da0c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7da20 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_CURSOR | 0x7da34 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | |
    | RT_GROUP_ICON | 0x7da48 | 0x14 | data | Russian | Russia |

    Imports

    | DLL | Import |
    | kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle |
    | user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA |
    | advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
    | oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
    | kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA |
    | advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey |
    | kernel32.dll | lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateFileA, CreateEventA, CompareStringA, CloseHandle |
    | version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA |
    | gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt |
    | user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout |
    | kernel32.dll | Sleep |
    | oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit |
    | comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create |
    | comdlg32.dll | GetOpenFileNameA |

    Possible Origin

    Language of compilation system | Country where language is spoken
    Russian | Russia

    Network Behavior

    UDP Packets

    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 28, 2021 18:18:14.673420906 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8

    DNS Queries

    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
    Oct 28, 2021 18:18:14.673420906 CEST | 192.168.2.5 | 8.8.8.8 | 0x5973 | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)

    DNS Answers

    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
    Oct 28, 2021 18:18:11.816294909 CEST | 8.8.8.8 | 192.168.2.5 | 0xad19 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | | CNAME (Canonical name) | IN (0x0001)
    Oct 28, 2021 18:18:14.695940971 CEST | 8.8.8.8 | 192.168.2.5 | 0x5973 | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | | CNAME (Canonical name) | IN (0x0001)

    Code Manipulations

    System Behavior

    General

    Start time: 18:18:03
    Start date: 28/10/2021
    Path: C:\Users\user\Desktop\0klWxH7lko.exe
    Wow64 process (32bit): true
    Commandline: 'C:\Users\user\Desktop\0klWxH7lko.exe'
    Imagebase: 0x400000
    File size: 494080 bytes
    MD5 hash: 8B1A607FFB0FC28A2CFC74782C86639E
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: Borland Delphi
    Reputation: low

    Disassembly

    Code Analysis

      Executed Functions

      C-Code - Quality: 65%
      			E00405BB4(intOrPtr __eax) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v15;
      				char _v17;
      				char _v18;
      				char _v22;
      				int _v28;
      				char* _v32;
      				char _v293;
      				long _t58;
      				long _t75;
      				long _t77;
      				CHAR* _t84;
      				CHAR* _t87;
      				struct HINSTANCE__* _t94;
      				struct HINSTANCE__* _t101;
      				struct HINSTANCE__* _t110;
      				intOrPtr _t115;
      				void* _t124;
      				void* _t126;
      				intOrPtr _t127;
      
      				_t124 = _t126;
      				_t127 = _t126 + 0xfffffedc;
      				_v8 = __eax;
      				GetModuleFileNameA(0,  &_v293, 0x105);
      				_v22 = 0;
      				_t58 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
      				if(_t58 == 0) {
      					L3:
      					_push(_t124);
      					_push(0x405cb8);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t127;
      					_v28 = 5;
      					E004059DC( &_v293, 0x105);
      					if(RegQueryValueExA(_v12,  &_v293, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, E00405E34, 0, 0,  &_v22,  &_v28) != 0) {
      						_v22 = 0;
      					}
      					_v18 = 0;
      					_pop(_t115);
      					 *[fs:eax] = _t115;
      					_push(E00405CBF);
      					return RegCloseKey(_v12);
      				} else {
      					_t75 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
      					if(_t75 == 0) {
      						goto L3;
      					} else {
      						_t77 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
      						if(_t77 != 0) {
      							_push(0x105);
      							_push(_v8);
      							_push( &_v293);
      							L004012D4();
      							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5); // executed
      							_t110 = 0;
      							if(_v293 != 0 && (_v17 != 0 || _v22 != 0)) {
      								_t84 =  &_v293;
      								_push(_t84);
      								L004012DC();
      								_v32 = _t84 +  &_v293;
      								while( *_v32 != 0x2e &&  &_v293 != _v32) {
      									_v32 = _v32 - 1;
      								}
      								_t87 =  &_v293;
      								if(_t87 != _v32) {
      									_v32 = _v32 + 1;
      									if(_v22 != 0) {
      										_push(0x105 - _v32 - _t87);
      										_push( &_v22);
      										_push(_v32);
      										L004012D4();
      										_t110 = LoadLibraryExA( &_v293, 0, 2);
      									}
      									if(_t110 == 0 && _v17 != 0) {
      										_push(0x105 - _v32 -  &_v293);
      										_push( &_v17);
      										_push(_v32);
      										L004012D4();
      										_t94 = LoadLibraryExA( &_v293, 0, 2); // executed
      										_t110 = _t94;
      										if(_t110 == 0) {
      											_v15 = 0;
      											_push(0x105 - _v32 -  &_v293);
      											_push( &_v17);
      											_push(_v32);
      											L004012D4();
      											_t101 = LoadLibraryExA( &_v293, 0, 2); // executed
      											_t110 = _t101;
      										}
      									}
      								}
      							}
      							return _t110;
      						} else {
      							goto L3;
      						}
      					}
      				}
      			}


      APIs
      • GetModuleFileNameA.KERNEL32(00000000,?,00000105,004560C8), ref: 00405BCF
      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,004560C8), ref: 00405BED
      • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,004560C8), ref: 00405C0B
      • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405C29
      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405CB8,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C72
      • RegQueryValueExA.ADVAPI32(?,00405E34,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405CB8,?,80000001), ref: 00405C90
      • RegCloseKey.ADVAPI32(?,00405CBF,00000000,?,?,00000000,00405CB8,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405CB2
      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405CCF
      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CDC
      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405CE2
      • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405D0D
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D62
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D72
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D9E
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405DAE
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00405DD8
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00405DE8
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
      • API String ID: 1759228003-2375825460
      • Opcode ID: aab1434bb0c6e3b4759fb69a1b0dbc9a023d57d7c1a4883df5a7300bfb69707e
      • Instruction ID: 3ea00f02c198545f63f222a2dc2c296a1925c2aaac71fa3e93c1131898c2d3fb
      • Opcode Fuzzy Hash: aab1434bb0c6e3b4759fb69a1b0dbc9a023d57d7c1a4883df5a7300bfb69707e
      • Instruction Fuzzy Hash: 14611B71A0464D7EEB11EAE5CC46FEFB7BCDB48304F5040BBA605F61C1D6B89A448B68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0045061C(struct HWND__* __eax, void* __ecx, struct HWND__* __edx) {
      				struct HWND__* _v8;
      				struct HWND__* _v12;
      				struct HWND__* _v16;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				signed int _t161;
      				struct HWND__* _t162;
      				struct HWND__* _t163;
      				struct HWND__* _t176;
      				struct HWND__* _t185;
      				struct HWND__* _t188;
      				struct HWND__* _t189;
      				struct HWND__* _t191;
      				struct HWND__* _t197;
      				struct HWND__* _t199;
      				struct HWND__* _t202;
      				struct HWND__* _t205;
      				struct HWND__* _t206;
      				struct HWND__* _t216;
      				struct HWND__* _t217;
      				struct HWND__* _t222;
      				struct HWND__* _t224;
      				struct HWND__* _t227;
      				struct HWND__* _t231;
      				struct HWND__* _t239;
      				struct HWND__* _t247;
      				struct HWND__* _t250;
      				struct HWND__* _t254;
      				struct HWND__* _t256;
      				struct HWND__* _t257;
      				struct HWND__* _t269;
      				intOrPtr _t272;
      				struct HWND__* _t275;
      				intOrPtr* _t276;
      				struct HWND__* _t284;
      				struct HWND__* _t286;
      				struct HWND__* _t297;
      				void* _t305;
      				signed int _t307;
      				struct HWND__* _t312;
      				struct HWND__* _t313;
      				struct HWND__* _t314;
      				void* _t315;
      				intOrPtr _t336;
      				struct HWND__* _t340;
      				intOrPtr _t362;
      				void* _t364;
      				void* _t368;
      				void* _t369;
      				intOrPtr _t370;
      
      				_t315 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_push(_t369);
      				_push(0x450cd3);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t370;
      				 *(_v12 + 0xc) = 0;
      				_t305 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xa8)) + 8)) - 1;
      				if(_t305 < 0) {
      					L5:
      					E004504D0(_v8, _t315, _v12);
      					_t307 =  *_v12;
      					_t161 = _t307;
      					__eflags = _t161 - 0x53;
      					if(__eflags > 0) {
      						__eflags = _t161 - 0xb017;
      						if(__eflags > 0) {
      							__eflags = _t161 - 0xb020;
      							if(__eflags > 0) {
      								_t162 = _t161 - 0xb031;
      								__eflags = _t162;
      								if(_t162 == 0) {
      									_t163 = _v12;
      									__eflags =  *((intOrPtr*)(_t163 + 4)) - 1;
      									if( *((intOrPtr*)(_t163 + 4)) != 1) {
      										 *(_v8 + 0xb0) =  *(_v12 + 8);
      									} else {
      										 *(_v12 + 0xc) =  *(_v8 + 0xb0);
      									}
      									L102:
      									_pop(_t336);
      									 *[fs:eax] = _t336;
      									return 0;
      								}
      								__eflags = _t162 + 0xfffffff2 - 2;
      								if(_t162 + 0xfffffff2 - 2 < 0) {
      									 *(_v12 + 0xc) = E004527E8(_v8,  *(_v12 + 8), _t307) & 0x0000007f;
      								} else {
      									L101:
      									E00450594(_t369); // executed
      								}
      								goto L102;
      							}
      							if(__eflags == 0) {
      								_t176 = _v12;
      								__eflags =  *(_t176 + 4);
      								if( *(_t176 + 4) != 0) {
      									E004512E4(_v8,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
      								} else {
      									E00451288(_v8, _t315,  *( *(_v12 + 8)),  *((intOrPtr*)( *(_v12 + 8) + 4)));
      								}
      								goto L102;
      							}
      							_t185 = _t161 - 0xb01a;
      							__eflags = _t185;
      							if(_t185 == 0) {
      								_t188 = IsIconic( *(_v8 + 0x30));
      								__eflags = _t188;
      								if(_t188 == 0) {
      									_t189 = GetFocus();
      									_t340 = _v8;
      									__eflags = _t189 -  *((intOrPtr*)(_t340 + 0x30));
      									if(_t189 ==  *((intOrPtr*)(_t340 + 0x30))) {
      										_t191 = E004483F4(0);
      										__eflags = _t191;
      										if(_t191 != 0) {
      											SetFocus(_t191);
      										}
      									}
      								}
      								goto L102;
      							}
      							__eflags = _t185 == 5;
      							if(_t185 == 5) {
      								L89:
      								E004517D8(_v8,  *(_v12 + 8),  *(_v12 + 4));
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t197 =  *(_v8 + 0x44);
      							__eflags = _t197;
      							if(_t197 != 0) {
      								_t365 = _t197;
      								_t199 = E00437E18(_t197);
      								__eflags = _t199;
      								if(_t199 != 0) {
      									_t202 = IsWindowEnabled(E00437E18(_t365));
      									__eflags = _t202;
      									if(_t202 != 0) {
      										_t205 = IsWindowVisible(E00437E18(_t365));
      										__eflags = _t205;
      										if(_t205 != 0) {
      											 *0x456c94 = 0;
      											_t206 = GetFocus();
      											SetFocus(E00437E18(_t365));
      											E004327D0(_t365,  *(_v12 + 4), 0x112,  *(_v12 + 8));
      											SetFocus(_t206);
      											 *0x456c94 = 1;
      											 *(_v12 + 0xc) = 1;
      										}
      									}
      								}
      							}
      							goto L102;
      						}
      						__eflags = _t161 - 0xb000;
      						if(__eflags > 0) {
      							_t216 = _t161 - 0xb001;
      							__eflags = _t216;
      							if(_t216 == 0) {
      								_t217 = _v8;
      								__eflags =  *((short*)(_t217 + 0x10a));
      								if( *((short*)(_t217 + 0x10a)) != 0) {
      									 *((intOrPtr*)(_v8 + 0x108))();
      								}
      								goto L102;
      							}
      							__eflags = _t216 == 0x15;
      							if(_t216 == 0x15) {
      								_t222 = E00451160(_v8, _t315, _v12);
      								__eflags = _t222;
      								if(_t222 != 0) {
      									 *(_v12 + 0xc) = 1;
      								}
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t224 = _v8;
      							__eflags =  *((short*)(_t224 + 0x112));
      							if( *((short*)(_t224 + 0x112)) != 0) {
      								 *((intOrPtr*)(_v8 + 0x110))();
      							}
      							goto L102;
      						}
      						_t227 = _t161 - 0x112;
      						__eflags = _t227;
      						if(_t227 == 0) {
      							_t231 = ( *(_v12 + 4) & 0x0000fff0) - 0xf020;
      							__eflags = _t231;
      							if(_t231 == 0) {
      								E00450D38(_v8);
      							} else {
      								__eflags = _t231 == 0x100;
      								if(_t231 == 0x100) {
      									E00450DE8(_v8);
      								} else {
      									E00450594(_t369);
      								}
      							}
      							goto L102;
      						}
      						_t239 = _t227 + 0xffffffe0 - 7;
      						__eflags = _t239;
      						if(_t239 < 0) {
      							 *(_v12 + 0xc) = SendMessageA( *(_v12 + 8), _t307 + 0xbc00,  *(_v12 + 4),  *(_v12 + 8));
      							goto L102;
      						}
      						__eflags = _t239 == 0x1e1;
      						if(_t239 == 0x1e1) {
      							_t247 = E004256B0(E004255A8());
      							__eflags = _t247;
      							if(_t247 != 0) {
      								E0042570C(E004255A8());
      							}
      							goto L102;
      						} else {
      							goto L101;
      						}
      					}
      					if(__eflags == 0) {
      						goto L89;
      					}
      					__eflags = _t161 - 0x16;
      					if(__eflags > 0) {
      						__eflags = _t161 - 0x1d;
      						if(__eflags > 0) {
      							_t250 = _t161 - 0x37;
      							__eflags = _t250;
      							if(_t250 == 0) {
      								 *(_v12 + 0xc) = E00450D1C(_v8);
      								goto L102;
      							}
      							__eflags = _t250 == 0x13;
      							if(_t250 == 0x13) {
      								_t254 = _v12;
      								__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) - 0xde534454;
      								if( *((intOrPtr*)( *((intOrPtr*)(_t254 + 8)))) == 0xde534454) {
      									_t256 = _v8;
      									__eflags =  *((char*)(_t256 + 0x9e));
      									if( *((char*)(_t256 + 0x9e)) != 0) {
      										_t257 = _v8;
      										__eflags =  *(_t257 + 0xa0);
      										if( *(_t257 + 0xa0) != 0) {
      											 *(_v12 + 0xc) = 0;
      										} else {
      											_t312 = E0040D90C("vcltest3.dll", _t307, 0x8000);
      											 *(_v8 + 0xa0) = _t312;
      											__eflags = _t312;
      											if(_t312 == 0) {
      												 *(_v12 + 0xc) = GetLastError();
      												 *(_v8 + 0xa0) = 0;
      											} else {
      												 *(_v12 + 0xc) = 0;
      												_t313 = GetProcAddress( *(_v8 + 0xa0), "RegisterAutomation");
      												_v16 = _t313;
      												__eflags = _t313;
      												if(_t313 != 0) {
      													_t269 =  *(_v12 + 8);
      													_v16( *((intOrPtr*)(_t269 + 4)),  *((intOrPtr*)(_t269 + 8)));
      												}
      											}
      										}
      									}
      								}
      								goto L102;
      							} else {
      								goto L101;
      							}
      						}
      						if(__eflags == 0) {
      							_t272 =  *0x46cb48; // 0x2130e74
      							E0044FAC0(_t272);
      							E00450594(_t369);
      							goto L102;
      						}
      						_t275 = _t161 - 0x1a;
      						__eflags = _t275;
      						if(_t275 == 0) {
      							_t276 =  *0x46b78c; // 0x46caa4
      							E0043C7C0( *_t276, _t315,  *(_v12 + 4));
      							E00450528(_v8, _t307, _t315, _v12, _t364);
      							E00450594(_t369);
      							goto L102;
      						}
      						__eflags = _t275 == 2;
      						if(_t275 == 2) {
      							E00450594(_t369);
      							_t284 = _v12;
      							__eflags =  *((intOrPtr*)(_t284 + 4)) - 1;
      							asm("sbb eax, eax");
      							 *((char*)(_v8 + 0x9d)) = _t284 + 1;
      							_t286 = _v12;
      							__eflags =  *(_t286 + 4);
      							if( *(_t286 + 4) == 0) {
      								E00450424();
      								PostMessageA( *(_v8 + 0x30), 0xb001, 0, 0); // executed
      							} else {
      								E00450434(_v8);
      								PostMessageA( *(_v8 + 0x30), 0xb000, 0, 0); // executed
      							}
      							goto L102;
      						} else {
      							goto L101;
      						}
      					}
      					if(__eflags == 0) {
      						_t297 = _v12;
      						__eflags =  *(_t297 + 4);
      						if( *(_t297 + 4) != 0) {
      							E004047E0();
      						}
      						goto L102;
      					}
      					__eflags = _t161 - 0x14;
      					if(_t161 > 0x14) {
      						goto L101;
      					}
      					switch( *((intOrPtr*)(_t161 * 4 +  &M004506C0))) {
      						case 0:
      							0 = E00419D80(0, __ebx, __edi, __esi);
      							goto L102;
      						case 1:
      							goto L101;
      						case 2:
      							_push(0);
      							_push(0);
      							_push(0xb01a);
      							_v8 =  *(_v8 + 0x30);
      							_push( *(_v8 + 0x30));
      							L00407084();
      							__eax = E00450594(__ebp);
      							goto L102;
      						case 3:
      							__eax = _v12;
      							__eflags =  *(__eax + 4);
      							if( *(__eax + 4) == 0) {
      								__eax = E00450594(__ebp);
      								__eax = _v8;
      								__eflags =  *(__eax + 0xac);
      								if( *(__eax + 0xac) == 0) {
      									__eax = _v8;
      									__eax =  *(_v8 + 0x30);
      									__eax = E0044828C( *(_v8 + 0x30), __ebx, __edi, __esi);
      									__edx = _v8;
      									 *(_v8 + 0xac) = __eax;
      								}
      								_v8 = L0045042C();
      							} else {
      								_v8 = E00450434(_v8);
      								__eax = _v8;
      								__eax =  *(_v8 + 0xac);
      								__eflags = __eax;
      								if(__eax != 0) {
      									__eax = _v8;
      									__edx = 0;
      									__eflags = 0;
      									 *(_v8 + 0xac) = 0;
      								}
      								__eax = E00450594(__ebp);
      							}
      							goto L102;
      						case 4:
      							__eax = _v8;
      							__eax =  *(_v8 + 0x30);
      							_push(__eax);
      							L00406FF4();
      							__eflags = __eax;
      							if(__eax == 0) {
      								__eax = E00450594(__ebp);
      							} else {
      								__eax = E004505D0(__ebp);
      							}
      							goto L102;
      						case 5:
      							__eax = _v8;
      							__eax =  *(_v8 + 0x44);
      							__eflags = __eax;
      							if(__eax != 0) {
      								__eax = E0044DC94(__eax, __ecx);
      							}
      							goto L102;
      						case 6:
      							__eax = _v12;
      							 *_v12 = 0x27;
      							__eax = E00450594(__ebp);
      							goto L102;
      					}
      				} else {
      					_t314 = _t305 + 1;
      					_t368 = 0;
      					do {
      						if( *((intOrPtr*)(E0041449C( *((intOrPtr*)(_v8 + 0xa8)), _t315, _t368)))() != 0) {
      							_pop(_t362);
      							 *[fs:eax] = _t362;
      							return 0;
      						}
      						_t368 = _t368 + 1;
      						_t314 = _t314 - 1;
      						__eflags = _t314;
      					} while (_t314 != 0);
      					goto L5;
      				}
      			}


      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID: RegisterAutomation$vcltest3.dll
      • API String ID: 0-2963190186
      • Opcode ID: 0ba99020f4f2aea9c7dcbde37c7af8a7d8db4a05f57ba0d3bba396c581ad2bc8
      • Instruction ID: 85fb4b39febe4d3c478d1377491793276329876b1ef8cc7cfe0591bcc0962890
      • Opcode Fuzzy Hash: 0ba99020f4f2aea9c7dcbde37c7af8a7d8db4a05f57ba0d3bba396c581ad2bc8
      • Instruction Fuzzy Hash: F6E16B38A00204EFD715DBA9C589A9EB7B0FF09311F1486A7EC049B357C738EE499B09
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0044D604(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				char _v12;
      				intOrPtr _t149;
      				intOrPtr _t154;
      				intOrPtr _t155;
      				intOrPtr _t160;
      				intOrPtr _t162;
      				intOrPtr _t163;
      				void* _t165;
      				struct HWND__* _t166;
      				long _t176;
      				signed int _t198;
      				signed int _t199;
      				long _t220;
      				intOrPtr _t226;
      				int _t231;
      				intOrPtr _t232;
      				intOrPtr _t241;
      				intOrPtr _t245;
      				signed int _t248;
      				intOrPtr _t251;
      				intOrPtr _t252;
      				signed int _t258;
      				long _t259;
      				intOrPtr _t262;
      				intOrPtr _t266;
      				signed int _t269;
      				intOrPtr _t270;
      				intOrPtr _t271;
      				signed int _t277;
      				long _t278;
      				intOrPtr _t281;
      				signed int _t286;
      				signed int _t287;
      				long _t290;
      				intOrPtr _t294;
      				struct HWND__* _t299;
      				signed int _t301;
      				signed int _t302;
      				signed int _t305;
      				signed int _t307;
      				long _t308;
      				signed int _t311;
      				signed int _t313;
      				long _t314;
      				signed int _t317;
      				signed int _t318;
      				signed int _t326;
      				long _t328;
      				intOrPtr _t331;
      				intOrPtr _t362;
      				long _t370;
      				void* _t372;
      				void* _t373;
      				intOrPtr _t374;
      
      				_t372 = _t373;
      				_t374 = _t373 + 0xfffffff8;
      				_v12 = 0;
      				_v8 = __eax;
      				_push(_t372);
      				_push(0x44db6e);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t374;
      				if(( *(_v8 + 0x1c) & 0x00000010) == 0 && ( *(_v8 + 0x2f4) & 0x00000004) != 0) {
      					_t294 =  *0x46b7d0; // 0x41b368
      					E004064A4(_t294, 0,  &_v12);
      					E0040BE04(_v12, 1);
      					E004042EC();
      				}
      				_t149 =  *0x46cb44; // 0x2131268, executed
      				E00451EB4(_t149); // executed
      				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000004;
      				_push(_t372);
      				_push(0x44db51);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t374;
      				if(( *(_v8 + 0x1c) & 0x00000010) == 0) {
      					_t155 = _v8;
      					_t378 =  *((char*)(_t155 + 0x1a6));
      					if( *((char*)(_t155 + 0x1a6)) == 0) {
      						_push(_t372);
      						_push(0x44da58);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t374;
      						E00403D6C(_v8, __eflags);
      						 *[fs:eax] = 0;
      						_t160 =  *0x46cb48; // 0x2130e74
      						_t127 = _t160 + 0x6c; // 0x2131e80
      						__eflags =  *_t127 - _v8;
      						if( *_t127 == _v8) {
      							__eflags = 0;
      							E0044C7B0(_v8, 0);
      						}
      						_t162 = _v8;
      						__eflags =  *((char*)(_t162 + 0x22f)) - 1;
      						if( *((char*)(_t162 + 0x22f)) != 1) {
      							_t163 = _v8;
      							__eflags =  *(_t163 + 0x2f4) & 0x00000008;
      							if(( *(_t163 + 0x2f4) & 0x00000008) == 0) {
      								_t299 = 0;
      								_t165 = E00437E18(_v8);
      								_t166 = GetActiveWindow();
      								__eflags = _t165 - _t166;
      								if(_t165 == _t166) {
      									_t176 = IsIconic(E00437E18(_v8));
      									__eflags = _t176;
      									if(_t176 == 0) {
      										_t299 = E004483F4(E00437E18(_v8));
      									}
      								}
      								__eflags = _t299;
      								if(_t299 == 0) {
      									ShowWindow(E00437E18(_v8), 0);
      								} else {
      									SetWindowPos(E00437E18(_v8), 0, 0, 0, 0, 0, 0x97);
      									SetActiveWindow(_t299);
      								}
      							} else {
      								SetWindowPos(E00437E18(_v8), 0, 0, 0, 0, 0, 0x97);
      							}
      						} else {
      							E00435370(_v8);
      						}
      					} else {
      						_push(_t372);
      						_push(0x44d6bc);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t374;
      						E00403D6C(_v8, _t378);
      						 *[fs:eax] = 0;
      						if( *((char*)(_v8 + 0x230)) == 4 ||  *((char*)(_v8 + 0x230)) == 6 &&  *((char*)(_v8 + 0x22f)) == 1) {
      							if( *((char*)(_v8 + 0x22f)) != 1) {
      								_t301 = E0044EE98() -  *(_v8 + 0x48);
      								__eflags = _t301;
      								_t302 = _t301 >> 1;
      								if(_t301 < 0) {
      									asm("adc ebx, 0x0");
      								}
      								_t198 = E0044EE8C() -  *(_v8 + 0x4c);
      								__eflags = _t198;
      								_t199 = _t198 >> 1;
      								if(_t198 < 0) {
      									asm("adc eax, 0x0");
      								}
      							} else {
      								_t241 =  *0x46cb44; // 0x2131268
      								_t31 = _t241 + 0x44; // 0x2131e80
      								_t305 = E00431020( *_t31) -  *(_v8 + 0x48);
      								_t302 = _t305 >> 1;
      								if(_t305 < 0) {
      									asm("adc ebx, 0x0");
      								}
      								_t245 =  *0x46cb44; // 0x2131268
      								_t34 = _t245 + 0x44; // 0x2131e80
      								_t248 = E00431064( *_t34) -  *(_v8 + 0x4c);
      								_t199 = _t248 >> 1;
      								if(_t248 < 0) {
      									asm("adc eax, 0x0");
      								}
      							}
      							if(_t302 < 0) {
      								_t302 = 0;
      							}
      							if(_t199 < 0) {
      								_t199 = 0;
      							}
      							_t326 = _t199;
      							 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      							if( *((char*)(_v8 + 0x57)) != 0) {
      								E0044BA58(_v8, _t326);
      							}
      						} else {
      							_t251 =  *((intOrPtr*)(_v8 + 0x230));
      							__eflags = _t251 + 0xfa - 2;
      							if(_t251 + 0xfa - 2 >= 0) {
      								__eflags = _t251 - 5;
      								if(_t251 == 5) {
      									_t252 = _v8;
      									__eflags =  *((char*)(_t252 + 0x22f)) - 1;
      									if( *((char*)(_t252 + 0x22f)) != 1) {
      										_t307 = E0044EEC8() -  *(_v8 + 0x48);
      										__eflags = _t307;
      										_t308 = _t307 >> 1;
      										if(_t307 < 0) {
      											asm("adc ebx, 0x0");
      										}
      										_t258 = E0044EEBC() -  *(_v8 + 0x4c);
      										__eflags = _t258;
      										_t259 = _t258 >> 1;
      										if(_t258 < 0) {
      											asm("adc eax, 0x0");
      										}
      									} else {
      										_t262 =  *0x46cb44; // 0x2131268
      										_t82 = _t262 + 0x44; // 0x2131e80
      										_t311 = E00431020( *_t82) -  *(_v8 + 0x48);
      										__eflags = _t311;
      										_t308 = _t311 >> 1;
      										if(_t311 < 0) {
      											asm("adc ebx, 0x0");
      										}
      										_t266 =  *0x46cb44; // 0x2131268
      										_t85 = _t266 + 0x44; // 0x2131e80
      										_t269 = E00431064( *_t85) -  *(_v8 + 0x4c);
      										__eflags = _t269;
      										_t259 = _t269 >> 1;
      										if(_t269 < 0) {
      											asm("adc eax, 0x0");
      										}
      									}
      									__eflags = _t308;
      									if(_t308 < 0) {
      										_t308 = 0;
      										__eflags = 0;
      									}
      									__eflags = _t259;
      									if(_t259 < 0) {
      										_t259 = 0;
      										__eflags = 0;
      									}
      									 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      								}
      							} else {
      								_t270 =  *0x46cb44; // 0x2131268
      								_t52 = _t270 + 0x44; // 0x2131e80
      								_t370 =  *_t52;
      								_t271 = _v8;
      								__eflags =  *((char*)(_t271 + 0x230)) - 7;
      								if( *((char*)(_t271 + 0x230)) == 7) {
      									_t362 =  *0x446d0c; // 0x446d58
      									_t290 = E00403CFC( *(_v8 + 4), _t362);
      									__eflags = _t290;
      									if(_t290 != 0) {
      										_t370 =  *(_v8 + 4);
      									}
      								}
      								__eflags = _t370;
      								if(_t370 == 0) {
      									_t313 = E0044EE98() -  *(_v8 + 0x48);
      									__eflags = _t313;
      									_t314 = _t313 >> 1;
      									if(_t313 < 0) {
      										asm("adc ebx, 0x0");
      									}
      									_t277 = E0044EE8C() -  *(_v8 + 0x4c);
      									__eflags = _t277;
      									_t278 = _t277 >> 1;
      									if(_t277 < 0) {
      										asm("adc eax, 0x0");
      									}
      								} else {
      									_t59 = _t370 + 0x48; // 0x1da
      									_t317 =  *_t59 -  *(_v8 + 0x48);
      									__eflags = _t317;
      									_t318 = _t317 >> 1;
      									if(_t317 < 0) {
      										asm("adc ebx, 0x0");
      									}
      									_t62 = _t370 + 0x40; // 0x193
      									_t314 = _t318 +  *_t62;
      									_t63 = _t370 + 0x4c; // 0x7f
      									_t286 =  *_t63 -  *(_v8 + 0x4c);
      									__eflags = _t286;
      									_t287 = _t286 >> 1;
      									if(_t286 < 0) {
      										asm("adc eax, 0x0");
      									}
      									_t66 = _t370 + 0x44; // 0x1c0
      									_t278 = _t287 +  *_t66;
      								}
      								__eflags = _t314;
      								if(_t314 < 0) {
      									_t314 = 0;
      									__eflags = 0;
      								}
      								__eflags = _t278;
      								if(_t278 < 0) {
      									_t278 = 0;
      									__eflags = 0;
      								}
      								_t328 = _t278;
      								 *((intOrPtr*)( *_v8 + 0x84))( *(_v8 + 0x4c),  *(_v8 + 0x48));
      								_t281 = _v8;
      								__eflags =  *((char*)(_t281 + 0x57));
      								if( *((char*)(_t281 + 0x57)) != 0) {
      									E0044BA58(_v8, _t328);
      								}
      							}
      						}
      						 *((char*)(_v8 + 0x230)) = 0;
      						if( *((char*)(_v8 + 0x22f)) != 1) {
      							ShowWindow(E00437E18(_v8),  *(0x456d08 + ( *(_v8 + 0x22b) & 0x000000ff) * 4)); // executed
      						} else {
      							if( *(_v8 + 0x22b) != 2) {
      								ShowWindow(E00437E18(_v8),  *(0x456d08 + ( *(_v8 + 0x22b) & 0x000000ff) * 4));
      								_t220 =  *(_v8 + 0x48) |  *(_v8 + 0x4c) << 0x00000010;
      								__eflags = _t220;
      								CallWindowProcA(0x406d8c, E00437E18(_v8), 5, 0, _t220);
      								E0043187C();
      							} else {
      								_t231 = E00437E18(_v8);
      								_t232 =  *0x46cb44; // 0x2131268
      								_t105 = _t232 + 0x44; // 0x2131e80
      								_t106 =  *_t105 + 0x254; // 0x0
      								SendMessageA( *_t106, 0x223, _t231, 0);
      								ShowWindow(E00437E18(_v8), 3);
      							}
      							_t226 =  *0x46cb44; // 0x2131268
      							_t119 = _t226 + 0x44; // 0x2131e80
      							_t120 =  *_t119 + 0x254; // 0x0
      							SendMessageA( *_t120, 0x234, 0, 0);
      						}
      					}
      				}
      				_pop(_t331);
      				 *[fs:eax] = _t331;
      				_push(0x44db58);
      				_t154 = _v8;
      				 *(_t154 + 0x2f4) =  *(_t154 + 0x2f4) & 0x000000fb;
      				return _t154;
      			}

      APIs
      • KiUserCallbackDispatcher.NTDLL(?,?,00000000,0044DB51), ref: 0044D796
      • SendMessageA.USER32 ref: 0044D985
        • Part of subcall function 004064A4: LoadStringA.USER32 ref: 004064D6
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CallbackDispatcherLoadMessageSendStringUser
      • String ID: XmD
      • API String ID: 830504888-1007433337
      • Opcode ID: 964e089a63ba9463f6094f551cf2dc42ade77f637f2c28c6603ac26d352afdda
      • Instruction ID: 17c6b9fca8f0dfafda715134ff59f8d20104fd14869eb34a8d01e9dac4c61255
      • Opcode Fuzzy Hash: 964e089a63ba9463f6094f551cf2dc42ade77f637f2c28c6603ac26d352afdda
      • Instruction Fuzzy Hash: 6BF16E30A04244EFEB00DFA9D986BAE77F0AB08304F1540B6E544EB362D779BE40DB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 61%
      			E00405CBF() {
      				void* _t42;
      				void* _t45;
      				struct HINSTANCE__* _t52;
      				struct HINSTANCE__* _t59;
      				struct HINSTANCE__* _t67;
      				void* _t76;
      
      				_push(0x105);
      				_push( *((intOrPtr*)(_t76 - 4)));
      				_push(_t76 - 0x121);
      				L004012D4();
      				GetLocaleInfoA(GetThreadLocale(), 3, _t76 - 0xd, 5); // executed
      				_t67 = 0;
      				if( *(_t76 - 0x121) == 0 ||  *(_t76 - 0xd) == 0 &&  *((char*)(_t76 - 0x12)) == 0) {
      					L14:
      					return _t67;
      				} else {
      					_t42 = _t76 - 0x121;
      					_push(_t42);
      					L004012DC();
      					 *((intOrPtr*)(_t76 - 0x1c)) = _t42 + _t76 - 0x121;
      					L5:
      					if( *((char*)( *((intOrPtr*)(_t76 - 0x1c)))) != 0x2e && _t76 - 0x121 !=  *((intOrPtr*)(_t76 - 0x1c))) {
      						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) - 1;
      						goto L5;
      					}
      					_t45 = _t76 - 0x121;
      					if(_t45 !=  *((intOrPtr*)(_t76 - 0x1c))) {
      						 *((intOrPtr*)(_t76 - 0x1c)) =  *((intOrPtr*)(_t76 - 0x1c)) + 1;
      						if( *((char*)(_t76 - 0x12)) != 0) {
      							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t45);
      							_push(_t76 - 0x12);
      							_push( *((intOrPtr*)(_t76 - 0x1c)));
      							L004012D4();
      							_t67 = LoadLibraryExA(_t76 - 0x121, 0, 2);
      						}
      						if(_t67 == 0 &&  *(_t76 - 0xd) != 0) {
      							_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
      							_push(_t76 - 0xd);
      							_push( *((intOrPtr*)(_t76 - 0x1c)));
      							L004012D4();
      							_t52 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
      							_t67 = _t52;
      							if(_t67 == 0) {
      								 *((char*)(_t76 - 0xb)) = 0;
      								_push(0x105 -  *((intOrPtr*)(_t76 - 0x1c)) - _t76 - 0x121);
      								_push(_t76 - 0xd);
      								_push( *((intOrPtr*)(_t76 - 0x1c)));
      								L004012D4();
      								_t59 = LoadLibraryExA(_t76 - 0x121, 0, 2); // executed
      								_t67 = _t59;
      							}
      						}
      					}
      					goto L14;
      				}
      			}

      APIs
      • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00405CCF
      • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00405CDC
      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00405CE2
      • lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00405D0D
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D62
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405D72
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00405D9E
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00405DAE
      • lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 00405DD8
      • LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 00405DE8
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
      • API String ID: 1599918012-2375825460
      • Opcode ID: 88326ff7fc12c8fd9b9bbbe3029879190534d8d9203839bf8fe7a52cae8cc4bd
      • Instruction ID: 3934a18d3daaf2464fe8a0d7d82db5fdb74b30492aada46bfaf36b30f03f32ea
      • Opcode Fuzzy Hash: 88326ff7fc12c8fd9b9bbbe3029879190534d8d9203839bf8fe7a52cae8cc4bd
      • Instruction Fuzzy Hash: 52313E71E0424A7EEB15EAE9C889FEFB7BC9F48304F4081A7A145F21C1D6BC9A448F14
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0043582C(void* __eax, intOrPtr* __edx) {
      				char _v20;
      				char _v28;
      				intOrPtr _t17;
      				void* _t19;
      				void* _t21;
      				void* _t23;
      				void* _t32;
      				void* _t39;
      				void* _t45;
      				intOrPtr _t47;
      				intOrPtr _t48;
      				void* _t50;
      				void* _t51;
      				intOrPtr* _t65;
      				intOrPtr* _t67;
      				void* _t68;
      
      				_t67 = __edx;
      				_t50 = __eax;
      				_t17 =  *__edx;
      				_t68 = _t17 - 0x84;
      				if(_t68 > 0) {
      					_t19 = _t17 + 0xffffff00 - 9;
      					if(_t19 < 0) {
      						_t21 = E00431D80(__eax);
      						if(_t21 != 0) {
      							L28:
      							return _t21;
      						}
      						L27:
      						_t23 = E0043289C(_t50, _t67); // executed
      						return _t23;
      					}
      					if(_t19 + 0xffffff09 - 0xb < 0) {
      						_t21 = E00435798(__eax, _t51, __edx);
      						if(_t21 == 0) {
      							goto L27;
      						}
      						if( *((intOrPtr*)(_t67 + 0xc)) != 0) {
      							goto L28;
      						}
      						_t21 = E0043811C(_t50);
      						if(_t21 == 0) {
      							goto L28;
      						}
      						_push( *((intOrPtr*)(_t67 + 8)));
      						_push( *((intOrPtr*)(_t67 + 4)));
      						_push( *_t67);
      						_t32 = E00437E18(_t50);
      						_push(_t32);
      						L00406D94();
      						return _t32;
      					}
      					goto L27;
      				}
      				if(_t68 == 0) {
      					_t21 = E0043289C(__eax, __edx);
      					if( *((intOrPtr*)(__edx + 0xc)) != 0xffffffff) {
      						goto L28;
      					}
      					E00407268( *((intOrPtr*)(__edx + 8)), _t51,  &_v20);
      					E00431160(_t50,  &_v28,  &_v20);
      					_t21 = E00435704(_t50, 0,  &_v28, 0);
      					if(_t21 == 0) {
      						goto L28;
      					}
      					 *((intOrPtr*)(_t67 + 0xc)) = 1;
      					return _t21;
      				}
      				_t39 = _t17 - 7;
      				if(_t39 == 0) {
      					_t65 = E00448668(__eax);
      					if(_t65 == 0) {
      						goto L27;
      					}
      					_t21 =  *((intOrPtr*)( *_t65 + 0xe8))();
      					if(_t21 == 0) {
      						goto L28;
      					}
      					goto L27;
      				}
      				_t21 = _t39 - 1;
      				if(_t21 == 0) {
      					if(( *(__eax + 0x54) & 0x00000020) != 0) {
      						goto L28;
      					}
      				} else {
      					if(_t21 == 0x17) {
      						_t45 = E00437E18(__eax);
      						if(_t45 == GetCapture() &&  *0x456b08 != 0) {
      							_t47 =  *0x456b08; // 0x0
      							if(_t50 ==  *((intOrPtr*)(_t47 + 0x30))) {
      								_t48 =  *0x456b08; // 0x0
      								E004327D0(_t48, 0, 0x1f, 0);
      							}
      						}
      					}
      				}
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Capture
      • String ID:
      • API String ID: 1145282425-3916222277
      • Opcode ID: 66858b5c65f9f96124c1c1a20a3afe1e62cfc2885425e7b3db6683ca97040c75
      • Instruction ID: 9a1fb202d9eefaca3519e7d522e0e936c3de1599858127d307be13c4b5eecb1e
      • Opcode Fuzzy Hash: 66858b5c65f9f96124c1c1a20a3afe1e62cfc2885425e7b3db6683ca97040c75
      • Instruction Fuzzy Hash: 6431D2B1304B00CBCB24AA3DC88171A63855F5D374F10AA7FB4A6DB392DA3CDC468B59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0043289C(intOrPtr* __eax, signed int* __edx) {
      				signed int _v12;
      				short _v14;
      				char _v16;
      				signed int _v20;
      				intOrPtr* _v24;
      				char _v280;
      				signed int _t39;
      				signed int _t40;
      				signed int _t46;
      				intOrPtr* _t47;
      				signed int _t50;
      				signed int _t53;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				signed int _t67;
      				signed int _t68;
      				void* _t73;
      				signed int* _t79;
      				intOrPtr _t90;
      				intOrPtr* _t96;
      
      				_t79 = __edx;
      				_t96 = __eax;
      				if(( *(__eax + 0x1c) & 0x00000010) == 0) {
      					L4:
      					_t39 =  *_t79;
      					if(_t39 < 0x100 || _t39 > 0x108) {
      						_t40 =  *_t79;
      						__eflags = _t40 - 0x200;
      						if(_t40 < 0x200) {
      							L30:
      							__eflags = _t40 - 0xb00b;
      							if(_t40 == 0xb00b) {
      								E004311BC(_t96, _t79[1], _t40, _t79[2]);
      							}
      							L32:
      							return  *((intOrPtr*)( *_t96 - 0x14))();
      						}
      						__eflags = _t40 - 0x20a;
      						if(_t40 > 0x20a) {
      							goto L30;
      						}
      						__eflags =  *(_t96 + 0x50) & 0x00000080;
      						if(( *(_t96 + 0x50) & 0x00000080) != 0) {
      							L16:
      							_t46 =  *_t79 - 0x200;
      							__eflags = _t46;
      							if(__eflags == 0) {
      								L21:
      								_t47 =  *0x46b67c; // 0x46cb44
      								E00451FD0( *_t47, _t79, _t96, __eflags);
      								goto L32;
      							}
      							_t50 = _t46 - 1;
      							__eflags = _t50;
      							if(_t50 == 0) {
      								L22:
      								__eflags =  *((char*)(_t96 + 0x5d)) - 1;
      								if(__eflags != 0) {
      									 *(_t96 + 0x54) =  *(_t96 + 0x54) | 0x00000001;
      									goto L32;
      								}
      								return E00403D6C(_t96, __eflags);
      							}
      							_t53 = _t50 - 1;
      							__eflags = _t53;
      							if(_t53 == 0) {
      								 *(_t96 + 0x54) =  *(_t96 + 0x54) & 0x0000fffe;
      								goto L32;
      							}
      							__eflags = _t53 == 1;
      							if(_t53 == 1) {
      								goto L22;
      							}
      							_t55 =  *0x46caa4; // 0x2130e48
      							__eflags =  *((char*)(_t55 + 0x20));
      							if( *((char*)(_t55 + 0x20)) == 0) {
      								goto L32;
      							} else {
      								_t56 =  *0x46caa4; // 0x2130e48
      								__eflags =  *(_t56 + 0x1c);
      								if( *(_t56 + 0x1c) == 0) {
      									goto L32;
      								}
      								_t90 =  *0x46caa4; // 0x2130e48
      								_t25 = _t90 + 0x1c; // 0x0
      								__eflags =  *_t79 -  *_t25;
      								if( *_t79 !=  *_t25) {
      									goto L32;
      								}
      								GetKeyboardState( &_v280);
      								_v20 =  *_t79;
      								_v16 = E004485AC( &_v280);
      								_v14 = _t79[1];
      								_v12 = _t79[2];
      								return E00403D6C(_t96, __eflags);
      							}
      							goto L21;
      						}
      						_t67 = _t40 - 0x203;
      						__eflags = _t67;
      						if(_t67 == 0) {
      							L15:
      							 *_t79 =  *_t79 - 2;
      							__eflags =  *_t79;
      							goto L16;
      						}
      						_t68 = _t67 - 3;
      						__eflags = _t68;
      						if(_t68 == 0) {
      							goto L15;
      						}
      						__eflags = _t68 != 3;
      						if(_t68 != 3) {
      							goto L16;
      						}
      						goto L15;
      					}
      					_v24 = E00448668(_t96);
      					if(_v24 == 0) {
      						goto L32;
      					}
      					_t73 =  *((intOrPtr*)( *_v24 + 0xf0))();
      					if(_t73 == 0) {
      						goto L32;
      					}
      				} else {
      					_v24 = E00448668(__eax);
      					if(_v24 == 0 ||  *((intOrPtr*)(_v24 + 0x250)) == 0) {
      						goto L4;
      					} else {
      						_t73 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v24 + 0x250)))) + 0x24))();
      						if(_t73 == 0) {
      							goto L4;
      						}
      					}
      				}
      				return _t73;
      			}

      APIs
      • GetKeyboardState.USER32(?), ref: 004329D1
      • KiUserCallbackDispatcher.NTDLL ref: 00432A24
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CallbackDispatcherKeyboardStateUser
      • String ID:
      • API String ID: 4281813569-0
      • Opcode ID: 74b6afffda12f7bc1d7ea52af28815c80511b68f7945d2466aa25aeb0bb2e27e
      • Instruction ID: a4803adaf3eefa6ba985f4513be6023ebf9fe727cf7ceabbdce64d3ec0b73631
      • Opcode Fuzzy Hash: 74b6afffda12f7bc1d7ea52af28815c80511b68f7945d2466aa25aeb0bb2e27e
      • Instruction Fuzzy Hash: 8C419D307002558BCB20EB68DA887AEB7A0AF09310F1451ABD444BB395D7B8DD45CB9A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E00414038(void* __eax, struct HINSTANCE__* __edx) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				signed int _t10;
      				intOrPtr _t15;
      				struct HINSTANCE__* _t20;
      				intOrPtr* _t22;
      				intOrPtr _t30;
      				void* _t32;
      				intOrPtr* _t35;
      				intOrPtr _t38;
      				intOrPtr _t40;
      
      				_t38 = _t40;
      				_push(_t22);
      				_t35 = _t22;
      				_t20 = __edx;
      				_t32 = __eax;
      				if(__edx == 0) {
      					_t20 =  *0x46c664; // 0x400000
      				}
      				_t10 = FindResourceA(_t20, E00404D98(_t32), 0xa) & 0xffffff00 | _t9 != 0x00000000;
      				_t43 = _t10;
      				if(_t10 == 0) {
      					return _t10;
      				} else {
      					_v8 = E00416A10(_t20, 1, 0xa, _t32);
      					_push(_t38);
      					_push(0x4140ac);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t40;
      					_t15 = E00416504(_v8, _t20,  *_t35, _t32, _t35, _t43); // executed
      					 *_t35 = _t15;
      					_pop(_t30);
      					 *[fs:eax] = _t30;
      					_push(E004140B3);
      					return E00403B64(_v8);
      				}
      			}

      APIs
      • FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041405A
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: FindResource
      • String ID:
      • API String ID: 1635176832-0
      • Opcode ID: a87a8a8e70ca48b30a21d773078be582ede1dad3d8f069caf2e0477c23b1946e
      • Instruction ID: c173584460829ebe0b9554a129c95bc4c3d111f2eead2ba069aff5e907944b92
      • Opcode Fuzzy Hash: a87a8a8e70ca48b30a21d773078be582ede1dad3d8f069caf2e0477c23b1946e
      • Instruction Fuzzy Hash: 8401D471304300AFD710EF6BEC9296ABBEDDB89714722407AF604D7282DA7A9C00966C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E0041E714(intOrPtr __eax, intOrPtr __edx) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v48;
      				struct _SYSTEM_INFO* _t17;
      				unsigned int _t20;
      				unsigned int _t22;
      				signed int _t31;
      				intOrPtr _t33;
      
      				_v12 = __edx;
      				_v8 = __eax;
      				_t17 =  &_v48;
      				GetSystemInfo(_t17); // executed
      				_t33 = _v8;
      				_t31 = _v12 - 1;
      				if(_t31 >= 0) {
      					if( *((short*)( &_v48 + 0x20)) == 3) {
      						do {
      							_t20 =  *(_t33 + _t31 * 4) >> 0x10;
      							 *(_t33 + _t31 * 4) = _t20;
      							_t31 = _t31 - 1;
      						} while (_t31 >= 0);
      						return _t20;
      					} else {
      						goto L2;
      					}
      					do {
      						L2:
      						asm("bswap eax");
      						_t22 =  *(_t33 + _t31 * 4) >> 8;
      						 *(_t33 + _t31 * 4) = _t22;
      						_t31 = _t31 - 1;
      					} while (_t31 >= 0);
      					return _t22;
      				}
      				return _t17;
      			}

      APIs
      • GetSystemInfo.KERNEL32(?), ref: 0041E724
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoSystem
      • String ID:
      • API String ID: 31276548-0
      • Opcode ID: 850649dd9cde938ba69a54dfa49c9e0a55357d5bb72568a860e75057c2bc7d81
      • Instruction ID: 0f9d3d28f0b23eed663938fb1e940d19010725ad38dbb5cf1cabf4769e918c14
      • Opcode Fuzzy Hash: 850649dd9cde938ba69a54dfa49c9e0a55357d5bb72568a860e75057c2bc7d81
      • Instruction Fuzzy Hash: 4EF0F675E01109DFDB14EF99C4888DCB7B4FB5630174442AAD814E7382EB38A590CB84
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0043CE54(void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _t6;
      				intOrPtr _t8;
      				intOrPtr _t10;
      				intOrPtr _t12;
      				intOrPtr _t14;
      				void* _t16;
      				void* _t17;
      				intOrPtr _t20;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t23;
      				intOrPtr _t28;
      
      				_t25 = __esi;
      				_t17 = __ecx;
      				_push(_t28);
      				_push(0x43ceda);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t28;
      				 *0x46caac =  *0x46caac - 1;
      				if( *0x46caac < 0) {
      					 *0x46caa8 = (GetVersion() & 0x000000ff) - 4 >= 0; // executed
      					_t31 =  *0x46caa8;
      					E0043CC20(_t16, __edi,  *0x46caa8);
      					_t6 =  *0x42cfe0; // 0x42d02c
      					E00413CC4(_t6, _t16, _t17,  *0x46caa8);
      					_t8 =  *0x42cfe0; // 0x42d02c
      					E00413D64(_t8, _t16, _t17, _t31);
      					_t21 =  *0x42cfe0; // 0x42d02c
      					_t10 =  *0x43e27c; // 0x43e2c8
      					E00413D10(_t10, _t16, _t21, __esi, _t31);
      					_t22 =  *0x42cfe0; // 0x42d02c
      					_t12 =  *0x43cee4; // 0x43cf30
      					E00413D10(_t12, _t16, _t22, __esi, _t31);
      					_t23 =  *0x42cfe0; // 0x42d02c
      					_t14 =  *0x43d008; // 0x43d054
      					E00413D10(_t14, _t16, _t23, _t25, _t31);
      				}
      				_pop(_t20);
      				 *[fs:eax] = _t20;
      				_push(0x43cee1);
      				return 0;
      			}

      APIs
      • GetVersion.KERNEL32(00000000,0043CEDA), ref: 0043CE6E
        • Part of subcall function 0043CC20: GetCurrentProcessId.KERNEL32(?,00000000,0043CD98), ref: 0043CC41
        • Part of subcall function 0043CC20: GlobalAddAtomA.KERNEL32 ref: 0043CC74
        • Part of subcall function 0043CC20: GetCurrentThreadId.KERNEL32 ref: 0043CC8F
        • Part of subcall function 0043CC20: GlobalAddAtomA.KERNEL32 ref: 0043CCC5
        • Part of subcall function 0043CC20: RegisterClipboardFormatA.USER32(00000000), ref: 0043CCDB
        • Part of subcall function 0043CC20: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0043CD5F
        • Part of subcall function 0043CC20: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043CD70
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
      • String ID:
      • API String ID: 3775504709-0
      • Opcode ID: 09d4d5ec5161c5e43ed974ef69de0e9615d83c6ed28fecb04647864f19da2e46
      • Instruction ID: ec9272ab661991192dab41c042b9f6fbfa6ba680c70deb6e5e32577c34eb06fb
      • Opcode Fuzzy Hash: 09d4d5ec5161c5e43ed974ef69de0e9615d83c6ed28fecb04647864f19da2e46
      • Instruction Fuzzy Hash: 9DF03C353042408FC611FF66FDC291A73A5F749749BA29437E80093AA5D6389C42DB8D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E00450594(intOrPtr _a4) {
      				intOrPtr _t26;
      
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 8)));
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 4)));
      				_push( *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)))));
      				_t26 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30));
      				_push(_t26); // executed
      				L00406D94(); // executed
      				 *((intOrPtr*)( *((intOrPtr*)(_a4 - 8)) + 0xc)) = _t26;
      				return _t26;
      			}

      APIs
      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004505BE
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: NtdllProc_Window
      • String ID:
      • API String ID: 4255912815-0
      • Opcode ID: a0d0599e936251741e21a05fa445e42998fce430f2c468d0038edade3f3cf750
      • Instruction ID: 91d705e2bc7dfa67a160f8e773f53d8101ffc3b96d04ad947ce6b46072f4bddc
      • Opcode Fuzzy Hash: a0d0599e936251741e21a05fa445e42998fce430f2c468d0038edade3f3cf750
      • Instruction Fuzzy Hash: E4F0C579205608AFCB40DF9DC588D4AFBE8BF4C260B058595B988CB322D234FD81CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E0043CC20(void* __ebx, void* __edi, void* __eflags) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				long _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _t25;
      				short _t27;
      				char _t29;
      				intOrPtr _t35;
      				short _t37;
      				intOrPtr _t38;
      				intOrPtr _t47;
      				intOrPtr _t49;
      				intOrPtr* _t50;
      				intOrPtr _t53;
      				struct HINSTANCE__* _t63;
      				intOrPtr* _t78;
      				intOrPtr* _t80;
      				intOrPtr _t83;
      				void* _t87;
      
      				_v20 = 0;
      				_v8 = 0;
      				_push(_t87);
      				_push(0x43cd98);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t87 + 0xffffffe0;
      				_v16 = GetCurrentProcessId();
      				_v12 = 0;
      				E00409534("Delphi%.8X", 0,  &_v16,  &_v8);
      				E0040492C(0x46cab4, _v8);
      				_t25 =  *0x46cab4; // 0x2130dd0
      				_t27 = GlobalAddAtomA(E00404D98(_t25)); // executed
      				 *0x46cab0 = _t27;
      				_t29 =  *0x46c664; // 0x400000
      				_v36 = _t29;
      				_v32 = 0;
      				_v28 = GetCurrentThreadId();
      				_v24 = 0;
      				E00409534("ControlOfs%.8X%.8X", 1,  &_v36,  &_v20);
      				E0040492C(0x46cab8, _v20);
      				_t35 =  *0x46cab8; // 0x2130dec
      				_t37 = GlobalAddAtomA(E00404D98(_t35)); // executed
      				 *0x46cab2 = _t37;
      				_t38 =  *0x46cab8; // 0x2130dec
      				 *0x46cabc = RegisterClipboardFormatA(E00404D98(_t38));
      				 *0x46caf4 = E004146D0(1);
      				E0043C824();
      				 *0x46caa4 = E0043C64C(1, 1);
      				_t47 = E0044EC6C(1, __edi);
      				_t78 =  *0x46b7bc; // 0x46cb48
      				 *_t78 = _t47;
      				_t49 = E0044FD80(0, 1);
      				_t80 =  *0x46b67c; // 0x46cb44
      				 *_t80 = _t49;
      				_t50 =  *0x46b67c; // 0x46cb44
      				E00451AD8( *_t50, 1);
      				_t53 =  *0x42bfb8; // 0x42bfbc
      				E00413E50(_t53, 0x42e6ac, 0x42e6bc);
      				_t63 = GetModuleHandleA("USER32");
      				if(_t63 != 0) {
      					 *0x456a44 = GetProcAddress(_t63, "AnimateWindow");
      				}
      				_pop(_t83);
      				 *[fs:eax] = _t83;
      				_push(0x43cd9f);
      				E004048D8( &_v20);
      				return E004048D8( &_v8);
      			}

      APIs
      • GetCurrentProcessId.KERNEL32(?,00000000,0043CD98), ref: 0043CC41
      • GlobalAddAtomA.KERNEL32 ref: 0043CC74
      • GetCurrentThreadId.KERNEL32 ref: 0043CC8F
      • GlobalAddAtomA.KERNEL32 ref: 0043CCC5
      • RegisterClipboardFormatA.USER32(00000000), ref: 0043CCDB
        • Part of subcall function 004146D0: RtlInitializeCriticalSection.KERNEL32(List("A,?,?,0041B2B1,00000000,0041B2D5), ref: 004146EF
        • Part of subcall function 0043C824: SetErrorMode.KERNEL32(00008000), ref: 0043C83D
        • Part of subcall function 0043C824: GetModuleHandleA.KERNEL32(USER32,00000000,0043C98A,?,00008000), ref: 0043C861
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043C86E
        • Part of subcall function 0043C824: LoadLibraryA.KERNEL32(imm32.dll,00000000,0043C98A,?,00008000), ref: 0043C88A
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043C8AC
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043C8C1
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043C8D6
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043C8EB
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043C900
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043C915
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043C92A
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043C93F
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043C954
        • Part of subcall function 0043C824: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043C969
        • Part of subcall function 0043C824: SetErrorMode.KERNEL32(?,0043C991,00008000), ref: 0043C984
        • Part of subcall function 0044EC6C: GetKeyboardLayout.USER32 ref: 0044ECB1
        • Part of subcall function 0044EC6C: 7378AC50.USER32(00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044ED06
        • Part of subcall function 0044EC6C: 7378AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044ED10
        • Part of subcall function 0044EC6C: 7378B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?), ref: 0044ED1B
        • Part of subcall function 0044FD80: LoadIconA.USER32(00400000,MAINICON), ref: 0044FE65
        • Part of subcall function 0044FD80: GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044FE97
        • Part of subcall function 0044FD80: OemToCharA.USER32 ref: 0044FEAA
        • Part of subcall function 0044FD80: CharNextA.USER32(?,?,?,00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?,00000000), ref: 0044FEF7
        • Part of subcall function 0044FD80: CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?), ref: 0044FEFD
      • GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0043CD5F
      • GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 0043CD70
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressProc$7378CharModule$AtomCurrentErrorGlobalHandleLoadMode$B380ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameNextProcessRegisterSectionThread
      • String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
      • API String ID: 3563442799-1126952177
      • Opcode ID: a5724d06eef12ffce13d83ab4328e572ade17aad75008c692159a1c69545a68e
      • Instruction ID: 22e33cdba1832a589975c952b5d4f6b00a723b00d483563835cba640efcbc7e9
      • Opcode Fuzzy Hash: a5724d06eef12ffce13d83ab4328e572ade17aad75008c692159a1c69545a68e
      • Instruction Fuzzy Hash: 714161B4A002459BC700FFB9DC82A9D77A5EB49308F41903BF405F7791EB7899008B5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E0044FD80(void* __ecx, char __edx) {
      				char _v5;
      				char* _v12;
      				char _v268;
      				void* __ebx;
      				void* __ebp;
      				intOrPtr _t44;
      				intOrPtr _t47;
      				intOrPtr _t48;
      				struct HINSTANCE__** _t58;
      				struct HICON__* _t60;
      				intOrPtr _t63;
      				struct HINSTANCE__** _t65;
      				CHAR* _t76;
      				char* _t80;
      				intOrPtr _t86;
      				intOrPtr* _t94;
      				intOrPtr* _t95;
      				intOrPtr _t96;
      				void* _t97;
      				char _t99;
      				void* _t111;
      				void* _t112;
      
      				_t99 = __edx;
      				_t97 = __ecx;
      				if(__edx != 0) {
      					_t112 = _t112 + 0xfffffff0;
      					_t44 = E00403E84(_t44, _t111);
      				}
      				_v5 = _t99;
      				_t96 = _t44;
      				E00419F20(_t97, 0);
      				_t47 =  *0x46b5f0; // 0x4563e8
      				if( *((short*)(_t47 + 2)) == 0) {
      					_t95 =  *0x46b5f0; // 0x4563e8
      					 *((intOrPtr*)(_t95 + 4)) = _t96;
      					 *_t95 = 0x451508;
      				}
      				_t48 =  *0x46b698; // 0x4563f0
      				if( *((short*)(_t48 + 2)) == 0) {
      					_t94 =  *0x46b698; // 0x4563f0
      					 *((intOrPtr*)(_t94 + 4)) = _t96;
      					 *_t94 = E00451700;
      				}
      				 *((char*)(_t96 + 0x34)) = 0;
      				 *((intOrPtr*)(_t96 + 0x90)) = E00403B34(1);
      				 *((intOrPtr*)(_t96 + 0xa8)) = E00403B34(1);
      				 *((intOrPtr*)(_t96 + 0x60)) = 0;
      				 *((intOrPtr*)(_t96 + 0x84)) = 0;
      				 *((intOrPtr*)(_t96 + 0x5c)) = 0xff000018;
      				 *((intOrPtr*)(_t96 + 0x78)) = 0x1f4;
      				 *((char*)(_t96 + 0x7c)) = 1;
      				 *((intOrPtr*)(_t96 + 0x80)) = 0;
      				 *((intOrPtr*)(_t96 + 0x74)) = 0x9c4;
      				 *((char*)(_t96 + 0x88)) = 0;
      				 *((char*)(_t96 + 0x9d)) = 1;
      				 *((char*)(_t96 + 0xb4)) = 1;
      				 *((intOrPtr*)(_t96 + 0x98)) = E00421E34(1);
      				_t58 =  *0x46b514; // 0x46c02c
      				_t60 = LoadIconA( *_t58, "MAINICON"); // executed
      				E00422204(_t57, _t60);
      				_t20 = _t96 + 0x98; // 0x736d
      				_t63 =  *_t20;
      				 *((intOrPtr*)(_t63 + 0x14)) = _t96;
      				 *((intOrPtr*)(_t63 + 0x10)) = 0x451d60;
      				_t65 =  *0x46b514; // 0x46c02c
      				GetModuleFileNameA( *_t65,  &_v268, 0x100);
      				OemToCharA( &_v268,  &_v268);
      				_v12 = E0040CBF4( &_v268, _t97, 0x5c);
      				if(_v12 != 0) {
      					E00408E50( &_v268, _v12 + 1);
      				}
      				_v12 = E0040CC3C( &_v268, _t97, 0x2e);
      				if(_v12 != 0) {
      					 *_v12 = 0;
      				}
      				_t76 = CharNextA( &_v268); // executed
      				CharLowerA(_t76);
      				_t36 = _t96 + 0x8c; // 0x448190
      				E00404B48(_t36, 0x100,  &_v268);
      				_t80 =  *0x46b414; // 0x46c034
      				if( *_t80 == 0) {
      					E0045009C(_t96, _t96, 0x100); // executed
      				}
      				 *((char*)(_t96 + 0x59)) = 1;
      				 *((char*)(_t96 + 0x5a)) = 1;
      				 *((char*)(_t96 + 0x5b)) = 1;
      				 *((char*)(_t96 + 0x9e)) = 1;
      				 *((intOrPtr*)(_t96 + 0xa0)) = 0;
      				E00451F3C(_t96, 0x100);
      				E00452924(_t96);
      				_t86 = _t96;
      				if(_v5 != 0) {
      					E00403EDC(_t86);
      					_pop( *[fs:0x0]);
      				}
      				return _t96;
      			}

      APIs
      • LoadIconA.USER32(00400000,MAINICON), ref: 0044FE65
      • GetModuleFileNameA.KERNEL32(00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044FE97
      • OemToCharA.USER32 ref: 0044FEAA
      • CharNextA.USER32(?,?,?,00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?,00000000), ref: 0044FEF7
      • CharLowerA.USER32(00000000,?,?,?,00400000,?,00000100,?,?,?,0043CD30,00000000,00000000,?,00000000,?), ref: 0044FEFD
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Char$FileIconLoadLowerModuleNameNext
      • String ID: MAINICON$l!A$cE
      • API String ID: 3256280155-3560492580
      • Opcode ID: 60a28b49c0148196ef2ad5d5d2e7ac64d23890dcddce4133ffc692e6d561a098
      • Instruction ID: 467d5a687349db4c68d62c5f1852310e0b517460a97d902e3c0629a6a8b475a9
      • Opcode Fuzzy Hash: 60a28b49c0148196ef2ad5d5d2e7ac64d23890dcddce4133ffc692e6d561a098
      • Instruction Fuzzy Hash: 12516170A042449FDB41EF79D8857C97BF4AB15308F0480BAE848DF397D7B99988CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E00401BB8() {
      				intOrPtr* _v8;
      				void* _t17;
      				signed int _t19;
      				intOrPtr _t28;
      				void* _t29;
      				intOrPtr _t34;
      
      				_push(_t34);
      				_push("�/&");
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t34;
      				_push(0x46c5c8);
      				L00401390();
      				if( *0x46c049 != 0) {
      					_push(0x46c5c8);
      					L00401398();
      				}
      				E00401434(0x46c5e8);
      				E00401434(0x46c5f8);
      				E00401434(0x46c624);
      				_t17 = LocalAlloc(0, 0xff8); // executed
      				 *0x46c620 = _t17;
      				if( *0x46c620 != 0) {
      					_t19 = 3;
      					do {
      						_t29 =  *0x46c620; // 0x6b1510
      						 *((intOrPtr*)(_t29 + _t19 * 4 - 0xc)) = 0;
      						_t19 = _t19 + 1;
      					} while (_t19 != 0x401);
      					_v8 = 0x46c608;
      					 *((intOrPtr*)(_v8 + 4)) = _v8;
      					 *_v8 = _v8;
      					 *0x46c614 = _v8;
      					 *0x46c5c0 = 1;
      				}
      				_pop(_t28);
      				 *[fs:eax] = _t28;
      				_push(E00401C87);
      				if( *0x46c049 != 0) {
      					_push(0x46c5c8);
      					L004013A0();
      					return 0;
      				}
      				return 0;
      			}

      APIs
      • RtlInitializeCriticalSection.KERNEL32(0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401BCF
      • RtlEnterCriticalSection.KERNEL32(0046C5C8,0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401BE2
      • LocalAlloc.KERNEL32(00000000,00000FF8,0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401C0C
      • RtlLeaveCriticalSection.KERNEL32(0046C5C8,00401C87,00000000,/&,?,?,?,004025DE), ref: 00401C7A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
      • String ID: $+k$4+k$D+k$/&
      • API String ID: 730355536-3664660266
      • Opcode ID: bd8248c25fbfe06e984a97a870baf69e0850e7758862fbdebd768e283c98e0b6
      • Instruction ID: 215d79b1b5e2bd03df935708a951f8be47e7010392a3a1f135e621d91f1ab82b
      • Opcode Fuzzy Hash: bd8248c25fbfe06e984a97a870baf69e0850e7758862fbdebd768e283c98e0b6
      • Instruction Fuzzy Hash: DF1193B0644240AFE715EB59C985B7977E1EB4A304F50807BE480A77F1E7BC5940CA1F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 42%
      			E0045009C(void* __eax, void* __ebx, void* __ecx) {
      				struct _WNDCLASSA _v44;
      				char _v48;
      				char* _t22;
      				long _t23;
      				CHAR* _t26;
      				struct HINSTANCE__* _t27;
      				intOrPtr* _t29;
      				signed int _t32;
      				intOrPtr* _t33;
      				signed int _t36;
      				struct HINSTANCE__* _t37;
      				void* _t39;
      				CHAR* _t40;
      				struct HWND__* _t41;
      				char* _t47;
      				char* _t52;
      				long _t55;
      				long _t59;
      				struct HINSTANCE__* _t62;
      				intOrPtr _t64;
      				void* _t69;
      				struct HMENU__* _t70;
      				void* _t71;
      				intOrPtr _t77;
      				void* _t83;
      				short _t88;
      
      				_t71 = __ecx;
      				_v48 = 0;
      				_t69 = __eax;
      				_push(_t83);
      				_push(0x45023d);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t83 + 0xffffffd4;
      				if( *((char*)(__eax + 0xa4)) != 0) {
      					L13:
      					_pop(_t77);
      					 *[fs:eax] = _t77;
      					_push(0x450244);
      					return E004048D8( &_v48);
      				}
      				_t22 =  *0x46b6d8; // 0x46c048
      				if( *_t22 != 0) {
      					goto L13;
      				}
      				_t23 = E0041AFC8(E0045061C, __eax); // executed
      				 *(_t69 + 0x40) = _t23;
      				 *0x456d7c = L00406D94;
      				_t26 =  *0x456d9c; // 0x44fd70
      				_t27 =  *0x46c664; // 0x400000
      				if(GetClassInfoA(_t27, _t26,  &_v44) == 0) {
      					_t62 =  *0x46c664; // 0x400000
      					 *0x456d88 = _t62;
      					_t88 = RegisterClassA(0x456d78);
      					if(_t88 == 0) {
      						_t64 =  *0x46b484; // 0x41b348
      						E004064A4(_t64, _t71,  &_v48);
      						E0040BE04(_v48, 1);
      						E004042EC();
      					}
      				}
      				_t29 =  *0x46b530; // 0x46c8f8
      				_t32 =  *((intOrPtr*)( *_t29))(0) >> 1;
      				if(_t88 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_t33 =  *0x46b530; // 0x46c8f8
      				_t36 =  *((intOrPtr*)( *_t33))(1, _t32) >> 1;
      				if(_t88 < 0) {
      					asm("adc eax, 0x0");
      				}
      				_push(_t36);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_t37 =  *0x46c664; // 0x400000
      				_push(_t37);
      				_push(0);
      				_t7 = _t69 + 0x8c; // 0x2e500044
      				_t39 = E00404D98( *_t7);
      				_t40 =  *0x456d9c; // 0x44fd70, executed
      				_t41 = E004072FC(_t40, _t39); // executed
      				 *(_t69 + 0x30) = _t41;
      				_t9 = _t69 + 0x8c; // 0x448190
      				E004048D8(_t9);
      				 *((char*)(_t69 + 0xa4)) = 1;
      				_t11 = _t69 + 0x40; // 0x10940000
      				_t12 = _t69 + 0x30; // 0xe
      				SetWindowLongA( *_t12, 0xfffffffc,  *_t11);
      				_t47 =  *0x46b5a8; // 0x46caa8
      				if( *_t47 != 0) {
      					_t55 = E00450D1C(_t69);
      					_t13 = _t69 + 0x30; // 0xe
      					SendMessageA( *_t13, 0x80, 1, _t55); // executed
      					_t59 = E00450D1C(_t69);
      					_t14 = _t69 + 0x30; // 0xe
      					SetClassLongA( *_t14, 0xfffffff2, _t59); // executed
      				}
      				_t15 = _t69 + 0x30; // 0xe
      				_t70 = GetSystemMenu( *_t15, "true");
      				DeleteMenu(_t70, 0xf030, 0);
      				DeleteMenu(_t70, 0xf000, 0);
      				_t52 =  *0x46b5a8; // 0x46caa8
      				if( *_t52 != 0) {
      					DeleteMenu(_t70, 0xf010, 0);
      				}
      				goto L13;
      			}






























      APIs
        • Part of subcall function 0041AFC8: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041AFEF
      • GetClassInfoA.USER32 ref: 004500FB
      • RegisterClassA.USER32 ref: 00450113
        • Part of subcall function 004064A4: LoadStringA.USER32 ref: 004064D6
      • SetWindowLongA.USER32 ref: 004501AF
      • SendMessageA.USER32 ref: 004501D1
      • SetClassLongA.USER32(0000000E,000000F2,00000000,0000000E,00000080,00000001,00000000,0000000E,000000FC,10940000,00448104), ref: 004501E4
      • GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10940000,00448104), ref: 004501EF
      • DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00448104), ref: 004501FE
      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00448104), ref: 0045020B
      • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10940000,00448104), ref: 00450222
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
      • String ID:
      • API String ID: 2103932818-0
      • Opcode ID: ca705ed24e038b242153b52058669d03b0142de197e7797979bdd1164405fb4c
      • Instruction ID: a13ba3dbecd9c586b293b469b1b7f34efc0b38228e5542dc11f67403c6e5f57f
      • Opcode Fuzzy Hash: ca705ed24e038b242153b52058669d03b0142de197e7797979bdd1164405fb4c
      • Instruction Fuzzy Hash: B9414E74700344AFE710EBA9DC82F6A37A8AB05704F554476FE40EB2D3DAB9AC44876D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E00434DD0(intOrPtr* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
      				char _v68;
      				struct _WNDCLASSA _v108;
      				intOrPtr _v116;
      				signed char _v137;
      				void* _v144;
      				struct _WNDCLASSA _v184;
      				char _v188;
      				char _v192;
      				char _v196;
      				int _t52;
      				void* _t53;
      				intOrPtr _t86;
      				intOrPtr _t104;
      				intOrPtr _t108;
      				void* _t109;
      				intOrPtr* _t111;
      				void* _t115;
      
      				_t109 = __edi;
      				_t94 = __ebx;
      				_push(__ebx);
      				_v196 = 0;
      				_t111 = __eax;
      				_push(_t115);
      				_push(0x434f91);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t115 + 0xffffff40;
      				_t95 =  *__eax;
      				 *((intOrPtr*)( *__eax + 0x98))();
      				if(_v116 != 0 || (_v137 & 0x00000040) == 0) {
      					L7:
      					 *((intOrPtr*)(_t111 + 0x174)) = _v108.lpfnWndProc;
      					_t52 = GetClassInfoA(_v108.hInstance,  &_v68,  &_v184);
      					asm("sbb eax, eax");
      					_t53 = _t52 + 1;
      					if(_t53 == 0 || E0042E3A0 != _v184.lpfnWndProc) {
      						if(_t53 != 0) {
      							UnregisterClassA( &_v68, _v108.hInstance);
      						}
      						_v108.lpfnWndProc = E0042E3A0;
      						_v108.lpszClassName =  &_v68;
      						if(RegisterClassA( &_v108) == 0) {
      							E0040D268(_t94, _t95, _t109, _t111);
      						}
      					}
      					 *0x456a48 = _t111;
      					_t96 =  *_t111; // executed
      					 *((intOrPtr*)( *_t111 + 0x9c))();
      					if( *(_t111 + 0x180) == 0) {
      						E0040D268(_t94, _t96, _t109, _t111);
      					}
      					if((GetWindowLongA( *(_t111 + 0x180), 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA( *(_t111 + 0x180), 0xfffffff4) == 0) {
      						SetWindowLongA( *(_t111 + 0x180), 0xfffffff4,  *(_t111 + 0x180));
      					}
      					E0040908C( *((intOrPtr*)(_t111 + 0x64)));
      					 *((intOrPtr*)(_t111 + 0x64)) = 0;
      					E00438128(_t111);
      					E004327D0(_t111, E0041CFF0( *((intOrPtr*)(_t111 + 0x68)), _t94, _t96), 0x30, 1); // executed
      					_t130 =  *((char*)(_t111 + 0x5c));
      					if( *((char*)(_t111 + 0x5c)) != 0) {
      						E00403D6C(_t111, _t130);
      					}
      					_pop(_t104);
      					 *[fs:eax] = _t104;
      					_push(0x434f98);
      					return E004048D8( &_v196);
      				} else {
      					_t94 =  *((intOrPtr*)(__eax + 4));
      					if(_t94 == 0 || ( *(_t94 + 0x1c) & 0x00000002) == 0) {
      						L6:
      						_v192 =  *((intOrPtr*)(_t111 + 8));
      						_v188 = 0xb;
      						_t86 =  *0x46b6b4; // 0x41b358
      						E004064A4(_t86, _t95,  &_v196);
      						_t95 = _v196;
      						E0040BE40(_t94, _v196, 1, _t109, _t111, 0,  &_v192);
      						E004042EC();
      					} else {
      						_t108 =  *0x42d6a8; // 0x42d6f4
      						if(E00403CFC(_t94, _t108) == 0) {
      							goto L6;
      						}
      						_v116 = E00437E18(_t94);
      					}
      					goto L7;
      				}
      			}





















      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ClassLongWindow$InfoRegisterUnregister
      • String ID: @
      • API String ID: 717780171-2766056989
      • Opcode ID: f580364b1921ff9cb395a8277326e39587a3b56640cd9dca45cbdb95ec58930d
      • Instruction ID: 0f30ed3dfda7c21a546398a1bb6392f86d390e4a2f6efb3ecfbc9dc10527ed8f
      • Opcode Fuzzy Hash: f580364b1921ff9cb395a8277326e39587a3b56640cd9dca45cbdb95ec58930d
      • Instruction Fuzzy Hash: F85182716003149BDB20DBA9CC41BDAB7F9BF48304F1445AAF849E7392DB38AD45CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0044A17C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _v8;
      				int _t100;
      				int _t102;
      				intOrPtr _t119;
      				int _t124;
      				intOrPtr _t157;
      				signed char _t165;
      				signed char _t166;
      				void* _t168;
      				signed char _t183;
      				intOrPtr _t185;
      				intOrPtr _t197;
      				void* _t200;
      				void* _t202;
      				int _t203;
      				intOrPtr _t207;
      				signed char _t210;
      
      				_t200 = __edi;
      				_t206 = _t207;
      				_t202 = __edx;
      				_v8 = __eax;
      				E004346A8(_v8);
      				_push(_t207);
      				_push(0x44a3e4);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t207;
      				 *(_v8 + 0x268) = 0;
      				 *(_v8 + 0x26c) = 0;
      				 *(_v8 + 0x270) = 0;
      				_t168 = 0;
      				if(E00403AF0( *_v8) ==  *0x447010) {
      					_t165 =  *0x46c661; // 0x0
      					_t166 = _t165 ^ 0x00000001;
      					_t210 = _t166;
      					 *(_v8 + 0x234) = _t166;
      				}
      				E00433E04(_v8, _t168, _t202, _t210); // executed
      				if( *(_v8 + 0x25c) == 0 ||  *(_v8 + 0x270) <= 0) {
      					L14:
      					_t100 =  *(_v8 + 0x268);
      					_t219 = _t100;
      					if(_t100 > 0) {
      						E00431038(_v8, _t100, _t219);
      					}
      					_t102 =  *(_v8 + 0x26c);
      					_t220 = _t102;
      					if(_t102 > 0) {
      						E0043107C(_v8, _t102, _t220);
      					}
      					_t183 =  *0x44a3f0; // 0x0
      					 *(_v8 + 0x98) = _t183;
      					_t221 = _t168;
      					if(_t168 == 0) {
      						E004497DC(_v8, 1, 1);
      						E004378DC(_v8, 1, 1, _t221);
      					}
      					E004327D0(_v8, 0, 0xb03d, 0);
      					_pop(_t185);
      					 *[fs:eax] = _t185;
      					_push(0x44a3eb);
      					return E004346B0(_v8);
      				} else {
      					if(( *(_v8 + 0x98) & 0x00000010) != 0) {
      						_t197 =  *0x46cb48; // 0x2130e74
      						_t23 = _t197 + 0x40; // 0x60
      						if( *(_v8 + 0x25c) !=  *_t23) {
      							_t157 =  *0x46cb48; // 0x2130e74
      							_t26 = _t157 + 0x40; // 0x60
      							E0041D1C4( *((intOrPtr*)(_v8 + 0x68)), MulDiv(E0041D1BC( *((intOrPtr*)(_v8 + 0x68))),  *_t26,  *(_v8 + 0x25c)), _t200, _t206);
      						}
      					}
      					_t119 =  *0x46cb48; // 0x2130e74
      					_t29 = _t119 + 0x40; // 0x60
      					 *(_v8 + 0x25c) =  *_t29;
      					_t203 = E0044A514(_v8);
      					_t124 =  *(_v8 + 0x270);
      					_t215 = _t203 - _t124;
      					if(_t203 != _t124) {
      						_t168 = 1;
      						E004497DC(_v8, _t124, _t203);
      						E004378DC(_v8,  *(_v8 + 0x270), _t203, _t215);
      						if(( *(_v8 + 0x98) & 0x00000004) != 0) {
      							 *(_v8 + 0x268) = MulDiv( *(_v8 + 0x268), _t203,  *(_v8 + 0x270));
      						}
      						if(( *(_v8 + 0x98) & 0x00000008) != 0) {
      							 *(_v8 + 0x26c) = MulDiv( *(_v8 + 0x26c), _t203,  *(_v8 + 0x270));
      						}
      						if(( *(_v8 + 0x98) & 0x00000020) != 0) {
      							 *(_v8 + 0x1fa) = MulDiv( *(_v8 + 0x1fa), _t203,  *(_v8 + 0x270));
      							 *(_v8 + 0x1fe) = MulDiv( *(_v8 + 0x1fe), _t203,  *(_v8 + 0x270));
      						}
      					}
      					goto L14;
      				}
      			}





















      APIs
      • MulDiv.KERNEL32(00000000,00000060,00000000), ref: 0044A24D
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A2C9
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A2F8
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A327
      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A34A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID: \pD
      • API String ID: 0-3295277753
      • Opcode ID: 22f0924acac9bb01b1c3a82b196b8539e45a2140cf97a0b69f177532400f132d
      • Instruction ID: d113d601023af0747b5e0630e55ed3fa38d7b3f8a3bbcc9dc9b4f736382401a7
      • Opcode Fuzzy Hash: 22f0924acac9bb01b1c3a82b196b8539e45a2140cf97a0b69f177532400f132d
      • Instruction Fuzzy Hash: 4871F534A04148EFDB00DFA9C589AADB7F5AF49304F2941F6E808EB362D775AE41DB44
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0044EC6C(char __edx, void* __edi) {
      				char _v5;
      				void* __ebx;
      				void* __ecx;
      				void* __ebp;
      				intOrPtr _t25;
      				intOrPtr* _t28;
      				intOrPtr* _t29;
      				intOrPtr _t42;
      				intOrPtr* _t45;
      				intOrPtr _t56;
      				intOrPtr _t57;
      				intOrPtr _t58;
      				intOrPtr _t59;
      				intOrPtr _t62;
      				void* _t63;
      				char _t64;
      				void* _t74;
      				intOrPtr _t75;
      				void* _t76;
      				void* _t77;
      
      				_t74 = __edi;
      				_t64 = __edx;
      				if(__edx != 0) {
      					_t77 = _t77 + 0xfffffff0;
      					_t25 = E00403E84(_t25, _t76);
      				}
      				_v5 = _t64;
      				_t62 = _t25;
      				E00419F20(_t63, 0);
      				_t28 =  *0x46b4b4; // 0x4563d8
      				 *((intOrPtr*)(_t28 + 4)) = _t62;
      				 *_t28 = 0x44f010;
      				_t29 =  *0x46b4c0; // 0x4563e0
      				 *((intOrPtr*)(_t29 + 4)) = _t62;
      				 *_t29 = 0x44f01c;
      				E0044F028(_t62);
      				 *((intOrPtr*)(_t62 + 0x3c)) = GetKeyboardLayout(0);
      				 *((intOrPtr*)(_t62 + 0x4c)) = E00403B34(1);
      				 *((intOrPtr*)(_t62 + 0x50)) = E00403B34(1);
      				 *((intOrPtr*)(_t62 + 0x54)) = E00403B34(1);
      				 *((intOrPtr*)(_t62 + 0x58)) = E00403B34(1);
      				_t42 = E00403B34(1);
      				 *((intOrPtr*)(_t62 + 0x7c)) = _t42;
      				L00406E84();
      				_t75 = _t42;
      				L00406C1C();
      				 *((intOrPtr*)(_t62 + 0x40)) = _t42;
      				L004070C4();
      				_t11 = _t62 + 0x58; // 0x44802c6e
      				_t45 =  *0x46b604; // 0x46c914
      				 *((intOrPtr*)( *_t45))(0, 0, E0044B440,  *_t11, 0, _t75, _t75, 0x5a, 0);
      				 *((intOrPtr*)(_t62 + 0x84)) = E0041CE08(1);
      				 *((intOrPtr*)(_t62 + 0x88)) = E0041CE08(1);
      				 *((intOrPtr*)(_t62 + 0x80)) = E0041CE08(1);
      				E0044F478(_t62, _t62, _t63, _t74);
      				_t15 = _t62 + 0x84; // 0x38004010
      				_t56 =  *_t15;
      				 *((intOrPtr*)(_t56 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t56 + 8)) = 0x44f340;
      				_t18 = _t62 + 0x88; // 0x90000000
      				_t57 =  *_t18;
      				 *((intOrPtr*)(_t57 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t57 + 8)) = 0x44f340;
      				_t21 = _t62 + 0x80; // 0x94000000
      				_t58 =  *_t21;
      				 *((intOrPtr*)(_t58 + 0xc)) = _t62;
      				 *((intOrPtr*)(_t58 + 8)) = 0x44f340;
      				_t59 = _t62;
      				if(_v5 != 0) {
      					E00403EDC(_t59);
      					_pop( *[fs:0x0]);
      				}
      				return _t62;
      			}
























      APIs
      • GetKeyboardLayout.USER32 ref: 0044ECB1
      • 7378AC50.USER32(00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044ED06
      • 7378AD70.GDI32(00000000,0000005A,00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?,00000000,0043CD98), ref: 0044ED10
      • 7378B380.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,?,?,00000000,?,0043CD1A,00000000,00000000,?,00000000,?), ref: 0044ED1B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$B380KeyboardLayout
      • String ID: l!A$cE
      • API String ID: 1139801820-2109133761
      • Opcode ID: 7614a45413a10bfbf91ccd8836c90e0019749ebdaa31f8dae66e8b98eaa76eb5
      • Instruction ID: 408abe7ffb55a5509223f8c70d9ab4b52f778e7ec3ea536793545735162138d5
      • Opcode Fuzzy Hash: 7614a45413a10bfbf91ccd8836c90e0019749ebdaa31f8dae66e8b98eaa76eb5
      • Instruction Fuzzy Hash: 4D31FC716112409FD740DF2AD8C1B857BE5FB14318F44817AE908DF363D7799848CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0044F478(void* __eax, void* __ebx, void* __ecx, void* __edi) {
      				char _v5;
      				struct tagLOGFONTA _v65;
      				struct tagLOGFONTA _v185;
      				struct tagLOGFONTA _v245;
      				void _v405;
      				void* _t23;
      				int _t27;
      				void* _t30;
      				intOrPtr _t38;
      				struct HFONT__* _t41;
      				struct HFONT__* _t45;
      				struct HFONT__* _t49;
      				intOrPtr _t52;
      				intOrPtr _t54;
      				void* _t57;
      				void* _t72;
      				void* _t74;
      				void* _t75;
      				intOrPtr _t76;
      
      				_t72 = __edi;
      				_t74 = _t75;
      				_t76 = _t75 + 0xfffffe6c;
      				_t57 = __eax;
      				_v5 = 0;
      				if( *0x46cb44 != 0) {
      					_t54 =  *0x46cb44; // 0x2131268
      					_t2 = _t54 + 0x88; // 0x1
      					_v5 =  *_t2;
      				}
      				_push(_t74);
      				_push(0x44f5bd);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t76;
      				if( *0x46cb44 != 0) {
      					_t52 =  *0x46cb44; // 0x2131268
      					E00451AD8(_t52, 0);
      				}
      				if(SystemParametersInfoA(0x1f, 0x3c,  &_v65, 0) == 0) {
      					_t23 = GetStockObject(0xd);
      					_t7 = _t57 + 0x84; // 0x38004010
      					E0041D198( *_t7, _t23, _t72);
      				} else {
      					_t49 = CreateFontIndirectA( &_v65); // executed
      					_t6 = _t57 + 0x84; // 0x38004010
      					E0041D198( *_t6, _t49, _t72);
      				}
      				_v405 = 0x154;
      				_t27 = SystemParametersInfoA(0x29, 0,  &_v405, 0); // executed
      				if(_t27 == 0) {
      					_t14 = _t57 + 0x80; // 0x94000000
      					E0041D27C( *_t14, 8);
      					_t30 = GetStockObject(0xd);
      					_t15 = _t57 + 0x88; // 0x90000000
      					E0041D198( *_t15, _t30, _t72);
      				} else {
      					_t41 = CreateFontIndirectA( &_v185);
      					_t11 = _t57 + 0x80; // 0x94000000
      					E0041D198( *_t11, _t41, _t72);
      					_t45 = CreateFontIndirectA( &_v245);
      					_t13 = _t57 + 0x88; // 0x90000000
      					E0041D198( *_t13, _t45, _t72);
      				}
      				_t16 = _t57 + 0x80; // 0x94000000
      				E0041CFDC( *_t16, 0xff000017);
      				_t17 = _t57 + 0x88; // 0x90000000
      				E0041CFDC( *_t17, 0xff000007);
      				 *[fs:eax] = 0xff000007;
      				_push(0x44f5c4);
      				if( *0x46cb44 != 0) {
      					_t38 =  *0x46cb44; // 0x2131268
      					return E00451AD8(_t38, _v5);
      				}
      				return 0;
      			}























      APIs
      • SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0044F4CC
      • CreateFontIndirectA.GDI32(?), ref: 0044F4D9
      • GetStockObject.GDI32(0000000D), ref: 0044F4EF
        • Part of subcall function 0041D27C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041D289
      • SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 0044F518
      • CreateFontIndirectA.GDI32(?), ref: 0044F528
      • CreateFontIndirectA.GDI32(?), ref: 0044F541
      • GetStockObject.GDI32(0000000D), ref: 0044F567
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CreateFontIndirect$InfoObjectParametersStockSystem
      • String ID:
      • API String ID: 2891467149-0
      • Opcode ID: 011b2dcb70f6063b8b400af6f2dba3e3c00720fc1942f6260c6c3b0b10186cff
      • Instruction ID: 44b38f52dd93d551089aa60b30aca79c493095d189f298a98a9193f86407e55c
      • Opcode Fuzzy Hash: 011b2dcb70f6063b8b400af6f2dba3e3c00720fc1942f6260c6c3b0b10186cff
      • Instruction Fuzzy Hash: 0231A870604244ABEB50EF69DC82B9A73E4AB44304F448076FD48DB39BDE7C9849CB29
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0042E3A0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				char _v8;
      				void* _t20;
      				void* _t21;
      				void* _t27;
      				void* _t31;
      				void* _t35;
      				intOrPtr* _t43;
      
      				_t43 =  &_v8;
      				_t20 =  *0x456a48; // 0x0
      				 *((intOrPtr*)(_t20 + 0x180)) = _a4;
      				_t21 =  *0x456a48; // 0x0
      				SetWindowLongA(_a4, 0xfffffffc,  *(_t21 + 0x18c));
      				if((GetWindowLongA(_a4, 0xfffffff0) & 0x40000000) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0) {
      					SetWindowLongA(_a4, 0xfffffff4, _a4);
      				}
      				_t27 =  *0x456a48; // 0x0
      				SetPropA(_a4,  *0x46cab2 & 0x0000ffff, _t27);
      				_t31 =  *0x456a48; // 0x0
      				SetPropA(_a4,  *0x46cab0 & 0x0000ffff, _t31);
      				_t35 =  *0x456a48; // 0x0
      				 *0x456a48 = 0; // executed
      				_v8 =  *((intOrPtr*)(_t35 + 0x18c))(_a4, _a8, _a12, _a16);
      				return  *_t43;
      			}











      APIs
      • SetWindowLongA.USER32 ref: 0042E3C8
      • GetWindowLongA.USER32 ref: 0042E3D3
      • GetWindowLongA.USER32 ref: 0042E3E5
      • SetWindowLongA.USER32 ref: 0042E3F8
      • SetPropA.USER32(?,00000000,00000000), ref: 0042E40F
      • SetPropA.USER32(?,00000000,00000000), ref: 0042E426
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: LongWindow$Prop
      • String ID:
      • API String ID: 3887896539-0
      • Opcode ID: 02d575659c5cd47a0c1f1ff47995633db7a8a787c32cad12c112550050e87323
      • Instruction ID: 144e0cbb75623645672799733184380210d0eb73bf9090bb6880c63418955788
      • Opcode Fuzzy Hash: 02d575659c5cd47a0c1f1ff47995633db7a8a787c32cad12c112550050e87323
      • Instruction Fuzzy Hash: 2D111F75504218BFCB40DF99EC84E9A37A8EB09365F508226FD54DB7E2D734ED408B64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0041E91C(struct HDC__* __eax, signed int __ecx) {
      				char _v1036;
      				signed int _v1038;
      				struct tagRGBQUAD _v1048;
      				short _v1066;
      				short* _t15;
      				void* _t18;
      				struct HDC__* _t23;
      				void* _t26;
      				short* _t31;
      				short* _t32;
      
      				_t31 = 0;
      				 *_t32 = 0x300;
      				if(__eax == 0) {
      					_v1038 = __ecx;
      					E00402C94(_t26, __ecx << 2,  &_v1036);
      				} else {
      					_push(0);
      					L00406B8C();
      					_t23 = __eax;
      					_t18 = SelectObject(__eax, __eax);
      					_v1066 = GetDIBColorTable(_t23, 0, 0x100,  &_v1048);
      					SelectObject(_t23, _t18);
      					DeleteDC(_t23);
      				}
      				if(_v1038 != 0) {
      					if(_v1038 != 0x10 || E0041E884(_t32) == 0) {
      						E0041E714( &_v1036, _v1038 & 0x0000ffff); // executed
      					}
      					_t15 = _t32;
      					_push(_t15);
      					L00406BB4();
      					_t31 = _t15;
      				}
      				return _t31;
      			}













      APIs
      • 7378A590.GDI32(00000000,00000000,?,?,00420E27,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 0041E935
      • SelectObject.GDI32(00000000,00000000), ref: 0041E93E
      • GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,00420E27,?,?,?,?,0041FA0B), ref: 0041E952
      • SelectObject.GDI32(00000000,00000000), ref: 0041E95E
      • DeleteDC.GDI32(00000000), ref: 0041E964
      • 7378A8F0.GDI32(?,00000000,?,?,00420E27,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 0041E9AA
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378ObjectSelect$A590ColorDeleteTable
      • String ID:
      • API String ID: 747582061-0
      • Opcode ID: 8def90540f5a92601e594009f4164960741d0a05b26ec05961580f83a8382c4b
      • Instruction ID: 41d42b2f50baa28e040e74ac9070fb08e8ba35f92a5221382247bca4e4c4f0e6
      • Opcode Fuzzy Hash: 8def90540f5a92601e594009f4164960741d0a05b26ec05961580f83a8382c4b
      • Instruction Fuzzy Hash: DC0196B511831065E614B76B8C47E9B72F88FC0758F05C82FB9C9972C2E67D8844836F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0045031C(void* __eax, void* __ecx, char __edx) {
      				char _v12;
      				struct HWND__* _v20;
      				int _t17;
      				void* _t27;
      				void* _t28;
      				struct HWND__* _t33;
      				void* _t35;
      				void* _t36;
      				long _t37;
      
      				_t28 = __ecx;
      				_t37 = _t36 + 0xfffffff8;
      				_t27 = __eax;
      				_t17 =  *0x46cb44; // 0x2131268
      				if( *((intOrPtr*)(_t17 + 0x30)) != 0) {
      					if( *((intOrPtr*)(__eax + 0x94)) == 0) {
      						 *_t37 =  *((intOrPtr*)(__eax + 0x30));
      						_v12 = __edx;
      						EnumWindows(E004502AC, _t37); // executed
      						_t17 =  *(_t27 + 0x90);
      						if( *((intOrPtr*)(_t17 + 8)) != 0) {
      							_t33 = GetWindow(_v20, 3);
      							_v20 = _t33;
      							if((GetWindowLongA(_t33, 0xffffffec) & 0x00000008) != 0) {
      								_v20 = 0xfffffffe;
      							}
      							_t17 =  *(_t27 + 0x90);
      							_t35 =  *((intOrPtr*)(_t17 + 8)) - 1;
      							if(_t35 >= 0) {
      								do {
      									_t17 = SetWindowPos(E0041449C( *(_t27 + 0x90), _t28, _t35), _v20, 0, 0, 0, 0, 0x213);
      									_t35 = _t35 - 1;
      								} while (_t35 != 0xffffffff);
      							}
      						}
      					}
      					 *((intOrPtr*)(_t27 + 0x94)) =  *((intOrPtr*)(_t27 + 0x94)) + 1;
      				}
      				return _t17;
      			}












      APIs
      • EnumWindows.USER32(004502AC), ref: 00450351
      • GetWindow.USER32(00000003,00000003), ref: 00450369
      • GetWindowLongA.USER32 ref: 00450376
      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000213,00000000,000000EC), ref: 004503B5
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$EnumLongWindows
      • String ID: x\E
      • API String ID: 4191631535-3038463933
      • Opcode ID: 43547ffcebd8d63edbc9300526f5d970673ad06eeaa2ccf206f7867d64c01cd4
      • Instruction ID: a877819b7cd915c683845aaf9f84be88ce9895f583891c7d17a2ad8402c3df06
      • Opcode Fuzzy Hash: 43547ffcebd8d63edbc9300526f5d970673ad06eeaa2ccf206f7867d64c01cd4
      • Instruction Fuzzy Hash: BE114C34605210AFDB10AB28DC85F9672E4AB05725F1501BAFD98AB2D7C3789C44CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00427C5C(intOrPtr* __eax, void* __ebx, signed int __ecx, struct tagRECT* __edx, void* __edi, void* __esi) {
      				char _v8;
      				int _t40;
      				CHAR* _t42;
      				int _t54;
      				CHAR* _t56;
      				int _t65;
      				CHAR* _t67;
      				intOrPtr* _t76;
      				intOrPtr _t86;
      				struct tagRECT* _t91;
      				signed int _t93;
      				int _t94;
      				intOrPtr _t97;
      				signed int _t104;
      
      				_push(0);
      				_t93 = __ecx;
      				_t91 = __edx;
      				_t76 = __eax;
      				_push(_t97);
      				_push(0x427db2);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t97;
      				 *((intOrPtr*)( *__eax + 0x90))();
      				if((__ecx & 0x00000400) != 0 && (_v8 == 0 ||  *((char*)(__eax + 0x170)) != 0 &&  *_v8 == 0x26 &&  *((char*)(_v8 + 1)) == 0)) {
      					E00404BA0( &_v8, 0x427dc8);
      				}
      				if( *((char*)(_t76 + 0x170)) == 0) {
      					_t104 = _t93;
      				}
      				_t94 = E00433904(_t76, _t93, _t104);
      				E0041DD54( *((intOrPtr*)(_t76 + 0x160)));
      				if( *((intOrPtr*)( *_t76 + 0x50))() != 0) {
      					_t40 = E00404B98(_v8);
      					_t42 = E00404D98(_v8);
      					DrawTextA(E0041DE34( *((intOrPtr*)(_t76 + 0x160))), _t42, _t40, _t91, _t94); // executed
      				} else {
      					OffsetRect(_t91, 1, 1);
      					E0041CFDC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000014);
      					_t54 = E00404B98(_v8);
      					_t56 = E00404D98(_v8);
      					DrawTextA(E0041DE34( *((intOrPtr*)(_t76 + 0x160))), _t56, _t54, _t91, _t94);
      					OffsetRect(_t91, 0xffffffff, 0xffffffff);
      					E0041CFDC( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x160)) + 0xc)), 0xff000010);
      					_t65 = E00404B98(_v8);
      					_t67 = E00404D98(_v8);
      					DrawTextA(E0041DE34( *((intOrPtr*)(_t76 + 0x160))), _t67, _t65, _t91, _t94);
      				}
      				_pop(_t86);
      				 *[fs:eax] = _t86;
      				_push(0x427db9);
      				return E004048D8( &_v8);
      			}

















      APIs
      • OffsetRect.USER32(?,00000001,00000001), ref: 00427CF6
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00427D2E
      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00427D38
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00427D70
      • DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 00427D97
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: DrawText$OffsetRect
      • String ID:
      • API String ID: 1886049697-0
      • Opcode ID: ac0ead2e6b746d96570d77db4289e27e00631919dd764fa95bbcadfe07040c5d
      • Instruction ID: 2217990fd3bd6e39e2a07b69bc38f1da70ce7eb7ab93f44a83f945136efded15
      • Opcode Fuzzy Hash: ac0ead2e6b746d96570d77db4289e27e00631919dd764fa95bbcadfe07040c5d
      • Instruction Fuzzy Hash: 29316070A04214AFDB11FB6ACC85F9B77A9AF45314F5540BAF808EB396CB789D009628
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E004511CC(void* __eax, char* __ecx, struct tagMSG* __edx) {
      				int _t7;
      				int _t21;
      				MSG* _t30;
      				void* _t31;
      				char* _t32;
      
      				_t22 = __ecx;
      				_push(__ecx);
      				_t30 = __edx;
      				_t31 = __eax;
      				_t21 = 0;
      				_t7 = PeekMessageA(__edx, 0, 0, 0, 1); // executed
      				if(_t7 != 0) {
      					_t21 = 1;
      					if(_t30->message == 0x12) {
      						 *((char*)(_t31 + 0x9c)) = 1;
      					} else {
      						 *_t32 = 0;
      						if( *((short*)(_t31 + 0xda)) != 0) {
      							_t22 = _t32;
      							 *((intOrPtr*)(_t31 + 0xd8))();
      						}
      						if(E0045112C(_t31, _t30) == 0 &&  *_t32 == 0 && E00451024(_t31, _t30) == 0 && E00451074(_t31, _t22, _t30) == 0 && E00451000(_t31, _t30) == 0) {
      							TranslateMessage(_t30);
      							DispatchMessageA(_t30); // executed
      						}
      					}
      				}
      				return _t21;
      			}








      APIs
      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004511DF
      • TranslateMessage.USER32 ref: 00451249
      • DispatchMessageA.USER32 ref: 0045124F
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Message$DispatchPeekTranslate
      • String ID: x\E
      • API String ID: 4217535847-3038463933
      • Opcode ID: 9e1b0b814d211e30030fd081af93c860e6ba766eccc4570a925988c34df58f0a
      • Instruction ID: 762c45ef317ad565d91cbd16a54ce3288fa1d916d9fb494fb61620b1dc59d496
      • Opcode Fuzzy Hash: 9e1b0b814d211e30030fd081af93c860e6ba766eccc4570a925988c34df58f0a
      • Instruction Fuzzy Hash: F601FE2070420456FA30266A4C4176B97854FD374AF15409FFD6AFB3E3C66C5C4E826E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0044B6E4(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				void* _t41;
      				void* _t54;
      				void* _t61;
      				struct HMENU__* _t64;
      				struct HMENU__* _t70;
      				intOrPtr _t77;
      				void* _t79;
      				intOrPtr _t81;
      				intOrPtr _t83;
      				intOrPtr _t87;
      				void* _t92;
      				intOrPtr _t97;
      				void* _t110;
      				intOrPtr _t112;
      				void* _t115;
      
      				_t93 = 0;
      				_v20 = 0;
      				_t112 = __edx;
      				_t92 = __eax;
      				_push(_t115);
      				_push(0x44b8aa);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t115 + 0xfffffff0;
      				if(__edx == 0) {
      					L7:
      					_t39 =  *((intOrPtr*)(_t92 + 0x248));
      					if( *((intOrPtr*)(_t92 + 0x248)) != 0) {
      						E004451B8(_t39, 0, 0);
      					}
      					if(( *(_t92 + 0x1c) & 0x00000008) != 0 || _t112 != 0 && ( *(_t112 + 0x1c) & 0x00000008) != 0) {
      						_t112 = 0;
      					}
      					 *((intOrPtr*)(_t92 + 0x248)) = _t112;
      					if(_t112 != 0) {
      						E00419FF0(_t112, _t92);
      					}
      					if(_t112 == 0 || ( *(_t92 + 0x1c) & 0x00000010) == 0 &&  *((char*)(_t92 + 0x229)) == 3) {
      						_t41 = E0043811C(_t92);
      						__eflags = _t41;
      						if(_t41 != 0) {
      							SetMenu(E00437E18(_t92), 0); // executed
      						}
      						goto L30;
      					} else {
      						if( *((char*)( *((intOrPtr*)(_t92 + 0x248)) + 0x5c)) != 0 ||  *((char*)(_t92 + 0x22f)) == 1) {
      							if(( *(_t92 + 0x1c) & 0x00000010) == 0) {
      								__eflags =  *((char*)(_t92 + 0x22f)) - 1;
      								if( *((char*)(_t92 + 0x22f)) != 1) {
      									_t54 = E0043811C(_t92);
      									__eflags = _t54;
      									if(_t54 != 0) {
      										SetMenu(E00437E18(_t92), 0);
      									}
      								}
      								goto L30;
      							}
      							goto L21;
      						} else {
      							L21:
      							if(E0043811C(_t92) != 0) {
      								_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
      								_t64 = GetMenu(E00437E18(_t92));
      								_t137 = _t61 - _t64;
      								if(_t61 != _t64) {
      									_t70 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t92 + 0x248)))) + 0x34))();
      									SetMenu(E00437E18(_t92), _t70);
      								}
      								E004451B8(_t112, E00437E18(_t92), _t137);
      							}
      							L30:
      							if( *((char*)(_t92 + 0x22e)) != 0) {
      								E0044C7B0(_t92, 1);
      							}
      							E0044B61C(_t92);
      							_pop(_t97);
      							 *[fs:eax] = _t97;
      							_push(0x44b8b1);
      							return E004048D8( &_v20);
      						}
      					}
      				}
      				_t77 =  *0x46cb48; // 0x2130e74
      				_t79 = E0044EF18(_t77) - 1;
      				if(_t79 >= 0) {
      					_v8 = _t79 + 1;
      					_t110 = 0;
      					do {
      						_t81 =  *0x46cb48; // 0x2130e74
      						if(_t112 ==  *((intOrPtr*)(E0044EF04(_t81, _t110) + 0x248))) {
      							_t83 =  *0x46cb48; // 0x2130e74
      							if(_t92 != E0044EF04(_t83, _t110)) {
      								_v16 =  *((intOrPtr*)(_t112 + 8));
      								_v12 = 0xb;
      								_t87 =  *0x46b4d4; // 0x41b518
      								E004064A4(_t87, _t93,  &_v20);
      								_t93 = _v20;
      								E0040BE40(_t92, _v20, 1, _t110, _t112, 0,  &_v16);
      								E004042EC();
      							}
      						}
      						_t110 = _t110 + 1;
      						_t10 =  &_v8;
      						 *_t10 = _v8 - 1;
      					} while ( *_t10 != 0);
      				}
      			}






















      APIs
      • GetMenu.USER32(00000000), ref: 0044B808
      • SetMenu.USER32(00000000,00000000), ref: 0044B825
      • SetMenu.USER32(00000000,00000000), ref: 0044B85A
      • SetMenu.USER32(00000000,00000000,00000000,0044B8AA), ref: 0044B876
        • Part of subcall function 004064A4: LoadStringA.USER32 ref: 004064D6
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$LoadString
      • String ID:
      • API String ID: 3688185913-0
      • Opcode ID: 43511ccf0f16fea2a515d02fca31378f89571f5b9ae5a01d953289f8585f05e3
      • Instruction ID: 3874f5dcc42cb128502dba8179fee0f80a25548de892f5bb8838a2a8fdfab10a
      • Opcode Fuzzy Hash: 43511ccf0f16fea2a515d02fca31378f89571f5b9ae5a01d953289f8585f05e3
      • Instruction Fuzzy Hash: 6951AF30A043409BEB21AB2AC88675A7799EF85708F0454BBFC409B397CB7CDC4587D9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E00422DB4(int _a4) {
      				void* __ebx;
      				void* __ebp;
      				signed int _t2;
      				signed int _t3;
      				void* _t7;
      				int _t8;
      				void* _t12;
      				void* _t13;
      				void* _t17;
      
      				_t8 = _a4;
      				if( *0x46c920 == 0) {
      					 *0x46c8f8 = E00422CC0(0, _t8, "GetSystemMetrics",  *0x46c8f8, _t17);
      					_t7 =  *0x46c8f8(_t8); // executed
      					return _t7;
      				}
      				_t3 = _t2 | 0xffffffff;
      				_t12 = _t8 + 0xffffffb4 - 2;
      				__eflags = _t12;
      				if(__eflags < 0) {
      					_t3 = 0;
      				} else {
      					if(__eflags == 0) {
      						_t8 = 0;
      					} else {
      						_t13 = _t12 - 1;
      						__eflags = _t13;
      						if(_t13 == 0) {
      							_t8 = 1;
      						} else {
      							__eflags = _t13 - 0xffffffffffffffff;
      							if(_t13 - 0xffffffffffffffff < 0) {
      								_t3 = 1;
      							}
      						}
      					}
      				}
      				__eflags = _t3 - 0xffffffff;
      				if(_t3 != 0xffffffff) {
      					return _t3;
      				} else {
      					return GetSystemMetrics(_t8);
      				}
      			}












      APIs
      • GetSystemMetrics.USER32 ref: 00422E16
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      • KiUserCallbackDispatcher.NTDLL ref: 00422DDC
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressCallbackDispatcherMetricsProcSystemUser
      • String ID: GetSystemMetrics
      • API String ID: 54681038-96882338
      • Opcode ID: ec19e675988011ecc2bfb952993e98f86cfa36b1a323fe4b78d11dbba27658f8
      • Instruction ID: 44df2ad46bb5544ae86f351f6a7e85249ca7be62ffb94e2f19cb959e77d8506d
      • Opcode Fuzzy Hash: ec19e675988011ecc2bfb952993e98f86cfa36b1a323fe4b78d11dbba27658f8
      • Instruction Fuzzy Hash: 0FF06D703142217AC7205A39FFC56232546A746330FE24F37E5627B6D1D6FC8C52A25E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E0040C65C(void* __eax, void* __ebx, void* __ecx) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _v20;
      				char _v24;
      				char _v28;
      				void* _t27;
      				void* _t37;
      				intOrPtr _t43;
      				void* _t48;
      				void* _t49;
      				intOrPtr _t56;
      				intOrPtr _t57;
      				void* _t59;
      				void* _t60;
      				intOrPtr _t61;
      
      				_t49 = __ecx;
      				_t59 = _t60;
      				_t61 = _t60 + 0xffffffe8;
      				_v12 = 0;
      				_push(_t59);
      				_push(0x40c732);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t61;
      				_v8 = 0xffffffff;
      				_t55 = __eax;
      				E00404970( &_v12, __eax);
      				E00404DE8( &_v12);
      				_push( &_v16);
      				_t27 = E00404D98(_v12);
      				_push(_t27); // executed
      				L00406B5C(); // executed
      				_t48 = _t27;
      				if(_t48 == 0) {
      					_pop(_t56);
      					 *[fs:eax] = _t56;
      					_push(E0040C739);
      					return E004048D8( &_v12);
      				} else {
      					_v20 = E00402A68(_t48, _t49, _t55);
      					_push(_t59);
      					_push(0x40c715);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t61;
      					_push(_v20);
      					_push(_t48);
      					_push(_v16);
      					_t37 = E00404D98(_v12);
      					_push(_t37); // executed
      					L00406B54(); // executed
      					if(_t37 != 0) {
      						_push( &_v28);
      						_push( &_v24);
      						_push(E0040C744);
      						_t43 = _v20;
      						_push(_t43);
      						L00406B64();
      						if(_t43 != 0) {
      							_v8 =  *((intOrPtr*)(_v24 + 8));
      						}
      					}
      					_pop(_t57);
      					 *[fs:eax] = _t57;
      					_push(0x40c71c);
      					return E00402A98(_v20);
      				}
      			}



















      APIs
      • 742514E0.VERSION(00000000,?,00000000,0040C732), ref: 0040C69E
      • 742514C0.VERSION(00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6D3
      • 74251500.VERSION(?,0040C744,?,?,00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6ED
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp Download File
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: 742514$74251500
      • String ID:
      • API String ID: 4005490263-0
      • Opcode ID: 318172207aa029c87f7e15ed71d3468b7f28130b526193b7a75cf5c5089a0c03
      • Instruction ID: 39a138c8fd91aba7b18394ce3b5245b57d21431200640309a97a6d707e0ad88e
      • Opcode Fuzzy Hash: 318172207aa029c87f7e15ed71d3468b7f28130b526193b7a75cf5c5089a0c03
      • Instruction Fuzzy Hash: E72110B5A00609AFDB11EFE9CC818AEB7FCEB49710B514576B510F32D1E738AD158A18
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004017BC(signed int __eax, intOrPtr* __ecx, void* __edx) {
      				signed int _v20;
      				void* _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				intOrPtr _t20;
      				void* _t35;
      				intOrPtr* _t39;
      				intOrPtr* _t48;
      				void** _t49;
      				signed int* _t50;
      				void** _t51;
      
      				_t51 =  &_v24;
      				_t39 = __ecx;
      				 *_t51 = __edx;
      				_t49 =  &_v32;
      				_t48 =  &_v36;
      				_t50 =  &_v28;
      				_v24 = __eax & 0xfffff000;
      				_v20 =  *_t51 + __eax + 0x00000fff & 0xfffff000;
      				 *__ecx = _v24;
      				 *((intOrPtr*)(__ecx + 4)) = _v20 - _v24;
      				_t20 =  *0x46c5e8; // 0x6b2b44
      				 *_t48 = _t20;
      				while(0x46c5e8 !=  *_t48) {
      					 *_t49 =  *( *_t48 + 8);
      					 *_t50 =  *((intOrPtr*)( *_t48 + 0xc)) +  *_t49;
      					if( *_t49 < _v24) {
      						 *_t49 = _v24;
      					}
      					if( *_t50 > _v20) {
      						 *_t50 = _v20;
      					}
      					if( *_t49 <  *_t50) {
      						_t35 = VirtualAlloc( *_t49,  *_t50 -  *_t49, 0x1000, 4); // executed
      						if(_t35 == 0) {
      							 *_t39 = 0;
      							return 0;
      						}
      					}
      					 *_t48 =  *((intOrPtr*)( *_t48));
      				}
      				return 0x46c5e8;
      			}















      APIs
      • VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 00401855
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AllocVirtual
      • String ID: 4+k$D+k
      • API String ID: 4275171209-3055203674
      • Opcode ID: be3f4c0181fe9c9af463280a23a8057e64266a0699d6779d819978b9bb92d5e4
      • Instruction ID: cac06f20f137fbde153e4005a4cfb70d571f0b419a393b3611fca7b420214c6c
      • Opcode Fuzzy Hash: be3f4c0181fe9c9af463280a23a8057e64266a0699d6779d819978b9bb92d5e4
      • Instruction Fuzzy Hash: 6721ADB5604246DFC750DF2CC880A5AB7E0FF98350B14892AF999DB3A4E334EA54CB56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 44%
      			E0040C65A(void* __eax, void* __ebx) {
      				intOrPtr _v8;
      				char _v12;
      				char _v16;
      				intOrPtr _v20;
      				char _v24;
      				char _v28;
      				void* _t27;
      				void* _t37;
      				intOrPtr _t43;
      				void* _t48;
      				void* _t49;
      				intOrPtr _t56;
      				intOrPtr _t57;
      				void* _t59;
      				void* _t60;
      				intOrPtr _t61;
      
      				_t59 = _t60;
      				_t61 = _t60 + 0xffffffe8;
      				_v12 = 0;
      				_push(_t59);
      				_push(0x40c732);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t61;
      				_v8 = 0xffffffff;
      				_t55 = __eax;
      				E00404970( &_v12, __eax);
      				E00404DE8( &_v12);
      				_push( &_v16);
      				_t27 = E00404D98(_v12);
      				_push(_t27); // executed
      				L00406B5C(); // executed
      				_t48 = _t27;
      				if(_t48 == 0) {
      					_pop(_t56);
      					 *[fs:eax] = _t56;
      					_push(E0040C739);
      					return E004048D8( &_v12);
      				} else {
      					_v20 = E00402A68(_t48, _t49, _t55);
      					_push(_t59);
      					_push(0x40c715);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t61;
      					_push(_v20);
      					_push(_t48);
      					_push(_v16);
      					_t37 = E00404D98(_v12);
      					_push(_t37); // executed
      					L00406B54(); // executed
      					if(_t37 != 0) {
      						_push( &_v28);
      						_push( &_v24);
      						_push(E0040C744);
      						_t43 = _v20;
      						_push(_t43);
      						L00406B64();
      						if(_t43 != 0) {
      							_v8 =  *((intOrPtr*)(_v24 + 8));
      						}
      					}
      					_pop(_t57);
      					 *[fs:eax] = _t57;
      					_push(0x40c71c);
      					return E00402A98(_v20);
      				}
      			}




















      APIs
      • 742514E0.VERSION(00000000,?,00000000,0040C732), ref: 0040C69E
      • 742514C0.VERSION(00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6D3
      • 74251500.VERSION(?,0040C744,?,?,00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6ED
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 742514$74251500
      • String ID:
      • API String ID: 4005490263-0
      • Opcode ID: 31511b725a1485195474fa3e887167a24d5249ae4ddb342bab4b12b156f7cd65
      • Instruction ID: 1921ba75302761497a67f4a5cb85d7e250eceb61dde73eab3178be707491c32b
      • Opcode Fuzzy Hash: 31511b725a1485195474fa3e887167a24d5249ae4ddb342bab4b12b156f7cd65
      • Instruction Fuzzy Hash: CD211FB5A00609AFDB11EFE9CC818AEB7FDEF49700B514576B510F3291E738AD018A18
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00401618(void* __eax, void** __edx) {
      				void* _t3;
      				void** _t8;
      				void* _t11;
      				long _t14;
      
      				_t8 = __edx;
      				if(__eax >= 0x100000) {
      					_t14 = __eax + 0x0000ffff & 0xffff0000;
      				} else {
      					_t14 = 0x100000;
      				}
      				_t8[1] = _t14;
      				_t3 = VirtualAlloc(0, _t14, 0x2000, 1); // executed
      				_t11 = _t3;
      				 *_t8 = _t11;
      				if(_t11 != 0) {
      					_t3 = E0040143C(0x46c5e8, _t8);
      					if(_t3 == 0) {
      						VirtualFree( *_t8, 0, 0x8000);
      						 *_t8 = 0;
      						return 0;
      					}
      				}
      				return _t3;
      			}








      APIs
      • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004019AB), ref: 00401647
      • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004019AB), ref: 0040166E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Virtual$AllocFree
      • String ID: D+k
      • API String ID: 2087232378-616741303
      • Opcode ID: 9f7a1ce924d85a1b2359e824fd94cb92b7bb9ad4a225a0bae048609f2744df63
      • Instruction ID: 028d83359eb453fcb0bef4f183ff5797724561d9b366710b2bb239687d376c99
      • Opcode Fuzzy Hash: 9f7a1ce924d85a1b2359e824fd94cb92b7bb9ad4a225a0bae048609f2744df63
      • Instruction Fuzzy Hash: 23F02772B0073017EB20566E0C85F5366848F867A4F180477FD48FF3E9D6B74C0142A9
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00401BB8: RtlInitializeCriticalSection.KERNEL32(0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401BCF
        • Part of subcall function 00401BB8: RtlEnterCriticalSection.KERNEL32(0046C5C8,0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401BE2
        • Part of subcall function 00401BB8: LocalAlloc.KERNEL32(00000000,00000FF8,0046C5C8,00000000,/&,?,?,?,004025DE), ref: 00401C0C
        • Part of subcall function 00401BB8: RtlLeaveCriticalSection.KERNEL32(0046C5C8,00401C87,00000000,/&,?,?,?,004025DE), ref: 00401C7A
      • RtlEnterCriticalSection.KERNEL32(0046C5C8,00000000,004025B0), ref: 0040245D
      • RtlLeaveCriticalSection.KERNEL32(0046C5C8,004025B7), ref: 004025AA
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
      • String ID:
      • API String ID: 2227675388-0
      • Opcode ID: 262cf37b6416800b94b6a283abf16196936c54d025515ba701812149fb80a1f8
      • Instruction ID: 086555a41379fe2f04c9ccee25467be397049e820cd76e2799f40974d09395c6
      • Opcode Fuzzy Hash: 262cf37b6416800b94b6a283abf16196936c54d025515ba701812149fb80a1f8
      • Instruction Fuzzy Hash: 695140B1A00245EFCB10CF98D9D466EB7F0FB49314B20817AD845A77D1E3B89941CB4E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040187C(void* __eax, void** __ecx, intOrPtr __edx) {
      				intOrPtr _t20;
      				int _t35;
      				signed int* _t38;
      				intOrPtr* _t44;
      				void** _t45;
      				intOrPtr* _t49;
      
      				 *_t49 = __edx;
      				_t45 = _t49 + 8;
      				_t44 = _t49 + 4;
      				_t38 = _t49 + 0xc;
      				 *(_t49 + 0x10) = __eax + 0x00000fff & 0xfffff000;
      				 *(_t49 + 0x14) = __eax +  *_t49 & 0xfffff000;
      				 *__ecx =  *(_t49 + 0x10);
      				__ecx[1] =  *(_t49 + 0x14) -  *(_t49 + 0x10);
      				_t20 =  *0x46c5e8; // 0x6b2b44
      				 *_t44 = _t20;
      				while(0x46c5e8 !=  *_t44) {
      					 *_t45 =  *( *_t44 + 8);
      					 *_t38 =  *((intOrPtr*)( *_t44 + 0xc)) +  *_t45;
      					if( *_t45 <  *(_t49 + 0x10)) {
      						 *_t45 =  *(_t49 + 0x10);
      					}
      					if( *_t38 >  *(_t49 + 0x14)) {
      						 *_t38 =  *(_t49 + 0x14);
      					}
      					if( *_t45 <  *_t38) {
      						_t35 = VirtualFree( *_t45,  *_t38 -  *_t45, 0x4000); // executed
      						if(_t35 == 0) {
      							 *0x46c5c4 = 2;
      						}
      					}
      					 *_t44 =  *((intOrPtr*)( *_t44));
      				}
      				return 0x46c5e8;
      			}










      APIs
      • VirtualFree.KERNEL32(?,?,00004000), ref: 0040190C
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: FreeVirtual
      • String ID: D+k
      • API String ID: 1263568516-616741303
      • Opcode ID: 3ce9ccfeafb9cf3e1219dd24afba10d20573baafe0f813583f6c379d665574d6
      • Instruction ID: 0ce21482ad8d186d92f06a99c233d824e819b8853d4c2eae3f03c878b867ec56
      • Opcode Fuzzy Hash: 3ce9ccfeafb9cf3e1219dd24afba10d20573baafe0f813583f6c379d665574d6
      • Instruction Fuzzy Hash: C421E0B5604306DFC710DF2CD880A1AB7E0FF99310B20496AE594DB364E330E948CB56
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044F028(void* __eax) {
      				struct HICON__* _t5;
      				void* _t7;
      				void* _t8;
      				struct HINSTANCE__* _t11;
      				CHAR** _t12;
      				void* _t13;
      
      				_t13 = __eax;
      				 *((intOrPtr*)(_t13 + 0x60)) = LoadCursorA(0, 0x7f00);
      				_t8 = 0xffffffea;
      				_t12 = 0x456d24;
      				do {
      					if(_t8 < 0xffffffef || _t8 > 0xfffffff4) {
      						if(_t8 != 0xffffffeb) {
      							_t11 = 0;
      						} else {
      							goto L4;
      						}
      					} else {
      						L4:
      						_t11 =  *0x46c664; // 0x400000
      					}
      					_t5 = LoadCursorA(_t11,  *_t12); // executed
      					_t7 = E0044F0FC(_t13, _t5, _t8);
      					_t8 = _t8 + 1;
      					_t12 =  &(_t12[1]);
      				} while (_t8 != 0xffffffff);
      				return _t7;
      			}










      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CursorLoad
      • String ID:
      • API String ID: 3238433803-0
      • Opcode ID: 3f94c8bf57ef3bb6ecbb6002d3e5e8d3e562f74cb72fe445ae3a72a4071aae53
      • Instruction ID: 586ad4673e3bc32bf2b5ff8e73a23afcad7c0f672dfa028796fcd84240dd920b
      • Opcode Fuzzy Hash: 3f94c8bf57ef3bb6ecbb6002d3e5e8d3e562f74cb72fe445ae3a72a4071aae53
      • Instruction Fuzzy Hash: 2FF0AE21B0464456BA20953E8CC1E3A72989BC2734B200377F939D72D3C76E6C49415D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0041DFA4(void* __eax, void* __ecx, void* __edx) {
      				void* __ebx;
      				void* _t8;
      				void* _t16;
      
      				_t16 = __eax;
      				_t8 = E0041CFF0( *((intOrPtr*)(__eax + 0xc)), __eax, __ecx); // executed
      				SelectObject( *(_t16 + 4), _t8);
      				return SetTextColor( *(_t16 + 4), E0041CB1C( *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc)) + 0x18))));
      			}







      APIs
        • Part of subcall function 0041CFF0: CreateFontIndirectA.GDI32(?), ref: 0041D12E
      • SelectObject.GDI32(?,00000000), ref: 0041DFB4
        • Part of subcall function 0041CB1C: GetSysColor.USER32(?), ref: 0041CB26
      • SetTextColor.GDI32(?,00000000), ref: 0041DFC9
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Color$CreateFontIndirectObjectSelectText
      • String ID:
      • API String ID: 2338844261-0
      • Opcode ID: 278fa7d2fd0a70434c3d653246f62751925b72ffcb352ba5984c1be6d79677cc
      • Instruction ID: 5c6cd377c0dec8427c4421e024cb8e4ed24b7f2808ed4e9c1bf95fab30d3327a
      • Opcode Fuzzy Hash: 278fa7d2fd0a70434c3d653246f62751925b72ffcb352ba5984c1be6d79677cc
      • Instruction Fuzzy Hash: D5D067B52441009BCB40EFADDDC1D06B7ECAB0821430580A6B909DF25BCA38E8508728
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040721C(int __eax, long __edx) {
      				void* _t2;
      
      				_t2 = GlobalAlloc(__eax, __edx); // executed
      				GlobalFix(_t2);
      				return _t2;
      			}





      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Global$Alloc
      • String ID:
      • API String ID: 2558781224-0
      • Opcode ID: 65fba659373334e4ead66397aedb6a001e9cb730b19fe39f78287eb6257abbdd
      • Instruction ID: d4b71d984331ad16aabc7564cd8ff7a7226ac506a0f246d0c8651284fc912a2a
      • Opcode Fuzzy Hash: 65fba659373334e4ead66397aedb6a001e9cb730b19fe39f78287eb6257abbdd
      • Instruction Fuzzy Hash: 859002C4A0020028DC00B3B20C0AD3B041C58C67683C2C86F3447F3083883E85200C39
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00451EB4(intOrPtr __eax) {
      				intOrPtr _v8;
      				intOrPtr _t8;
      				intOrPtr _t9;
      				intOrPtr _t13;
      				void* _t16;
      				void* _t23;
      				void* _t27;
      				void* _t29;
      				void* _t30;
      				intOrPtr _t31;
      
      				_v8 = __eax;
      				_t8 = _v8;
      				if( *((intOrPtr*)(_t8 + 0x30)) != 0) {
      					_t9 =  *0x46cb48; // 0x2130e74
      					_t29 = E0044EF18(_t9) - 1;
      					if(_t29 < 0) {
      						L9:
      						return E00451E58(0, _t31);
      					}
      					_t30 = _t29 + 1;
      					_t27 = 0;
      					while(1) {
      						_t13 =  *0x46cb48; // 0x2130e74
      						_t23 = E0044EF04(_t13, _t27);
      						if( *((char*)(_t23 + 0x57)) != 0 && ( *(_t23 + 0x190) == 0 || E0043811C(_t23) != 0 || IsChild(E00437E18(_t23),  *(_t23 + 0x190)) == 0)) {
      							break;
      						}
      						_t27 = _t27 + 1;
      						_t30 = _t30 - 1;
      						if(_t30 != 0) {
      							continue;
      						}
      						goto L9;
      					}
      					_t16 = E00451E58(1, _t31); // executed
      					return _t16;
      				}
      				return _t8;
      			}














      APIs
      • IsChild.USER32(00000000,00000000), ref: 00451F12
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Child
      • String ID:
      • API String ID: 3815930669-0
      • Opcode ID: 476696a52aea57c12ca562fdc447bf19fba745308bd3351039acd4d10407d181
      • Instruction ID: 3f3c0de6917a1b89d9f4ccb4c9725c99b1e6eafd61009ca16ccee1a81fbe3747
      • Opcode Fuzzy Hash: 476696a52aea57c12ca562fdc447bf19fba745308bd3351039acd4d10407d181
      • Instruction Fuzzy Hash: E601D8326042045BE720AB2FDC8AB5BB3DCAB50756F40007FFC05C7263DB6D9C4982A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E004072A2(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
      				CHAR* _v8;
      				void* _t13;
      				struct HWND__* _t24;
      				CHAR* _t31;
      				long _t38;
      
      				_push(_t31);
      				_v8 = _t31;
      				_t38 = __eax;
      				_t13 = E00402EAC();
      				_t24 = CreateWindowExA(_t38, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
      				E00402E9C(_t13);
      				return _t24;
      			}









      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: 9c4a35b888cf2551de8f51d0c0d54e28cea9aafeb2db290ed2152421daa76f7a
      • Instruction ID: e0fc07bd19804e23af67faa43fc44cd2481e19bfe577e80d05c5da4bdf4657b1
      • Opcode Fuzzy Hash: 9c4a35b888cf2551de8f51d0c0d54e28cea9aafeb2db290ed2152421daa76f7a
      • Instruction Fuzzy Hash: 28F07FB2704118BF9B80DE9DDD85E9B77ECEB4C264B15416ABA08E3241D674ED108BA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004072A4(long __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
      				CHAR* _v8;
      				void* _t13;
      				struct HWND__* _t24;
      				CHAR* _t29;
      				long _t32;
      
      				_v8 = _t29;
      				_t32 = __eax;
      				_t13 = E00402EAC();
      				_t24 = CreateWindowExA(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
      				E00402E9C(_t13);
      				return _t24;
      			}









      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: 3535ac39d5b3a2ae28fb97fd662484c5fec1079fa713ec3a8be5620ec229d509
      • Instruction ID: abfbe099832aae9f3496a2f733b48eb4eec01d8df31966954bd9e84fa2a3cbe4
      • Opcode Fuzzy Hash: 3535ac39d5b3a2ae28fb97fd662484c5fec1079fa713ec3a8be5620ec229d509
      • Instruction Fuzzy Hash: 7FF092B2604118BF9B80DE9DDD85EDB77ECEB4C264B15416AFA0CE3241D674ED108BB4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E00450F70(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
      				char _v8;
      				void* _t27;
      				intOrPtr _t33;
      				intOrPtr _t40;
      				char _t41;
      
      				_push(0);
      				_t37 = __edx;
      				_t27 = __eax;
      				_push(_t40);
      				_push(0x450ff2);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t40;
      				_t41 =  *((char*)(__eax + 0xa4));
      				if(_t41 == 0) {
      					E0040492C(__eax + 0x8c, __edx);
      				} else {
      					E00450F24(__eax,  &_v8);
      					E00404CE4(_v8, _t37);
      					if(_t41 != 0 ||  *((intOrPtr*)(_t27 + 0x8c)) != 0) {
      						SetWindowTextA( *(_t27 + 0x30), E00404D98(_t37)); // executed
      						E004048D8(_t27 + 0x8c);
      					}
      				}
      				_pop(_t33);
      				 *[fs:eax] = _t33;
      				_push(0x450ff9);
      				return E004048D8( &_v8);
      			}









      APIs
        • Part of subcall function 00450F24: GetWindowTextA.USER32 ref: 00450F47
      • SetWindowTextA.USER32(?,00000000), ref: 00450FBD
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: TextWindow
      • String ID:
      • API String ID: 530164218-0
      • Opcode ID: 3aad00bd948037fc323e5330df04e241d6aa4a94f223f850d0bbc1c4baa46c2f
      • Instruction ID: 888efd2483dc6d4a9f8a1621d5d17741cad9628e7b6fa877b7005ade7513a654
      • Opcode Fuzzy Hash: 3aad00bd948037fc323e5330df04e241d6aa4a94f223f850d0bbc1c4baa46c2f
      • Instruction Fuzzy Hash: F101F77A204204AFD721FA25C842B5A73A8EB44704F5580B7FD04DB283DBBC9D08C76D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004072FC(CHAR* __eax, CHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32) {
      				long _v8;
      				void* _t12;
      				struct HWND__* _t22;
      				long _t27;
      				CHAR* _t30;
      
      				_v8 = _t27;
      				_t30 = __eax;
      				_t12 = E00402EAC();
      				_t22 = CreateWindowExA(0, _t30, __edx, _v8, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
      				E00402E9C(_t12);
      				return _t22;
      			}









      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: 29c723ce35690072d19baf1a26dd99f1737f8c56e4999962c25fa1d40af64553
      • Instruction ID: 90c95729ce2e418d1af6485d5ce9f4a250eb70241a0d2c3c327b7363d9e02702
      • Opcode Fuzzy Hash: 29c723ce35690072d19baf1a26dd99f1737f8c56e4999962c25fa1d40af64553
      • Instruction Fuzzy Hash: CCF0A4B2704118BFDB80DE9EDD85E9B77ECEB4C264B14416ABA0CD7241D674ED1087B4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 16%
      			E004314A8(intOrPtr* __eax, void* __edx) {
      				intOrPtr _v16;
      				intOrPtr _v20;
      				void* _v28;
      				intOrPtr _v32;
      				intOrPtr* _t31;
      
      				asm("movsd");
      				asm("movsd");
      				 *((intOrPtr*)( *__eax + 0x44))();
      				_push( *((intOrPtr*)(__eax + 0x48)) - _v20 +  *_t31);
      				_push( *((intOrPtr*)(__eax + 0x4c)) - _v16 + _v32);
      				return  *((intOrPtr*)( *__eax + 0x84))();
      			}









      APIs
      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004314E3
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CallbackDispatcherUser
      • String ID:
      • API String ID: 2492992576-0
      • Opcode ID: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
      • Instruction ID: 2b489bd349fd00ef9accd65a6c2d7a08998cef0b38985eff922cf8e7109b24d4
      • Opcode Fuzzy Hash: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
      • Instruction Fuzzy Hash: CDF0D4362042019FC704DF5CC8C498ABBE5FF89255F0446A8FA89CB356DA32E814CB92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00405920(void* __eax) {
      				char _v272;
      				intOrPtr _t14;
      				void* _t16;
      				intOrPtr _t18;
      				intOrPtr _t19;
      
      				_t16 = __eax;
      				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
      					_t3 = _t16 + 4; // 0x400000
      					GetModuleFileNameA( *_t3,  &_v272, 0x105);
      					_t14 = E00405BB4(_t19); // executed
      					_t18 = _t14;
      					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
      					if(_t18 == 0) {
      						_t5 = _t16 + 4; // 0x400000
      						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
      					}
      				}
      				_t7 = _t16 + 0x10; // 0x400000
      				return  *_t7;
      			}








      APIs
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040593E
        • Part of subcall function 00405BB4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,004560C8), ref: 00405BCF
        • Part of subcall function 00405BB4: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,004560C8), ref: 00405BED
        • Part of subcall function 00405BB4: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,004560C8), ref: 00405C0B
        • Part of subcall function 00405BB4: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405C29
        • Part of subcall function 00405BB4: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00405CB8,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405C72
        • Part of subcall function 00405BB4: RegQueryValueExA.ADVAPI32(?,00405E34,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00405CB8,?,80000001), ref: 00405C90
        • Part of subcall function 00405BB4: RegCloseKey.ADVAPI32(?,00405CBF,00000000,?,?,00000000,00405CB8,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405CB2
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Open$FileModuleNameQueryValue$Close
      • String ID:
      • API String ID: 2796650324-0
      • Opcode ID: 337c67f52d6be5fb65d74032fded88a98f1ea97e9e75802b9995ec0761888c4a
      • Instruction ID: ebbd9b28e8d1944eb974a5e23f17fa8135e273b79809ad56ce01caa39c6bd71f
      • Opcode Fuzzy Hash: 337c67f52d6be5fb65d74032fded88a98f1ea97e9e75802b9995ec0761888c4a
      • Instruction Fuzzy Hash: 40E06DB1A00610CBDB10DE5C88C1A4337E8AB08764F0009A6ED98EF386D3B4DE208BD4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004085EC(void* __eax, void* __edx) {
      				int _t3;
      				char* _t5;
      				int _t7;
      				int _t10;
      				void* _t12;
      
      				_t12 = __eax;
      				_t3 = E00404B98(__edx);
      				_t5 = E00404D98(__edx);
      				_t7 = E00404B98(_t12);
      				_t10 = CompareStringA(0x400, 1, E00404D98(_t12), _t7, _t5, _t3); // executed
      				return _t10 - 2;
      			}








      APIs
      • CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00408633,?,?,004089BD), ref: 00408619
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CompareString
      • String ID:
      • API String ID: 1825529933-0
      • Opcode ID: ed35611da8407f76b090acac208f65b8e071dc7621fd8a1ac5751d6064c14b38
      • Instruction ID: 59e5352558182b3bb511e05d165ab98a9c95749589f53045169c9acb154877a3
      • Opcode Fuzzy Hash: ed35611da8407f76b090acac208f65b8e071dc7621fd8a1ac5751d6064c14b38
      • Instruction Fuzzy Hash: 31D09ED13A07102AE25076BE0C82F5A408C4F99B1AB02003AB30DF62C3C97CCD451269
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0041AFC8(intOrPtr _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v16;
      				intOrPtr _t27;
      				void* _t29;
      				intOrPtr* _t48;
      				void _t52;
      
      				_t48 =  &_v16;
      				if( *0x46c884 == 0) {
      					_t29 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
      					_v12 = _t29;
      					_t52 =  *0x46c880; // 0x630000
      					 *_v12 = _t52;
      					E00402C94(0x456410, 2, _v12 + 4);
      					 *((intOrPtr*)(_v12 + 6)) = E0041AFC0(_v12 + 5, E0041AFA0);
      					 *_t48 = _v12 + 0xa;
      					do {
      						 *((char*)( *_t48)) = 0xe8;
      						 *((intOrPtr*)( *_t48 + 1)) = E0041AFC0( *_t48, _v12 + 4);
      						 *((intOrPtr*)( *_t48 + 5)) =  *0x46c884;
      						 *0x46c884 =  *_t48;
      						 *_t48 =  *_t48 + 0xd;
      					} while ( *_t48 - _v12 < 0xffc);
      					 *0x46c880 = _v12;
      				}
      				_v8 =  *0x46c884;
      				 *_t48 =  *0x46c884;
      				 *0x46c884 =  *((intOrPtr*)( *_t48 + 5));
      				_t27 =  *_t48;
      				 *((intOrPtr*)(_t27 + 5)) = _a4;
      				 *((intOrPtr*)(_t27 + 9)) = _a8;
      				return _v8;
      			}










      APIs
      • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0041AFEF
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 205e2ca7d28585095eb4681ad7d4e5c7cf81f8b8ae04d10dfa94a4256b5fa68c
      • Instruction ID: 20666deb844d0f801dcced245bf89fa88a75401ae7b92f2f4ac84805fac6d004
      • Opcode Fuzzy Hash: 205e2ca7d28585095eb4681ad7d4e5c7cf81f8b8ae04d10dfa94a4256b5fa68c
      • Instruction Fuzzy Hash: 2531B474A00215DFCB10DF99C4C1F89BBF1EF49314F1181A9E588DB369E374A985CB86
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      C-Code - Quality: 83%
      			E0043C824() {
      				int _v8;
      				intOrPtr _t4;
      				struct HINSTANCE__* _t11;
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t15;
      				struct HINSTANCE__* _t17;
      				struct HINSTANCE__* _t19;
      				struct HINSTANCE__* _t21;
      				struct HINSTANCE__* _t23;
      				struct HINSTANCE__* _t25;
      				struct HINSTANCE__* _t27;
      				struct HINSTANCE__* _t29;
      				intOrPtr _t40;
      				intOrPtr _t42;
      				intOrPtr _t44;
      
      				_t42 = _t44;
      				_t4 =  *0x46b7e4; // 0x46c740
      				if( *((char*)(_t4 + 0xc)) == 0) {
      					return _t4;
      				} else {
      					_v8 = SetErrorMode(0x8000);
      					_push(_t42);
      					_push(0x43c98a);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t44;
      					if( *0x46caf8 == 0) {
      						 *0x46caf8 = GetProcAddress(GetModuleHandleA("USER32"), "WINNLSEnableIME");
      					}
      					if( *0x456b74 == 0) {
      						 *0x456b74 = LoadLibraryA("imm32.dll");
      						if( *0x456b74 != 0) {
      							_t11 =  *0x456b74; // 0x0
      							 *0x46cafc = GetProcAddress(_t11, "ImmGetContext");
      							_t13 =  *0x456b74; // 0x0
      							 *0x46cb00 = GetProcAddress(_t13, "ImmReleaseContext");
      							_t15 =  *0x456b74; // 0x0
      							 *0x46cb04 = GetProcAddress(_t15, "ImmGetConversionStatus");
      							_t17 =  *0x456b74; // 0x0
      							 *0x46cb08 = GetProcAddress(_t17, "ImmSetConversionStatus");
      							_t19 =  *0x456b74; // 0x0
      							 *0x46cb0c = GetProcAddress(_t19, "ImmSetOpenStatus");
      							_t21 =  *0x456b74; // 0x0
      							 *0x46cb10 = GetProcAddress(_t21, "ImmSetCompositionWindow");
      							_t23 =  *0x456b74; // 0x0
      							 *0x46cb14 = GetProcAddress(_t23, "ImmSetCompositionFontA");
      							_t25 =  *0x456b74; // 0x0
      							 *0x46cb18 = GetProcAddress(_t25, "ImmGetCompositionStringA");
      							_t27 =  *0x456b74; // 0x0
      							 *0x46cb1c = GetProcAddress(_t27, "ImmIsIME");
      							_t29 =  *0x456b74; // 0x0
      							 *0x46cb20 = GetProcAddress(_t29, "ImmNotifyIME");
      						}
      					}
      					_pop(_t40);
      					 *[fs:eax] = _t40;
      					_push(0x43c991);
      					return SetErrorMode(_v8);
      				}
      			}


















      APIs
      • SetErrorMode.KERNEL32(00008000), ref: 0043C83D
      • GetModuleHandleA.KERNEL32(USER32,00000000,0043C98A,?,00008000), ref: 0043C861
      • GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 0043C86E
      • LoadLibraryA.KERNEL32(imm32.dll,00000000,0043C98A,?,00008000), ref: 0043C88A
      • GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 0043C8AC
      • GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 0043C8C1
      • GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 0043C8D6
      • GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 0043C8EB
      • GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 0043C900
      • GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 0043C915
      • GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0043C92A
      • GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 0043C93F
      • GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 0043C954
      • GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0043C969
      • SetErrorMode.KERNEL32(?,0043C991,00008000), ref: 0043C984
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
      • String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
      • API String ID: 3397921170-3950384806
      • Opcode ID: ee4b704ae72f122ba5f380ea0cbaa740bd7955e0eda7d8c1a47677df26e9e0e6
      • Instruction ID: cb1aa6914996cf9ef4a8aa15920a83ec1ee13eb5fd8b1a834437dba341fd0f7a
      • Opcode Fuzzy Hash: ee4b704ae72f122ba5f380ea0cbaa740bd7955e0eda7d8c1a47677df26e9e0e6
      • Instruction Fuzzy Hash: 6931DEB1740340AADB10EBB5FD86B2536E8E709705B52653BF041F7291D6B9A810CF1D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E004059DC(char* __eax, intOrPtr __edx) {
      				char* _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char* _v20;
      				intOrPtr _v24;
      				_Unknown_base(*)()* _v28;
      				struct _WIN32_FIND_DATAA _v346;
      				char _v607;
      				char* _t75;
      				char* _t85;
      				void* _t108;
      				void* _t112;
      				struct HINSTANCE__* _t114;
      				void* _t115;
      				void* _t116;
      
      				_v12 = __edx;
      				_v8 = __eax;
      				_v16 = _v8;
      				_t114 = GetModuleHandleA("kernel32.dll");
      				if(_t114 == 0) {
      					L4:
      					if( *_v8 != 0x5c) {
      						_v20 = _v8 + 2;
      						goto L10;
      					} else {
      						if( *((char*)(_v8 + 1)) == 0x5c) {
      							_v20 = E004059B0(_v8 + 2);
      							if( *_v20 != 0) {
      								_v20 = E004059B0(_v20 + 1);
      								if( *_v20 != 0) {
      									L10:
      									_t108 = _v20 - _v8;
      									_push(_t108 + 1);
      									_push(_v8);
      									_push( &_v607);
      									L004012D4();
      									while( *_v20 != 0) {
      										_v24 = E004059B0(_v20 + 1);
      										_t112 = _v24 - _v20;
      										if(_t112 + _t108 + 1 <= 0x105) {
      											_push(_t112 + 1);
      											_push(_v20);
      											_push( &(( &_v607)[_t108]));
      											L004012D4();
      											_t115 = FindFirstFileA( &_v607,  &_v346);
      											if(_t115 != 0xffffffff) {
      												FindClose(_t115);
      												_t75 =  &(_v346.cFileName);
      												_push(_t75);
      												L004012DC();
      												if(_t75 + _t108 + 1 + 1 <= 0x105) {
      													 *((char*)(_t116 + _t108 - 0x25b)) = 0x5c;
      													_push(0x105 - _t108 - 1);
      													_push( &(_v346.cFileName));
      													_push( &(( &(( &_v607)[_t108]))[1]));
      													L004012D4();
      													_t85 =  &(_v346.cFileName);
      													_push(_t85);
      													L004012DC();
      													_t108 = _t108 + _t85 + 1;
      													_v20 = _v24;
      													continue;
      												}
      											}
      										}
      										goto L17;
      									}
      									_push(_v12);
      									_push( &_v607);
      									_push(_v8);
      									L004012D4();
      								}
      							}
      						}
      					}
      				} else {
      					_v28 = GetProcAddress(_t114, "GetLongPathNameA");
      					if(_v28 == 0) {
      						goto L4;
      					} else {
      						_push(0x105);
      						_push( &_v607);
      						_push(_v8);
      						if(_v28() == 0) {
      							goto L4;
      						} else {
      							_push(_v12);
      							_push( &_v607);
      							_push(_v8);
      							L004012D4();
      						}
      					}
      				}
      				L17:
      				return _v16;
      			}


















      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,?,004560C8), ref: 004059F9
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405A0A
      • lstrcpyn.KERNEL32(?,?,?,?,?,004560C8), ref: 00405A3E
      • lstrcpyn.KERNEL32(?,?,?,kernel32.dll,?,?,004560C8), ref: 00405AAF
      • lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,?,?,004560C8), ref: 00405AEA
      • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,?,?,004560C8), ref: 00405AFD
      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,?,?,004560C8), ref: 00405B0A
      • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,?,?,004560C8), ref: 00405B16
      • lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 00405B4A
      • lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 00405B56
      • lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 00405B7F
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameA$\$kernel32.dll
      • API String ID: 3245196872-1565342463
      • Opcode ID: cb82f55bc071bfd935a3173fa00620c8d26b72bb097a24879e6a42148c320e5a
      • Instruction ID: 3a5d998a4001e452502604f5e8684c3d44c703c8cecc0b39923a9e13a090a1bc
      • Opcode Fuzzy Hash: cb82f55bc071bfd935a3173fa00620c8d26b72bb097a24879e6a42148c320e5a
      • Instruction Fuzzy Hash: 5F512871E00559AFDB11DBE9CC89AEFB7B8EF44314F1405AAA544F7281D738AE408F98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E00438128(void* __eax) {
      				void* _v28;
      				struct _WINDOWPLACEMENT _v56;
      				struct tagPOINT _v64;
      				intOrPtr _v68;
      				void* _t43;
      				struct HWND__* _t45;
      				struct tagPOINT* _t47;
      
      				_t47 =  &(_v64.y);
      				_t43 = __eax;
      				if(IsIconic( *(__eax + 0x180)) == 0) {
      					GetWindowRect( *(_t43 + 0x180), _t47);
      				} else {
      					_v56.length = 0x2c;
      					GetWindowPlacement( *(_t43 + 0x180),  &_v56);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      				}
      				if((GetWindowLongA( *(_t43 + 0x180), 0xfffffff0) & 0x40000000) != 0) {
      					_t45 = GetWindowLongA( *(_t43 + 0x180), 0xfffffff8);
      					if(_t45 != 0) {
      						ScreenToClient(_t45, _t47);
      						ScreenToClient(_t45,  &_v64);
      					}
      				}
      				 *(_t43 + 0x40) = _t47->x;
      				 *((intOrPtr*)(_t43 + 0x44)) = _v68;
      				 *((intOrPtr*)(_t43 + 0x48)) = _v64.x - _t47->x;
      				 *((intOrPtr*)(_t43 + 0x4c)) = _v64.y.x - _v68;
      				return E00430C70(_t43);
      			}










      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$ClientLongScreen$IconicPlacementRect
      • String ID: ,
      • API String ID: 2266315723-3772416878
      • Opcode ID: 2ce57d909c520d19255312579823a140203676e4b4c1be59cad719544be3e4e9
      • Instruction ID: a02bd8e2a1462c49ac9f0c1cdc0a697620d2f40758102ad21cb2c5320a0d8253
      • Opcode Fuzzy Hash: 2ce57d909c520d19255312579823a140203676e4b4c1be59cad719544be3e4e9
      • Instruction Fuzzy Hash: A6116A71504201AFCB01DF6DC885A8B77E8AF4D314F144A2EBD58DB286DB39E9058B66
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E0044583C(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				struct HMENU__* _v12;
      				signed int _v16;
      				char _v17;
      				intOrPtr _v24;
      				int _v28;
      				struct HDC__* _v32;
      				intOrPtr _v36;
      				intOrPtr _v40;
      				intOrPtr _v44;
      				intOrPtr* _v48;
      				char _v52;
      				intOrPtr _t137;
      				signed int _t138;
      				intOrPtr _t144;
      				signed int _t150;
      				signed int _t151;
      				intOrPtr* _t153;
      				void* _t158;
      				struct HMENU__* _t160;
      				intOrPtr* _t165;
      				void* _t173;
      				signed int _t177;
      				signed int _t181;
      				void* _t182;
      				void* _t186;
      				void* _t214;
      				void* _t218;
      				struct HDC__* _t221;
      				void* _t251;
      				void* _t253;
      				signed int _t257;
      				void* _t265;
      				signed int _t271;
      				signed int _t272;
      				signed int _t274;
      				signed int _t275;
      				signed int _t277;
      				signed int _t278;
      				signed int _t280;
      				signed int _t281;
      				signed int _t283;
      				signed int _t284;
      				signed int _t286;
      				signed int _t287;
      				signed int _t290;
      				signed int _t291;
      				intOrPtr _t306;
      				intOrPtr _t328;
      				intOrPtr _t337;
      				intOrPtr _t341;
      				intOrPtr* _t348;
      				signed int _t350;
      				intOrPtr* _t351;
      				signed int _t362;
      				signed int _t363;
      				signed int _t364;
      				signed int _t365;
      				signed int _t366;
      				signed int _t367;
      				signed int _t368;
      				intOrPtr* _t370;
      				void* _t372;
      				void* _t373;
      				intOrPtr _t374;
      				void* _t375;
      
      				_t372 = _t373;
      				_t374 = _t373 + 0xffffffd0;
      				_t292 = 0;
      				_v52 = 0;
      				_t370 = __edx;
      				_v8 = __eax;
      				_push(_t372);
      				_push(0x445d6f);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t374;
      				_t137 =  *__edx;
      				_t375 = _t137 - 0x111;
      				if(_t375 > 0) {
      					_t138 = _t137 - 0x117;
      					__eflags = _t138;
      					if(_t138 == 0) {
      						_t271 =  *((intOrPtr*)(_v8 + 8)) - 1;
      						__eflags = _t271;
      						if(_t271 < 0) {
      							goto L67;
      						} else {
      							_t272 = _t271 + 1;
      							_t362 = 0;
      							__eflags = 0;
      							while(1) {
      								_t150 = E00444BB8(E0041449C(_v8, _t292, _t362),  *(_t370 + 4), __eflags);
      								__eflags = _t150;
      								if(_t150 != 0) {
      									goto L68;
      								}
      								_t362 = _t362 + 1;
      								_t272 = _t272 - 1;
      								__eflags = _t272;
      								if(_t272 != 0) {
      									continue;
      								} else {
      									goto L67;
      								}
      								goto L68;
      							}
      						}
      					} else {
      						_t151 = _t138 - 8;
      						__eflags = _t151;
      						if(_t151 == 0) {
      							_v17 = 0;
      							__eflags =  *(__edx + 6) & 0x00000010;
      							if(( *(__edx + 6) & 0x00000010) != 0) {
      								_v17 = 1;
      							}
      							_t274 =  *((intOrPtr*)(_v8 + 8)) - 1;
      							__eflags = _t274;
      							if(__eflags < 0) {
      								L32:
      								_t153 =  *0x46b67c; // 0x46cb44
      								E00451DC4( *_t153, 0, __eflags);
      								goto L67;
      							} else {
      								_t275 = _t274 + 1;
      								_t363 = 0;
      								__eflags = 0;
      								while(1) {
      									__eflags = _v17 - 1;
      									if(_v17 != 1) {
      										_v12 =  *(_t370 + 4) & 0x0000ffff;
      									} else {
      										_t160 =  *(_t370 + 8);
      										__eflags = _t160;
      										if(_t160 == 0) {
      											_v12 = 0xffffffff;
      										} else {
      											_v12 = GetSubMenu(_t160,  *(_t370 + 4) & 0x0000ffff);
      										}
      									}
      									_t158 = E0041449C(_v8, _t292, _t363);
      									_t292 = _v17;
      									_v16 = E00444AFC(_t158, _v17, _v12);
      									__eflags = _v16;
      									if(__eflags != 0) {
      										break;
      									}
      									_t363 = _t363 + 1;
      									_t275 = _t275 - 1;
      									__eflags = _t275;
      									if(__eflags != 0) {
      										continue;
      									} else {
      										goto L32;
      									}
      									goto L68;
      								}
      								E0042E710( *((intOrPtr*)(_v16 + 0x58)), _t292,  &_v52, __eflags);
      								_t165 =  *0x46b67c; // 0x46cb44
      								E00451DC4( *_t165, _v52, __eflags);
      							}
      						} else {
      							__eflags = _t151 == 1;
      							if(_t151 == 1) {
      								_t277 =  *((intOrPtr*)(_v8 + 8)) - 1;
      								__eflags = _t277;
      								if(_t277 < 0) {
      									goto L67;
      								} else {
      									_t278 = _t277 + 1;
      									_t364 = 0;
      									__eflags = 0;
      									while(1) {
      										_v48 = E0041449C(_v8, _t292, _t364);
      										_t173 =  *((intOrPtr*)( *_v48 + 0x34))();
      										__eflags = _t173 -  *(_t370 + 8);
      										if(_t173 ==  *(_t370 + 8)) {
      											break;
      										}
      										_t292 = 1;
      										_t177 = E00444AFC(_v48, 1,  *(_t370 + 8));
      										__eflags = _t177;
      										if(_t177 == 0) {
      											_t364 = _t364 + 1;
      											_t278 = _t278 - 1;
      											__eflags = _t278;
      											if(_t278 != 0) {
      												continue;
      											} else {
      												goto L67;
      											}
      										} else {
      											break;
      										}
      										goto L68;
      									}
      									E0044542C(_v48, _t370);
      								}
      							} else {
      								goto L67;
      							}
      						}
      					}
      					goto L68;
      				} else {
      					if(_t375 == 0) {
      						_t280 =  *((intOrPtr*)(_v8 + 8)) - 1;
      						__eflags = _t280;
      						if(_t280 < 0) {
      							goto L67;
      						} else {
      							_t281 = _t280 + 1;
      							_t365 = 0;
      							__eflags = 0;
      							while(1) {
      								E0041449C(_v8, _t292, _t365);
      								_t181 = E00444B9C( *(_t370 + 4), __eflags);
      								__eflags = _t181;
      								if(_t181 != 0) {
      									goto L68;
      								}
      								_t365 = _t365 + 1;
      								_t281 = _t281 - 1;
      								__eflags = _t281;
      								if(_t281 != 0) {
      									continue;
      								} else {
      									goto L67;
      								}
      								goto L68;
      							}
      						}
      						goto L68;
      					} else {
      						_t182 = _t137 - 0x2b;
      						if(_t182 == 0) {
      							_v40 =  *((intOrPtr*)(__edx + 8));
      							_t283 =  *((intOrPtr*)(_v8 + 8)) - 1;
      							__eflags = _t283;
      							if(_t283 < 0) {
      								goto L67;
      							} else {
      								_t284 = _t283 + 1;
      								_t366 = 0;
      								__eflags = 0;
      								while(1) {
      									_t186 = E0041449C(_v8, _t292, _t366);
      									_t292 = 0;
      									_v16 = E00444AFC(_t186, 0,  *((intOrPtr*)(_v40 + 8)));
      									__eflags = _v16;
      									if(_v16 != 0) {
      										break;
      									}
      									_t366 = _t366 + 1;
      									_t284 = _t284 - 1;
      									__eflags = _t284;
      									if(_t284 != 0) {
      										continue;
      									} else {
      										goto L67;
      									}
      									goto L69;
      								}
      								_v24 = E0041D8F8(0, 1);
      								_push(_t372);
      								_push(0x445ba2);
      								_push( *[fs:eax]);
      								 *[fs:eax] = _t374;
      								_v28 = SaveDC( *(_v40 + 0x18));
      								_push(_t372);
      								_push(0x445b85);
      								_push( *[fs:eax]);
      								 *[fs:eax] = _t374;
      								E0041DEB4(_v24,  *(_v40 + 0x18));
      								E0041DD54(_v24);
      								E00446014(_v16, _v40 + 0x1c, _v24,  *((intOrPtr*)(_v40 + 0x10)));
      								_pop(_t328);
      								 *[fs:eax] = _t328;
      								_push(0x445b8c);
      								__eflags = 0;
      								E0041DEB4(_v24, 0);
      								return RestoreDC( *(_v40 + 0x18), _v28);
      							}
      						} else {
      							_t214 = _t182 - 1;
      							if(_t214 == 0) {
      								_v44 =  *((intOrPtr*)(__edx + 8));
      								_t286 =  *((intOrPtr*)(_v8 + 8)) - 1;
      								__eflags = _t286;
      								if(_t286 < 0) {
      									goto L67;
      								} else {
      									_t287 = _t286 + 1;
      									_t367 = 0;
      									__eflags = 0;
      									while(1) {
      										_t218 = E0041449C(_v8, _t292, _t367);
      										_t292 = 0;
      										_v16 = E00444AFC(_t218, 0,  *((intOrPtr*)(_v44 + 8)));
      										__eflags = _v16;
      										if(_v16 != 0) {
      											break;
      										}
      										_t367 = _t367 + 1;
      										_t287 = _t287 - 1;
      										__eflags = _t287;
      										if(_t287 != 0) {
      											continue;
      										} else {
      											goto L67;
      										}
      										goto L69;
      									}
      									_t221 =  *((intOrPtr*)(_v8 + 0x10));
      									L00406F84();
      									_v32 = _t221;
      									 *[fs:eax] = _t374;
      									_v24 = E0041D8F8(0, 1);
      									 *[fs:eax] = _t374;
      									_v28 = SaveDC(_v32);
      									 *[fs:eax] = _t374;
      									E0041DEB4(_v24, _v32);
      									E0041DD54(_v24);
      									 *((intOrPtr*)( *_v16 + 0x38))(_v44 + 0x10,  *[fs:eax], 0x445ca3, _t372,  *[fs:eax], 0x445cc0, _t372,  *[fs:eax], 0x445ce5, _t372, _t221);
      									_pop(_t337);
      									 *[fs:eax] = _t337;
      									_push(0x445caa);
      									__eflags = 0;
      									E0041DEB4(_v24, 0);
      									return RestoreDC(_v32, _v28);
      								}
      							} else {
      								if(_t214 == 0x27) {
      									_v36 =  *((intOrPtr*)(__edx + 8));
      									_t290 =  *((intOrPtr*)(_v8 + 8)) - 1;
      									__eflags = _t290;
      									if(_t290 < 0) {
      										goto L67;
      									} else {
      										_t291 = _t290 + 1;
      										_t368 = 0;
      										__eflags = 0;
      										while(1) {
      											_t251 =  *((intOrPtr*)( *((intOrPtr*)(E0041449C(_v8, _t292, _t368))) + 0x34))();
      											_t341 = _v36;
      											__eflags = _t251 -  *((intOrPtr*)(_t341 + 0xc));
      											if(_t251 !=  *((intOrPtr*)(_t341 + 0xc))) {
      												_t253 = E0041449C(_v8, _t292, _t368);
      												_t292 = 1;
      												_v16 = E00444AFC(_t253, 1,  *((intOrPtr*)(_v36 + 0xc)));
      											} else {
      												_v16 =  *((intOrPtr*)(E0041449C(_v8, _t292, _t368) + 0x34));
      											}
      											__eflags = _v16;
      											if(_v16 != 0) {
      												break;
      											}
      											_t368 = _t368 + 1;
      											_t291 = _t291 - 1;
      											__eflags = _t291;
      											if(_t291 != 0) {
      												continue;
      											} else {
      												goto L67;
      											}
      											goto L68;
      										}
      										_t257 = E00444B2C(E0041449C(_v8, _t292, _t368), 1,  *((intOrPtr*)(_v36 + 8)));
      										__eflags = _t257;
      										if(_t257 == 0) {
      											_t265 = E0041449C(_v8, 1, _t368);
      											__eflags = 0;
      											_t257 = E00444B2C(_t265, 0,  *((intOrPtr*)(_v36 + 0xc)));
      										}
      										_t348 =  *0x46b7bc; // 0x46cb48
      										_t56 =  *_t348 + 0x6c; // 0x2131e80
      										_t350 =  *_t56;
      										__eflags = _t350;
      										if(_t350 != 0) {
      											__eflags = _t257;
      											if(_t257 == 0) {
      												_t57 = _t350 + 0x158; // 0x0
      												_t257 =  *_t57;
      											}
      											__eflags =  *(_t350 + 0x228) & 0x00000008;
      											if(( *(_t350 + 0x228) & 0x00000008) == 0) {
      												_t351 =  *0x46b67c; // 0x46cb44
      												E00451A38( *_t351, _t291, _t257, _t368, _t370);
      											} else {
      												E00451AC0();
      											}
      										}
      									}
      								} else {
      									L67:
      									_push( *(_t370 + 8));
      									_push( *(_t370 + 4));
      									_push( *_t370);
      									_t144 =  *((intOrPtr*)(_v8 + 0x10));
      									_push(_t144);
      									L00406D94();
      									 *((intOrPtr*)(_t370 + 0xc)) = _t144;
      								}
      								L68:
      								_pop(_t306);
      								 *[fs:eax] = _t306;
      								_push(0x445d76);
      								return E004048D8( &_v52);
      							}
      						}
      					}
      				}
      				L69:
      			}

      APIs
      • SaveDC.GDI32(?), ref: 00445B0B
      • RestoreDC.GDI32(?,?), ref: 00445B7F
      • 7378B080.USER32(?,00000000,00445D6F), ref: 00445BF9
      • SaveDC.GDI32(?), ref: 00445C30
      • RestoreDC.GDI32(?,?), ref: 00445C9D
      • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00445D6F), ref: 00445D51
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: RestoreSave$7378B080NtdllProc_Window
      • String ID:
      • API String ID: 1084412598-0
      • Opcode ID: 051f5da74b0adfc5a7e7fc71adeffe088e1aab332110b1679cccc9978ddfd646
      • Instruction ID: 9d567d800dbd2131d1a226ab537104c531ffb24c83616d4e44e3273bfdd94d80
      • Opcode Fuzzy Hash: 051f5da74b0adfc5a7e7fc71adeffe088e1aab332110b1679cccc9978ddfd646
      • Instruction Fuzzy Hash: 19E13E74A00A09DFEF14DFAAC485A9EF7F5FF88304B258566E401A7362C638ED41CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0044AA44(intOrPtr __eax, struct HWND__** __edx) {
      				intOrPtr _v8;
      				int _v12;
      				intOrPtr _v16;
      				struct HDC__* _v20;
      				struct HWND__* _v24;
      				void* __ebp;
      				struct HWND__* _t92;
      				intOrPtr _t112;
      				intOrPtr _t115;
      				struct HWND__* _t121;
      				struct HWND__* _t124;
      				intOrPtr _t128;
      				struct HWND__* _t129;
      				intOrPtr _t130;
      				intOrPtr _t131;
      				struct HWND__* _t133;
      				struct HWND__* _t136;
      				intOrPtr _t142;
      				intOrPtr _t172;
      				struct HDC__* _t177;
      				struct HWND__** _t200;
      				struct HWND__* _t218;
      				struct HWND__* _t219;
      				intOrPtr _t228;
      				void* _t230;
      				void* _t231;
      				intOrPtr _t237;
      				intOrPtr _t245;
      				struct HWND__* _t249;
      				struct HWND__* _t250;
      				struct HWND__* _t255;
      				struct HWND__* _t256;
      				void* _t258;
      				void* _t260;
      				intOrPtr _t261;
      				void* _t263;
      				void* _t267;
      
      				_t258 = _t260;
      				_t261 = _t260 + 0xffffffec;
      				_t200 = __edx;
      				_v8 = __eax;
      				_t92 =  *__edx;
      				_t218 = _t92;
      				_t263 = _t218 - 0x46;
      				if(_t263 > 0) {
      					_t219 = _t218 - 0xb01a;
      					__eflags = _t219;
      					if(_t219 == 0) {
      						__eflags =  *(_v8 + 0xa0);
      						if(__eflags != 0) {
      							E00403D6C(_v8, __eflags);
      						}
      					} else {
      						__eflags = _t219 == 1;
      						if(_t219 == 1) {
      							__eflags =  *(_v8 + 0xa0);
      							if(__eflags != 0) {
      								E00403D6C(_v8, __eflags);
      							}
      						} else {
      							goto L41;
      						}
      					}
      					goto L43;
      				} else {
      					if(_t263 == 0) {
      						_t112 = _v8;
      						_t228 =  *0x44ae78; // 0x1
      						__eflags = _t228 - ( *(_t112 + 0x1c) &  *0x44ae74);
      						if(_t228 == ( *(_t112 + 0x1c) &  *0x44ae74)) {
      							_t115 = _v8;
      							__eflags =  *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff;
      							if( *((intOrPtr*)(_t115 + 0x230)) - 0xffffffffffffffff < 0) {
      								_t128 = _v8;
      								__eflags =  *((char*)(_t128 + 0x22b)) - 2;
      								if( *((char*)(_t128 + 0x22b)) != 2) {
      									_t129 = __edx[2];
      									_t26 = _t129 + 0x18;
      									 *_t26 =  *(_t129 + 0x18) | 0x00000002;
      									__eflags =  *_t26;
      								}
      							}
      							_t121 =  *((intOrPtr*)(_v8 + 0x230)) - 1;
      							__eflags = _t121;
      							if(_t121 == 0) {
      								L30:
      								_t124 =  *((intOrPtr*)(_v8 + 0x229)) - 2;
      								__eflags = _t124;
      								if(_t124 == 0) {
      									L32:
      									 *( *((intOrPtr*)(_t200 + 8)) + 0x18) =  *( *((intOrPtr*)(_t200 + 8)) + 0x18) | 0x00000001;
      								} else {
      									__eflags = _t124 == 3;
      									if(_t124 == 3) {
      										goto L32;
      									}
      								}
      							} else {
      								__eflags = _t121 == 2;
      								if(_t121 == 2) {
      									goto L30;
      								}
      							}
      						}
      						goto L43;
      					} else {
      						_t230 = _t218 + 0xfffffffa - 3;
      						if(_t230 < 0) {
      							__eflags =  *0x456c94;
      							if( *0x456c94 != 0) {
      								__eflags =  *__edx - 7;
      								if( *__edx != 7) {
      									goto L43;
      								} else {
      									_t130 = _v8;
      									__eflags =  *(_t130 + 0x1c) & 0x00000010;
      									if(( *(_t130 + 0x1c) & 0x00000010) != 0) {
      										goto L43;
      									} else {
      										_t255 = 0;
      										_t131 = _v8;
      										__eflags =  *((char*)(_t131 + 0x22f)) - 2;
      										if( *((char*)(_t131 + 0x22f)) != 2) {
      											_t133 =  *(_v8 + 0x220);
      											__eflags = _t133;
      											if(_t133 != 0) {
      												__eflags = _t133 - _v8;
      												if(_t133 != _v8) {
      													_t255 = E00437E18(_t133);
      												}
      											}
      										} else {
      											_t136 = E0044B370(_v8);
      											__eflags = _t136;
      											if(_t136 != 0) {
      												_t255 = E00437E18(E0044B370(_v8));
      											}
      										}
      										__eflags = _t255;
      										if(_t255 == 0) {
      											goto L43;
      										} else {
      											_t92 = SetFocus(_t255);
      										}
      									}
      								}
      							}
      							goto L44;
      						} else {
      							_t231 = _t230 - 0x22;
      							if(_t231 == 0) {
      								_v24 = __edx[2];
      								__eflags = _v24->i - 1;
      								if(_v24->i != 1) {
      									goto L43;
      								} else {
      									_t142 = _v8;
      									__eflags =  *(_t142 + 0x248);
      									if( *(_t142 + 0x248) == 0) {
      										goto L43;
      									} else {
      										_t249 = E00444AFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_v24 + 8)));
      										__eflags = _t249;
      										if(_t249 == 0) {
      											goto L43;
      										} else {
      											_v16 = E0041D8F8(0, 1);
      											_push(_t258);
      											_push(0x44acbd);
      											_push( *[fs:eax]);
      											 *[fs:eax] = _t261;
      											_v12 = SaveDC( *(_v24 + 0x18));
      											_push(_t258);
      											_push(0x44aca0);
      											_push( *[fs:eax]);
      											 *[fs:eax] = _t261;
      											E0041DEB4(_v16,  *(_v24 + 0x18));
      											E0041DD54(_v16);
      											E00446014(_t249, _v24 + 0x1c, _v16,  *((intOrPtr*)(_v24 + 0x10)));
      											_pop(_t237);
      											 *[fs:eax] = _t237;
      											_push(0x44aca7);
      											__eflags = 0;
      											E0041DEB4(_v16, 0);
      											return RestoreDC( *(_v24 + 0x18), _v12);
      										}
      									}
      								}
      							} else {
      								if(_t231 == 1) {
      									_t256 = __edx[2];
      									__eflags = _t256->i - 1;
      									if(_t256->i != 1) {
      										goto L43;
      									} else {
      										_t172 = _v8;
      										__eflags =  *(_t172 + 0x248);
      										if( *(_t172 + 0x248) == 0) {
      											goto L43;
      										} else {
      											_t250 = E00444AFC( *((intOrPtr*)(_v8 + 0x248)), 0,  *((intOrPtr*)(_t256 + 8)));
      											__eflags = _t250;
      											if(_t250 == 0) {
      												goto L43;
      											} else {
      												_t177 = E00437E18(_v8);
      												L00406F84();
      												_v20 = _t177;
      												 *[fs:eax] = _t261;
      												_v16 = E0041D8F8(0, 1);
      												 *[fs:eax] = _t261;
      												_v12 = SaveDC(_v20);
      												 *[fs:eax] = _t261;
      												E0041DEB4(_v16, _v20);
      												E0041DD54(_v16);
      												 *((intOrPtr*)(_t250->i + 0x38))(_t256 + 0x10,  *[fs:eax], 0x44ada7, _t258,  *[fs:eax], 0x44adc4, _t258,  *[fs:eax], 0x44adeb, _t258, _t177);
      												_pop(_t245);
      												 *[fs:eax] = _t245;
      												_push(0x44adae);
      												__eflags = 0;
      												E0041DEB4(_v16, 0);
      												return RestoreDC(_v20, _v12);
      											}
      										}
      									}
      								} else {
      									L41:
      									_t267 = _t92 -  *0x46cb50; // 0xc075
      									if(_t267 == 0) {
      										E004327D0(_v8, 0, 0xb025, 0);
      										E004327D0(_v8, 0, 0xb024, 0);
      										E004327D0(_v8, 0, 0xb035, 0);
      										E004327D0(_v8, 0, 0xb009, 0);
      										E004327D0(_v8, 0, 0xb008, 0);
      										E004327D0(_v8, 0, 0xb03d, 0);
      									}
      									L43:
      									_t92 = E0043582C(_v8, _t200);
      									L44:
      									return _t92;
      								}
      							}
      						}
      					}
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: RestoreSave$7378B080Focus
      • String ID:
      • API String ID: 1567250974-0
      • Opcode ID: 89fa0f0d4d91a934aa410302bd3c834cbc599e512b9c295449a72006b64b9c69
      • Instruction ID: 4f48ea31a6fa0cf83b4987a4dc533616a04af14ccce6ff5dd008ea2e041f7ade
      • Opcode Fuzzy Hash: 89fa0f0d4d91a934aa410302bd3c834cbc599e512b9c295449a72006b64b9c69
      • Instruction Fuzzy Hash: EEB1B474A40104DFEB14DF69C586AAFB3F2EF08704F6584A6F410AB351C738AE50CB5A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E00450DE8(void* __eax) {
      				struct HWND__* _t21;
      				intOrPtr* _t26;
      				signed int _t29;
      				intOrPtr* _t30;
      				int _t33;
      				intOrPtr _t36;
      				void* _t51;
      				int _t60;
      
      				_t51 = __eax;
      				_t21 = IsIconic( *(__eax + 0x30));
      				if(_t21 != 0) {
      					SetActiveWindow( *(_t51 + 0x30));
      					if( *((intOrPtr*)(_t51 + 0x44)) == 0 ||  *((char*)(_t51 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t51 + 0x44)) + 0x57)) == 0) {
      						L6:
      						E0044FD40( *(_t51 + 0x30), 9, __eflags);
      					} else {
      						_t60 = IsWindowEnabled(E00437E18( *((intOrPtr*)(_t51 + 0x44))));
      						if(_t60 == 0) {
      							goto L6;
      						} else {
      							_push(0);
      							_push(0xf120);
      							_push(0x112);
      							_push( *(_t51 + 0x30));
      							L00406D94();
      						}
      					}
      					_t26 =  *0x46b530; // 0x46c8f8
      					_t29 =  *((intOrPtr*)( *_t26))(1, 0, 0, 0x40) >> 1;
      					if(_t60 < 0) {
      						asm("adc eax, 0x0");
      					}
      					_t30 =  *0x46b530; // 0x46c8f8
      					_t33 =  *((intOrPtr*)( *_t30))(0, _t29) >> 1;
      					if(_t60 < 0) {
      						asm("adc eax, 0x0");
      					}
      					SetWindowPos( *(_t51 + 0x30), 0, _t33, ??, ??, ??, ??);
      					_t36 =  *((intOrPtr*)(_t51 + 0x44));
      					if(_t36 != 0 &&  *((char*)(_t36 + 0x22b)) == 1 &&  *((char*)(_t36 + 0x57)) == 0) {
      						E0044BA18(_t36, 0);
      						E0044DE3C( *((intOrPtr*)(_t51 + 0x44)));
      					}
      					E00450434(_t51);
      					_t21 =  *0x46cb48; // 0x2130e74
      					_t15 = _t21 + 0x64; // 0x2134aa4
      					_t55 =  *_t15;
      					if( *_t15 != 0) {
      						_t21 = SetFocus(E00437E18(_t55));
      					}
      					if( *((short*)(_t51 + 0x122)) != 0) {
      						return  *((intOrPtr*)(_t51 + 0x120))();
      					}
      				}
      				return _t21;
      			}

      APIs
      • IsIconic.USER32 ref: 00450DF0
      • SetActiveWindow.USER32(?,?,?,?,00450815,00000000,00450CD3), ref: 00450E01
      • IsWindowEnabled.USER32(00000000), ref: 00450E24
      • NtdllDefWindowProc_A.USER32(?,00000112,0000F120,00000000,00000000,?,?,?,?,00450815,00000000,00450CD3), ref: 00450E3D
      • SetWindowPos.USER32(?,00000000,00000000,?,?,00450815,00000000,00450CD3), ref: 00450E83
      • SetFocus.USER32(00000000,?,00000000,00000000,?,?,00450815,00000000,00450CD3), ref: 00450EC8
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$ActiveEnabledFocusIconicNtdllProc_
      • String ID:
      • API String ID: 3996302123-0
      • Opcode ID: 88a5a310b23f179d859cf50f1fbef575907af14263f574b33b8507a934354dcc
      • Instruction ID: 8ccc148c8f1d096736d0f22ff69425416809e5adc915f46e1d0536fb0e7d9ec0
      • Opcode Fuzzy Hash: 88a5a310b23f179d859cf50f1fbef575907af14263f574b33b8507a934354dcc
      • Instruction Fuzzy Hash: E2312F757042409BEB20AB69CC87B5A3798AF04705F1808AAFE40DF2D7D67DEC448759
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00437804(void* __eax, int __ecx, int __edx, int _a4, int _a8) {
      				void* _v20;
      				struct _WINDOWPLACEMENT _v48;
      				char _v64;
      				void* _t31;
      				int _t45;
      				int _t51;
      				void* _t52;
      				int _t56;
      				int _t58;
      
      				_t56 = __ecx;
      				_t58 = __edx;
      				_t52 = __eax;
      				if(__edx !=  *((intOrPtr*)(__eax + 0x40)) || __ecx !=  *((intOrPtr*)(__eax + 0x44)) || _a8 !=  *((intOrPtr*)(__eax + 0x48))) {
      					L4:
      					if(E0043811C(_t52) == 0) {
      						L7:
      						 *(_t52 + 0x40) = _t58;
      						 *(_t52 + 0x44) = _t56;
      						 *((intOrPtr*)(_t52 + 0x48)) = _a8;
      						 *((intOrPtr*)(_t52 + 0x4c)) = _a4;
      						_t31 = E0043811C(_t52);
      						__eflags = _t31;
      						if(_t31 != 0) {
      							_v48.length = 0x2c;
      							GetWindowPlacement( *(_t52 + 0x180),  &_v48);
      							E00430FBC(_t52,  &_v64);
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							SetWindowPlacement( *(_t52 + 0x180),  &_v48);
      						}
      						L9:
      						E00430C70(_t52);
      						return E00403D6C(_t52, _t66);
      					}
      					_t45 = IsIconic( *(_t52 + 0x180));
      					_t66 = _t45;
      					if(_t45 != 0) {
      						goto L7;
      					}
      					SetWindowPos( *(_t52 + 0x180), 0, _t58, _t56, _a8, _a4, 0x14);
      					goto L9;
      				} else {
      					_t51 = _a4;
      					if(_t51 ==  *((intOrPtr*)(__eax + 0x4c))) {
      						return _t51;
      					}
      					goto L4;
      				}
      			}

      APIs
      • IsIconic.USER32 ref: 00437843
      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00437861
      • GetWindowPlacement.USER32(?,0000002C), ref: 00437897
      • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004378BB
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$Placement$Iconic
      • String ID: ,
      • API String ID: 568898626-3772416878
      • Opcode ID: 6d19ddfc6e42aaa1f9b09c71d16d78231acab21901191c45fe94c016505a3cb9
      • Instruction ID: 142a6d770a674521eb170067fbf8e4c828f2f5faba7e8faaa3e207a9e9dbcd9e
      • Opcode Fuzzy Hash: 6d19ddfc6e42aaa1f9b09c71d16d78231acab21901191c45fe94c016505a3cb9
      • Instruction Fuzzy Hash: 3A214171A04208ABCF24EF6DC8C599A77A8AF0D314F04946AFD54EF346D775E904CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00422ECC(struct HWND__* _a4, signed int _a8) {
      				struct _WINDOWPLACEMENT _v48;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				signed int _t19;
      				struct HWND__* _t22;
      
      				_t19 = _a8;
      				_t22 = _a4;
      				if( *0x46c921 != 0) {
      					if((_t19 & 0x00000003) == 0) {
      						if(IsIconic(_t22) == 0) {
      							GetWindowRect(_t22,  &(_v48.rcNormalPosition));
      						} else {
      							GetWindowPlacement(_t22,  &_v48);
      						}
      						return E00422E3C( &(_v48.rcNormalPosition), _t19);
      					}
      					return 0x12340042;
      				}
      				 *0x46c8fc = E00422CC0(1, _t19, "MonitorFromWindow",  *0x46c8fc, _t22);
      				return  *0x46c8fc(_t22, _t19);
      			}










      APIs
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      • MonitorFromWindow.USER32(?,?), ref: 00422EFC
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressFromMonitorProcWindow
      • String ID: MonitorFromWindow
      • API String ID: 2184870004-2842599566
      • Opcode ID: f4d97818a95fe711d1813190c5fd1e756858527267e283103b4495daa7d9a6ad
      • Instruction ID: bea91e739fa0780ca038685e43877c9900138f0376f9887598b73d0ab256a406
      • Opcode Fuzzy Hash: f4d97818a95fe711d1813190c5fd1e756858527267e283103b4495daa7d9a6ad
      • Instruction Fuzzy Hash: B501A2716041297AC710EB51AE819FBB3AC9F05354B814027F865A3242E7BC9E02A7BE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E00450D38(void* __eax) {
      				struct HWND__* _t21;
      				void* _t40;
      
      				_t40 = __eax;
      				_t21 = IsIconic( *(__eax + 0x30));
      				if(_t21 == 0) {
      					E00450424();
      					SetActiveWindow( *(_t40 + 0x30));
      					if( *((intOrPtr*)(_t40 + 0x44)) == 0 ||  *((char*)(_t40 + 0x5b)) == 0 &&  *((char*)( *((intOrPtr*)(_t40 + 0x44)) + 0x57)) == 0 || IsWindowEnabled(E00437E18( *((intOrPtr*)(_t40 + 0x44)))) == 0) {
      						_t21 = E0044FD40( *(_t40 + 0x30), 6, __eflags);
      					} else {
      						_t43 =  *((intOrPtr*)(_t40 + 0x44));
      						SetWindowPos( *(_t40 + 0x30), E00437E18( *((intOrPtr*)(_t40 + 0x44))),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x40),  *( *((intOrPtr*)(_t40 + 0x44)) + 0x44),  *(_t43 + 0x48), 0, 0x40);
      						_push(0);
      						_push(0xf020);
      						_push(0x112);
      						_t21 =  *(_t40 + 0x30);
      						_push(_t21);
      						L00406D94();
      					}
      					if( *((short*)(_t40 + 0x11a)) != 0) {
      						return  *((intOrPtr*)(_t40 + 0x118))();
      					}
      				}
      				return _t21;
      			}






      APIs
      • IsIconic.USER32 ref: 00450D40
      • SetActiveWindow.USER32(?,?,?,?,00451484), ref: 00450D58
      • IsWindowEnabled.USER32(00000000), ref: 00450D7B
      • SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,00451484), ref: 00450DA4
      • NtdllDefWindowProc_A.USER32(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?), ref: 00450DB9
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$ActiveEnabledIconicNtdllProc_
      • String ID:
      • API String ID: 1720852555-0
      • Opcode ID: 6fd1644a67d1a0210af61e546b946bbe3030eb8050a86207d1c5016e0d0fb183
      • Instruction ID: f5469dbe84813134c5d684cb0d5dba89dc0a75f8940be094a434df06504a7677
      • Opcode Fuzzy Hash: 6fd1644a67d1a0210af61e546b946bbe3030eb8050a86207d1c5016e0d0fb183
      • Instruction Fuzzy Hash: 2411D0716002009BDB54EFA9C9C6B9737E8AF08345F0414AABE04DF29BD679FC488768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0042BDC8(void* __eax, void* __ebx, void* __edi, void* __esi) {
      				char _v8;
      				CHAR* _t20;
      				long _t25;
      				intOrPtr _t30;
      				void* _t34;
      				intOrPtr _t37;
      
      				_push(0);
      				_t34 = __eax;
      				_push(_t37);
      				_push(0x42be45);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t37;
      				E0042B828(__eax);
      				_t25 = GetTickCount();
      				do {
      					Sleep(0);
      				} while (GetTickCount() - _t25 <= 0x3e8);
      				E0042B428(_t34, _t25,  &_v8, 0, __edi, _t34);
      				if(_v8 != 0) {
      					_t20 = E00404D98(_v8);
      					WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x1c)))) + 0xc))(), _t20, 9, 0);
      				}
      				_pop(_t30);
      				 *[fs:eax] = _t30;
      				_push(0x42be4c);
      				return E004048D8( &_v8);
      			}










      APIs
        • Part of subcall function 0042B828: WinHelpA.USER32 ref: 0042B837
      • GetTickCount.KERNEL32 ref: 0042BDE6
      • Sleep.KERNEL32(00000000,00000000,0042BE45,?,?,00000000,00000000,?,0042BDBE), ref: 0042BDEF
      • GetTickCount.KERNEL32 ref: 0042BDF4
      • WinHelpA.USER32 ref: 0042BE2A
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CountHelpTick$Sleep
      • String ID:
      • API String ID: 2438605093-0
      • Opcode ID: a775950c82080626549b62edd62db4fc1a955b1c7ffdc58f616a4530ccede91e
      • Instruction ID: e33f99e21296c24fe32ac405ad3ba610c2783c0bc3a5ead65157321dd16c6b68
      • Opcode Fuzzy Hash: a775950c82080626549b62edd62db4fc1a955b1c7ffdc58f616a4530ccede91e
      • Instruction Fuzzy Hash: 8B018F30700214AFE311FB6ADC42B6E73E8DF89704F924476F505E66C2DB78AD0095A9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044FB78() {
      				struct tagPOINT _v12;
      				void* _t5;
      				long _t6;
      
      				 *0x46cb54 = GetCurrentThreadId();
      				L5:
      				_t5 =  *0x46cb58; // 0x0
      				_t6 = WaitForSingleObject(_t5, 0x64);
      				if(_t6 == 0x102) {
      					if( *0x46cb44 != 0 &&  *((intOrPtr*)( *0x46cb44 + 0x60)) != 0) {
      						GetCursorPos( &_v12);
      						if(E0042FE94( &_v12) == 0) {
      							E0045215C( *0x46cb44);
      						}
      					}
      					goto L5;
      				}
      				return _t6;
      			}







      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0044FB84
      • GetCursorPos.USER32(?), ref: 0044FBA1
      • WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0044FBC1
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CurrentCursorObjectSingleThreadWait
      • String ID:
      • API String ID: 1359611202-0
      • Opcode ID: 8e6975e78f7e00dad3a4f90f8a1aa30cdb93cf4deae3c9d42a8e8648b6410ebe
      • Instruction ID: 3307b4e3c94b7fc80d3f53fc498e6aa0241e34d88a66f1a92114bb91d362a592
      • Opcode Fuzzy Hash: 8e6975e78f7e00dad3a4f90f8a1aa30cdb93cf4deae3c9d42a8e8648b6410ebe
      • Instruction Fuzzy Hash: 46F0B432104354CBEB10EBAAEC96B5633A8DB01304F4000B7E140976D3E77EB958C65E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00436F50(intOrPtr* __eax, intOrPtr __edx) {
      				intOrPtr _v8;
      				void* __ecx;
      				void* _t25;
      				intOrPtr* _t31;
      				void* _t34;
      				intOrPtr* _t37;
      				void* _t45;
      
      				_v8 = __edx;
      				_t37 = __eax;
      				if(( *(_v8 + 4) & 0x0000fff0) != 0xf100 ||  *((short*)(_v8 + 8)) == 0x20 ||  *((short*)(_v8 + 8)) == 0x2d || IsIconic( *(__eax + 0x180)) != 0 || GetCapture() != 0) {
      					L8:
      					if(( *(_v8 + 4) & 0x0000fff0) != 0xf100) {
      						L10:
      						return  *((intOrPtr*)( *_t37 - 0x10))();
      					}
      					_t25 = E00436EA0(_t37, _t45);
      					if(_t25 == 0) {
      						goto L10;
      					}
      				} else {
      					_t31 =  *0x46b67c; // 0x46cb44
      					_t9 =  *_t31 + 0x44; // 0x2131e80
      					if(_t37 ==  *_t9) {
      						goto L8;
      					} else {
      						_t34 = E00448668(_t37);
      						_t44 = _t34;
      						if(_t34 == 0) {
      							goto L8;
      						} else {
      							_t25 = E004327D0(_t44, 0, 0xb017, _v8);
      							if(_t25 == 0) {
      								goto L8;
      							}
      						}
      					}
      				}
      				return _t25;
      			}











      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CaptureIconic
      • String ID:
      • API String ID: 2277910766-0
      • Opcode ID: c60cbe9ca65f2177fadf5dd975cd3f465a128026bb7c832ccea1575808f43986
      • Instruction ID: 6bdf39b1eb7b7b70fb14ad533833fa08823aaa64f0ba358e430d9587bf1dca5d
      • Opcode Fuzzy Hash: c60cbe9ca65f2177fadf5dd975cd3f465a128026bb7c832ccea1575808f43986
      • Instruction Fuzzy Hash: 37114F31700206EFDB20DB9AE98596AB3E4EF08304F26947BF404DB756DB78ED449758
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E0041E178(void* __ebx) {
      				char _v260;
      				char _v264;
      				long _t21;
      				void* _t22;
      				intOrPtr _t27;
      				void* _t32;
      
      				_v264 = 0;
      				_push(_t32);
      				_push(0x41e214);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t32 + 0xfffffefc;
      				_t21 = GetLastError();
      				if(_t21 == 0 || FormatMessageA(0x1000, 0, _t21, 0x400,  &_v260, 0x100, 0) == 0) {
      					E0041E124(_t22);
      				} else {
      					E00404B48( &_v264, 0x100,  &_v260);
      					E0040BE04(_v264, 1);
      					E004042EC();
      				}
      				_pop(_t27);
      				 *[fs:eax] = _t27;
      				_push(0x41e21b);
      				return E004048D8( &_v264);
      			}










      APIs
      • GetLastError.KERNEL32(00000000,0041E214), ref: 0041E198
      • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0041E214), ref: 0041E1BE
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ErrorFormatLastMessage
      • String ID:
      • API String ID: 3479602957-0
      • Opcode ID: b79ee083070b56a3e8f70f45dbfab71d3188b8151b68f87061e10e7460f95db4
      • Instruction ID: 239a93124edfeb2226ecf4fa2c44a483a5e97de9900a5b512c434030a024f723
      • Opcode Fuzzy Hash: b79ee083070b56a3e8f70f45dbfab71d3188b8151b68f87061e10e7460f95db4
      • Instruction Fuzzy Hash: A801AC742442055BD721EB628C92BE673BCEB48704F5144BBBB44A26C1DAF86DC4899D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 46%
      			E0040CC84(int __eax, void* __ebx, void* __eflags) {
      				char _v11;
      				char _v16;
      				intOrPtr _t28;
      				void* _t31;
      				void* _t33;
      
      				_t33 = __eflags;
      				_v16 = 0;
      				_push(_t31);
      				_push(0x40cce8);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t31 + 0xfffffff4;
      				GetLocaleInfoA(__eax, 0x1004,  &_v11, 7);
      				E00404B48( &_v16, 7,  &_v11);
      				_push(_v16);
      				E004088D4(7, GetACP(), _t33);
      				_pop(_t28);
      				 *[fs:eax] = _t28;
      				_push(E0040CCEF);
      				return E004048D8( &_v16);
      			}









      APIs
      • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040CCE8), ref: 0040CCAA
      • GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040CCE8), ref: 0040CCC3
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: 9b058a0f280dbd531dbb8fcee07effb0c78697e079fbed73726f6e42ee2569ca
      • Instruction ID: 7a152a0d8b7ce9094ccea42c5f69027743e07681634708d112d786943b51e68a
      • Opcode Fuzzy Hash: 9b058a0f280dbd531dbb8fcee07effb0c78697e079fbed73726f6e42ee2569ca
      • Instruction Fuzzy Hash: E8F0F671E08308BBEB00FBA2C85299DB3AAE7C5714F51C57AB210F36C0EA7C65008758
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00408D92(CHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
      				long _v8;
      				long _v12;
      				long _v16;
      				long _v20;
      				intOrPtr _v24;
      				signed int _v28;
      				CHAR* _v32;
      				CHAR* _t28;
      				int _t35;
      				intOrPtr _t40;
      				intOrPtr _t43;
      				intOrPtr* _t48;
      				intOrPtr* _t49;
      				intOrPtr _t53;
      				intOrPtr _t55;
      
      				_t28 = _a4;
      				if(_t28 == 0) {
      					_v32 = 0;
      				} else {
      					_v32 = _t28;
      				}
      				_t35 = GetDiskFreeSpaceA(_v32,  &_v8,  &_v12,  &_v16,  &_v20);
      				_v28 = _v8 * _v12;
      				_v24 = 0;
      				_t53 = _v24;
      				_t40 = E00405680(_v28, _t53, _v16, 0);
      				_t48 = _a8;
      				 *_t48 = _t40;
      				 *((intOrPtr*)(_t48 + 4)) = _t53;
      				_t55 = _v24;
      				_t43 = E00405680(_v28, _t55, _v20, 0);
      				_t49 = _a12;
      				 *_t49 = _t43;
      				 *((intOrPtr*)(_t49 + 4)) = _t55;
      				return _t35;
      			}



















      APIs
      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00408DC0
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: DiskFreeSpace
      • String ID:
      • API String ID: 1705453755-0
      • Opcode ID: f5d6ef1d38133ac507867b29813ec2c003a2cfb9db24315c5f5863d809c8e7fb
      • Instruction ID: fe7a92b60f937ea874c386583370a2a771513d2f7e278f83b3d94de81b1436ae
      • Opcode Fuzzy Hash: f5d6ef1d38133ac507867b29813ec2c003a2cfb9db24315c5f5863d809c8e7fb
      • Instruction Fuzzy Hash: D211FAB1E00109AFDB40CFA9C981DBFF7F9EF8C314B50856AA519E7250E6359A018BA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E00429488(intOrPtr __eax, intOrPtr* __edx) {
      				intOrPtr _v8;
      				intOrPtr _t12;
      				intOrPtr _t21;
      				intOrPtr _t22;
      				intOrPtr _t25;
      
      				_v8 = __eax;
      				_t22 =  *__edx;
      				_t26 = _t22 - 0x113;
      				if(_t22 != 0x113) {
      					_push( *((intOrPtr*)(__edx + 8)));
      					_push( *((intOrPtr*)(__edx + 4)));
      					_push(_t22);
      					_t12 =  *((intOrPtr*)(_v8 + 0x34));
      					_push(_t12);
      					L00406D94();
      					 *((intOrPtr*)(__edx + 0xc)) = _t12;
      					return _t12;
      				}
      				_push(0x4294c2);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t25;
      				E00403D6C(_v8, _t26);
      				_pop(_t21);
      				 *[fs:eax] = _t21;
      				return 0;
      			}









      APIs
      • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004294ED
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: NtdllProc_Window
      • String ID:
      • API String ID: 4255912815-0
      • Opcode ID: 8e7b6b7067e7fcb021eb96fb62cc71f1cc728ed39a56383a706017be58f0b6a7
      • Instruction ID: 8d8f69537ec3b688217af2f4d46c183d7bbe92228e5647b6f8f805d3ec9ce173
      • Opcode Fuzzy Hash: 8e7b6b7067e7fcb021eb96fb62cc71f1cc728ed39a56383a706017be58f0b6a7
      • Instruction Fuzzy Hash: D4F09076708214AF9B10DFAEE881C96BBECEF4A72079184B6F908D7641D275AD10CB74
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E004064FC(int __eax, void* __ebx, void* __eflags) {
      				char _v8;
      				char _v15;
      				char _v20;
      				intOrPtr _t29;
      				void* _t32;
      
      				_v20 = 0;
      				_push(_t32);
      				_push(0x406562);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t32 + 0xfffffff0;
      				GetLocaleInfoA(__eax, 0x1004,  &_v15, 7);
      				E00404B48( &_v20, 7,  &_v15);
      				E0040359C(_v20,  &_v8);
      				if(_v8 != 0) {
      				}
      				_pop(_t29);
      				 *[fs:eax] = _t29;
      				_push(E00406569);
      				return E004048D8( &_v20);
      			}









      APIs
      • GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406562), ref: 00406522
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: 0288798f4e14af2951222733280bd65a6c6dd719e34f07bf988b4cb5af5c4b36
      • Instruction ID: f5c271358e0f775210b176192ed5648615a4144a07b388cdfbcdf566fbb913a0
      • Opcode Fuzzy Hash: 0288798f4e14af2951222733280bd65a6c6dd719e34f07bf988b4cb5af5c4b36
      • Instruction Fuzzy Hash: 79F0C830A04309AFE715EEA1CC41AEEB37AF7C4714F41887AB110731D4E7786A14C648
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040B638(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
      				char _v260;
      				intOrPtr _t10;
      				void* _t18;
      
      				_t18 = __ecx;
      				_t10 = _a4;
      				if(GetLocaleInfoA(__eax, __edx,  &_v260, 0x100) <= 0) {
      					return E0040492C(_t10, _t18);
      				}
      				return E004049C8(_t10, _t5 - 1,  &_v260);
      			}







      APIs
      • GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B656
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: 07957efcaa9ec84a7c58a9a2face6a21399b12f88fab5edc8eb5dfcca6d4268f
      • Instruction ID: ac6b064f1aa1c416ff7ffd7bb800481caa10fa174d4bb5c5149fd0c67bd18d23
      • Opcode Fuzzy Hash: 07957efcaa9ec84a7c58a9a2face6a21399b12f88fab5edc8eb5dfcca6d4268f
      • Instruction Fuzzy Hash: 3CE092B170021456D310A5694C82EFB725CD758350F00427FBE05E73D2EEB59D9046ED
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0040B684(int __eax, char __ecx, int __edx) {
      				char _v16;
      				char _t5;
      				char _t6;
      
      				_push(__ecx);
      				_t6 = __ecx;
      				if(GetLocaleInfoA(__eax, __edx,  &_v16, 2) <= 0) {
      					_t5 = _t6;
      				} else {
      					_t5 = _v16;
      				}
      				return _t5;
      			}







      APIs
      • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040CF9A,00000000,0040D1B3,?,?,00000000,00000000), ref: 0040B697
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoLocale
      • String ID:
      • API String ID: 2299586839-0
      • Opcode ID: f5654324c3e3ff5cc12b8213d291869ffed1b2313387b7580131e80416e355de
      • Instruction ID: fdb4c47110e18f2adb0f5a0c1c39d71412f41dcf28c50de3c97e35da7f5fa900
      • Opcode Fuzzy Hash: f5654324c3e3ff5cc12b8213d291869ffed1b2313387b7580131e80416e355de
      • Instruction Fuzzy Hash: 2CD02E6230D2802AF210910A2D80DBB4B9CCAC63B4F00443AB949D2242C2298C0297BA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040A10C() {
      				struct _SYSTEMTIME* _t2;
      
      				GetLocalTime(_t2);
      				return _t2->wYear;
      			}





      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: LocalTime
      • String ID:
      • API String ID: 481472006-0
      • Opcode ID: 74b7452db2bd60c96858ff2a580ea05cada1b0f277ced08f110e188a09fa4f31
      • Instruction ID: a6080b8fe6888523362cb0e08cdb707594a1e85145f7821fd34bcd4a1c7c09e2
      • Opcode Fuzzy Hash: 74b7452db2bd60c96858ff2a580ea05cada1b0f277ced08f110e188a09fa4f31
      • Instruction Fuzzy Hash: 9FA0120840484141D54033180C031543040A801720FC44754A8B8203D1E92D0130859B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E00424B84(void* __ebx, void* __ecx) {
      				char _v5;
      				intOrPtr _t2;
      				intOrPtr _t6;
      				intOrPtr _t108;
      				intOrPtr _t111;
      
      				_t2 =  *0x46ca40; // 0x2131908
      				E0042497C(_t2);
      				_push(_t111);
      				_push(0x424f37);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t111;
      				 *0x46ca3c =  *0x46ca3c + 1;
      				if( *0x46ca38 == 0) {
      					 *0x46ca38 = LoadLibraryA("uxtheme.dll");
      					if( *0x46ca38 > 0) {
      						 *0x46c978 = GetProcAddress( *0x46ca38, "OpenThemeData");
      						 *0x46c97c = GetProcAddress( *0x46ca38, "CloseThemeData");
      						 *0x46c980 = GetProcAddress( *0x46ca38, "DrawThemeBackground");
      						 *0x46c984 = GetProcAddress( *0x46ca38, "DrawThemeText");
      						 *0x46c988 = GetProcAddress( *0x46ca38, "GetThemeBackgroundContentRect");
      						 *0x46c98c = GetProcAddress( *0x46ca38, "GetThemeBackgroundContentRect");
      						 *0x46c990 = GetProcAddress( *0x46ca38, "GetThemePartSize");
      						 *0x46c994 = GetProcAddress( *0x46ca38, "GetThemeTextExtent");
      						 *0x46c998 = GetProcAddress( *0x46ca38, "GetThemeTextMetrics");
      						 *0x46c99c = GetProcAddress( *0x46ca38, "GetThemeBackgroundRegion");
      						 *0x46c9a0 = GetProcAddress( *0x46ca38, "HitTestThemeBackground");
      						 *0x46c9a4 = GetProcAddress( *0x46ca38, "DrawThemeEdge");
      						 *0x46c9a8 = GetProcAddress( *0x46ca38, "DrawThemeIcon");
      						 *0x46c9ac = GetProcAddress( *0x46ca38, "IsThemePartDefined");
      						 *0x46c9b0 = GetProcAddress( *0x46ca38, "IsThemeBackgroundPartiallyTransparent");
      						 *0x46c9b4 = GetProcAddress( *0x46ca38, "GetThemeColor");
      						 *0x46c9b8 = GetProcAddress( *0x46ca38, "GetThemeMetric");
      						 *0x46c9bc = GetProcAddress( *0x46ca38, "GetThemeString");
      						 *0x46c9c0 = GetProcAddress( *0x46ca38, "GetThemeBool");
      						 *0x46c9c4 = GetProcAddress( *0x46ca38, "GetThemeInt");
      						 *0x46c9c8 = GetProcAddress( *0x46ca38, "GetThemeEnumValue");
      						 *0x46c9cc = GetProcAddress( *0x46ca38, "GetThemePosition");
      						 *0x46c9d0 = GetProcAddress( *0x46ca38, "GetThemeFont");
      						 *0x46c9d4 = GetProcAddress( *0x46ca38, "GetThemeRect");
      						 *0x46c9d8 = GetProcAddress( *0x46ca38, "GetThemeMargins");
      						 *0x46c9dc = GetProcAddress( *0x46ca38, "GetThemeIntList");
      						 *0x46c9e0 = GetProcAddress( *0x46ca38, "GetThemePropertyOrigin");
      						 *0x46c9e4 = GetProcAddress( *0x46ca38, "SetWindowTheme");
      						 *0x46c9e8 = GetProcAddress( *0x46ca38, "GetThemeFilename");
      						 *0x46c9ec = GetProcAddress( *0x46ca38, "GetThemeSysColor");
      						 *0x46c9f0 = GetProcAddress( *0x46ca38, "GetThemeSysColorBrush");
      						 *0x46c9f4 = GetProcAddress( *0x46ca38, "GetThemeSysBool");
      						 *0x46c9f8 = GetProcAddress( *0x46ca38, "GetThemeSysSize");
      						 *0x46c9fc = GetProcAddress( *0x46ca38, "GetThemeSysFont");
      						 *0x46ca00 = GetProcAddress( *0x46ca38, "GetThemeSysString");
      						 *0x46ca04 = GetProcAddress( *0x46ca38, "GetThemeSysInt");
      						 *0x46ca08 = GetProcAddress( *0x46ca38, "IsThemeActive");
      						 *0x46ca0c = GetProcAddress( *0x46ca38, "IsAppThemed");
      						 *0x46ca10 = GetProcAddress( *0x46ca38, "GetWindowTheme");
      						 *0x46ca14 = GetProcAddress( *0x46ca38, "EnableThemeDialogTexture");
      						 *0x46ca18 = GetProcAddress( *0x46ca38, "IsThemeDialogTextureEnabled");
      						 *0x46ca1c = GetProcAddress( *0x46ca38, "GetThemeAppProperties");
      						 *0x46ca20 = GetProcAddress( *0x46ca38, "SetThemeAppProperties");
      						 *0x46ca24 = GetProcAddress( *0x46ca38, "GetCurrentThemeName");
      						 *0x46ca28 = GetProcAddress( *0x46ca38, "GetThemeDocumentationProperty");
      						 *0x46ca2c = GetProcAddress( *0x46ca38, "DrawThemeParentBackground");
      						 *0x46ca30 = GetProcAddress( *0x46ca38, "EnableTheming");
      					}
      				}
      				_v5 =  *0x46ca38 > 0;
      				_pop(_t108);
      				 *[fs:eax] = _t108;
      				_push(0x424f3e);
      				_t6 =  *0x46ca40; // 0x2131908
      				return E00424984(_t6);
      			}








      APIs
      • LoadLibraryA.KERNEL32(uxtheme.dll,00000000,00424F37), ref: 00424BBA
      • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 00424BD2
      • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 00424BE4
      • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 00424BF6
      • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 00424C08
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00424C1A
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 00424C2C
      • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 00424C3E
      • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 00424C50
      • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 00424C62
      • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 00424C74
      • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 00424C86
      • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 00424C98
      • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 00424CAA
      • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 00424CBC
      • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 00424CCE
      • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 00424CE0
      • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 00424CF2
      • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 00424D04
      • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 00424D16
      • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 00424D28
      • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 00424D3A
      • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 00424D4C
      • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 00424D5E
      • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 00424D70
      • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 00424D82
      • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 00424D94
      • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 00424DA6
      • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00424DB8
      • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 00424DCA
      • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 00424DDC
      • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 00424DEE
      • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 00424E00
      • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 00424E12
      • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 00424E24
      • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 00424E36
      • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 00424E48
      • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00424E5A
      • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 00424E6C
      • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 00424E7E
      • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 00424E90
      • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 00424EA2
      • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 00424EB4
      • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 00424EC6
      • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 00424ED8
      • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 00424EEA
      • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 00424EFC
      • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 00424F0E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressProc$LibraryLoad
      • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
      • API String ID: 2238633743-2910565190
      • Opcode ID: 479414085f6acfd30a1776503b3281ffec02c6e744a7f6be8cb7fb6ffe6765c4
      • Instruction ID: d4031b9f0c29ed98ed8eb9e9f8a3878f39e7f6490e9749554a558af60323eee4
      • Opcode Fuzzy Hash: 479414085f6acfd30a1776503b3281ffec02c6e744a7f6be8cb7fb6ffe6765c4
      • Instruction Fuzzy Hash: 85A110B0B51661AFDB10FBA9EC82A3537E8EB0A7043515577F401EF295E6B89810CF1E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 52%
      			E0041E3C4(struct HDC__* __eax, void* __ebx, int __ecx, int __edx, void* __edi, void* __esi, int _a4, int _a8, struct HDC__* _a12, int _a16, int _a20, int _a24, int _a28, struct HDC__* _a32, int _a36, int _a40) {
      				int _v8;
      				int _v12;
      				char _v13;
      				struct HDC__* _v20;
      				void* _v24;
      				void* _v28;
      				long _v32;
      				long _v36;
      				intOrPtr _v40;
      				intOrPtr* _t78;
      				intOrPtr _t87;
      				struct HDC__* _t88;
      				intOrPtr _t91;
      				struct HDC__* _t92;
      				struct HDC__* _t135;
      				int _t162;
      				intOrPtr _t169;
      				intOrPtr _t171;
      				struct HDC__* _t173;
      				int _t175;
      				void* _t177;
      				void* _t178;
      				intOrPtr _t179;
      
      				_t177 = _t178;
      				_t179 = _t178 + 0xffffffdc;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t173 = __eax;
      				_t175 = _a16;
      				_t162 = _a20;
      				_v13 = 1;
      				_t78 =  *0x46b7d8; // 0x4560e8
      				if( *_t78 != 2 || _t162 != _a40 || _t175 != _a36) {
      					_v40 = 0;
      					_push(0);
      					L00406B8C();
      					_v20 = E0041E220(0);
      					_push(_t177);
      					_push(0x41e644);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t179;
      					_push(_t175);
      					_push(_t162);
      					_push(_a32);
      					L00406B84();
      					_v24 = E0041E220(_a32);
      					_v28 = SelectObject(_v20, _v24);
      					_push(0);
      					_t87 =  *0x46c88c; // 0x4f080689
      					_push(_t87);
      					_t88 = _a32;
      					_push(_t88);
      					L00406CB4();
      					_v40 = _t88;
      					_push(0);
      					_push(_v40);
      					_push(_a32);
      					L00406CB4();
      					if(_v40 == 0) {
      						_push(0xffffffff);
      						_t91 =  *0x46c88c; // 0x4f080689
      						_push(_t91);
      						_t92 = _v20;
      						_push(_t92);
      						L00406CB4();
      						_v40 = _t92;
      					} else {
      						_push(0xffffffff);
      						_push(_v40);
      						_t135 = _v20;
      						_push(_t135);
      						L00406CB4();
      						_v40 = _t135;
      					}
      					_push(_v20);
      					L00406C8C();
      					StretchBlt(_v20, 0, 0, _t162, _t175, _a12, _a8, _a4, _t162, _t175, 0xcc0020);
      					StretchBlt(_v20, 0, 0, _t162, _t175, _a32, _a28, _a24, _t162, _t175, 0x440328);
      					_v32 = SetTextColor(_t173, 0);
      					_v36 = SetBkColor(_t173, 0xffffff);
      					StretchBlt(_t173, _v8, _v12, _a40, _a36, _a12, _a8, _a4, _t162, _t175, 0x8800c6);
      					StretchBlt(_t173, _v8, _v12, _a40, _a36, _v20, 0, 0, _t162, _t175, 0x660046);
      					SetTextColor(_t173, _v32);
      					SetBkColor(_t173, _v36);
      					if(_v28 != 0) {
      						SelectObject(_v20, _v28);
      					}
      					DeleteObject(_v24);
      					_pop(_t169);
      					 *[fs:eax] = _t169;
      					_push(0x41e64b);
      					if(_v40 != 0) {
      						_push(0);
      						_push(_v40);
      						_push(_v20);
      						L00406CB4();
      					}
      					return DeleteDC(_v20);
      				} else {
      					_push(1);
      					_push(1);
      					_push(_a32);
      					L00406B84();
      					_v24 = E0041E220(_a32);
      					_v24 = SelectObject(_a12, _v24);
      					_push(_t177);
      					_push(0x41e497);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t179;
      					MaskBlt(_t173, _v8, _v12, _a40, _a36, _a32, _a28, _a24, _v24, _a8, _a4, E0040725C(0xaa0029, 0xcc0020));
      					_pop(_t171);
      					 *[fs:eax] = _t171;
      					_push(0x41e64b);
      					_v24 = SelectObject(_a12, _v24);
      					return DeleteObject(_v24);
      				}
      			}


























      APIs
      • 7378A520.GDI32(?,00000001,00000001), ref: 0041E407
      • SelectObject.GDI32(?,?), ref: 0041E41C
      • MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0041E497,?,?), ref: 0041E46B
      • SelectObject.GDI32(?,?), ref: 0041E485
      • DeleteObject.GDI32(?), ref: 0041E491
      • 7378A590.GDI32(00000000), ref: 0041E4A5
      • 7378A520.GDI32(?,?,?,00000000,0041E644,?,00000000), ref: 0041E4C6
      • SelectObject.GDI32(?,?), ref: 0041E4DB
      • 7378B410.GDI32(?,4F080689,00000000,?,?,?,?,?,00000000,0041E644,?,00000000), ref: 0041E4EF
      • 7378B410.GDI32(?,?,00000000,?,4F080689,00000000,?,?,?,?,?,00000000,0041E644,?,00000000), ref: 0041E501
      • 7378B410.GDI32(?,00000000,000000FF,?,?,00000000,?,4F080689,00000000,?,?,?,?,?,00000000,0041E644), ref: 0041E516
      • 7378B410.GDI32(?,4F080689,000000FF,?,?,00000000,?,4F080689,00000000,?,?,?,?,?,00000000,0041E644), ref: 0041E52C
      • 7378B150.GDI32(?,?,4F080689,000000FF,?,?,00000000,?,4F080689,00000000,?,?,?,?,?,00000000), ref: 0041E538
      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0041E55A
      • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0041E57C
      • SetTextColor.GDI32(?,00000000), ref: 0041E584
      • SetBkColor.GDI32(?,00FFFFFF), ref: 0041E592
      • StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0041E5BE
      • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041E5E3
      • SetTextColor.GDI32(?,?), ref: 0041E5ED
      • SetBkColor.GDI32(?,?), ref: 0041E5F7
      • SelectObject.GDI32(?,00000000), ref: 0041E60A
      • DeleteObject.GDI32(?), ref: 0041E613
      • 7378B410.GDI32(?,00000000,00000000,0041E64B,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0041E635
      • DeleteDC.GDI32(?), ref: 0041E63E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$Object$B410$ColorSelectStretch$Delete$A520Text$A590B150Mask
      • String ID: `E
      • API String ID: 2689844912-2272938532
      • Opcode ID: 3e15a4943359e9f3ecb98942dad21a09bd7268da0f8010a91cc3fe01d971ac26
      • Instruction ID: 24fafe4f187de7e52addb30205e04efb5f17940355a9e404386ab5096df897f5
      • Opcode Fuzzy Hash: 3e15a4943359e9f3ecb98942dad21a09bd7268da0f8010a91cc3fe01d971ac26
      • Instruction Fuzzy Hash: A78193B1A04209AFDB50EFA9CD81EAF77FCEB0C714F114559FA18E7281C239A9508B65
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040E31C() {
      				struct HINSTANCE__* _v8;
      				intOrPtr _t46;
      				void* _t91;
      
      				_v8 = GetModuleHandleA("oleaut32.dll");
      				 *0x46c7a0 = E0040E2E4("VariantChangeTypeEx", E0040DE80, _t91);
      				 *0x46c7a4 = E0040E2E4("VarNeg", E0040DEB0, _t91);
      				 *0x46c7a8 = E0040E2E4("VarNot", E0040DEB0, _t91);
      				 *0x46c7ac = E0040E2E4("VarAdd", E0040DEBC, _t91);
      				 *0x46c7b0 = E0040E2E4("VarSub", E0040DEBC, _t91);
      				 *0x46c7b4 = E0040E2E4("VarMul", E0040DEBC, _t91);
      				 *0x46c7b8 = E0040E2E4("VarDiv", E0040DEBC, _t91);
      				 *0x46c7bc = E0040E2E4("VarIdiv", E0040DEBC, _t91);
      				 *0x46c7c0 = E0040E2E4("VarMod", E0040DEBC, _t91);
      				 *0x46c7c4 = E0040E2E4("VarAnd", E0040DEBC, _t91);
      				 *0x46c7c8 = E0040E2E4("VarOr", E0040DEBC, _t91);
      				 *0x46c7cc = E0040E2E4("VarXor", E0040DEBC, _t91);
      				 *0x46c7d0 = E0040E2E4("VarCmp", E0040DEC8, _t91);
      				 *0x46c7d4 = E0040E2E4("VarI4FromStr", E0040DED4, _t91);
      				 *0x46c7d8 = E0040E2E4("VarR4FromStr", E0040DF40, _t91);
      				 *0x46c7dc = E0040E2E4("VarR8FromStr", E0040DFAC, _t91);
      				 *0x46c7e0 = E0040E2E4("VarDateFromStr", E0040E018, _t91);
      				 *0x46c7e4 = E0040E2E4("VarCyFromStr", E0040E084, _t91);
      				 *0x46c7e8 = E0040E2E4("VarBoolFromStr", E0040E0F0, _t91);
      				 *0x46c7ec = E0040E2E4("VarBstrFromCy", E0040E170, _t91);
      				 *0x46c7f0 = E0040E2E4("VarBstrFromDate", E0040E1E0, _t91);
      				_t46 = E0040E2E4("VarBstrFromBool", E0040E250, _t91);
      				 *0x46c7f4 = _t46;
      				return _t46;
      			}






      APIs
      • GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040E325
        • Part of subcall function 0040E2E4: GetProcAddress.KERNEL32(00000000), ref: 0040E302
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
      • API String ID: 1646373207-1918263038
      • Opcode ID: c8a8a07fdba941eccbc54199c6f657b234d0b44eab02e480c51f5dd3748f2949
      • Instruction ID: 09fc8788dcc2097c173e65a0789e62d1638ab119154da0915f2e4a0d111d4767
      • Opcode Fuzzy Hash: c8a8a07fdba941eccbc54199c6f657b234d0b44eab02e480c51f5dd3748f2949
      • Instruction Fuzzy Hash: 2D4148A1A042156BD3087BAF784142673C9E6847193A4CC7FF450BB7C0EF78AC608E6E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E00420340(void* __eax, long __ecx, intOrPtr __edx) {
      				void* _v8;
      				intOrPtr _v12;
      				struct HDC__* _v16;
      				struct HDC__* _v20;
      				char _v21;
      				void* _v28;
      				void* _v32;
      				intOrPtr _v92;
      				intOrPtr _v96;
      				int _v108;
      				int _v112;
      				void _v116;
      				void* _t64;
      				int _t65;
      				intOrPtr _t66;
      				long _t77;
      				void* _t107;
      				intOrPtr _t116;
      				intOrPtr _t117;
      				long _t120;
      				intOrPtr _t123;
      				void* _t127;
      				void* _t129;
      				intOrPtr _t130;
      
      				_t127 = _t129;
      				_t130 = _t129 + 0xffffff90;
      				_t120 = __ecx;
      				_t123 = __edx;
      				_t107 = __eax;
      				_v8 = 0;
      				if(__eax == 0 || GetObjectA(__eax, 0x54,  &_v116) == 0) {
      					return _v8;
      				} else {
      					E0041F834(_t107);
      					_v12 = 0;
      					_v20 = 0;
      					_push(_t127);
      					_push(0x42053b);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t130;
      					_push(0);
      					L00406E84();
      					_v12 = E0041E220(0);
      					_push(_v12);
      					L00406B8C();
      					_v20 = E0041E220(_v12);
      					_push(0);
      					_push(1);
      					_push(1);
      					_push(_v108);
      					_t64 = _v112;
      					_push(_t64);
      					L00406B74();
      					_v8 = _t64;
      					if(_v8 == 0) {
      						L17:
      						_t65 = 0;
      						_pop(_t116);
      						 *[fs:eax] = _t116;
      						_push(0x420542);
      						if(_v20 != 0) {
      							_t65 = DeleteDC(_v20);
      						}
      						if(_v12 != 0) {
      							_t66 = _v12;
      							_push(_t66);
      							_push(0);
      							L004070C4();
      							return _t66;
      						}
      						return _t65;
      					} else {
      						_v32 = SelectObject(_v20, _v8);
      						if(__ecx != 0x1fffffff) {
      							_push(_v12);
      							L00406B8C();
      							_v16 = E0041E220(_v12);
      							_push(_t127);
      							_push(0x4204f3);
      							_push( *[fs:eax]);
      							 *[fs:eax] = _t130;
      							if(_v96 == 0) {
      								_v21 = 0;
      							} else {
      								_v21 = 1;
      								_v92 = 0;
      								_t107 = E0041FC78(_t107, _t123, _t123, 0,  &_v116);
      							}
      							_v28 = SelectObject(_v16, _t107);
      							if(_t123 != 0) {
      								_push(0);
      								_push(_t123);
      								_push(_v16);
      								L00406CB4();
      								_push(_v16);
      								L00406C8C();
      								_push(0);
      								_push(_t123);
      								_push(_v20);
      								L00406CB4();
      								_push(_v20);
      								L00406C8C();
      							}
      							_t77 = SetBkColor(_v16, _t120);
      							_push(0xcc0020);
      							_push(0);
      							_push(0);
      							_push(_v16);
      							_push(_v108);
      							_push(_v112);
      							_push(0);
      							_push(0);
      							_push(_v20);
      							L00406B6C();
      							SetBkColor(_v16, _t77);
      							if(_v28 != 0) {
      								SelectObject(_v16, _v28);
      							}
      							if(_v21 != 0) {
      								DeleteObject(_t107);
      							}
      							_pop(_t117);
      							 *[fs:eax] = _t117;
      							_push(0x4204fa);
      							return DeleteDC(_v16);
      						} else {
      							PatBlt(_v20, 0, 0, _v112, _v108, 0x42);
      							if(_v32 != 0) {
      								SelectObject(_v20, _v32);
      							}
      							goto L17;
      						}
      					}
      				}
      			}



























      APIs
      • GetObjectA.GDI32(?,00000054,?), ref: 00420363
      • 7378AC50.USER32(00000000,00000000,0042053B,?,?,00000054,?), ref: 00420391
      • 7378A590.GDI32(?,00000000,00000000,0042053B,?,?,00000054,?), ref: 004203A2
      • 7378A410.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,0042053B,?,?,00000054,?), ref: 004203BD
      • SelectObject.GDI32(?,00000000), ref: 004203D7
      • PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004203F9
      • 7378A590.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,0042053B,?,?,00000054,?), ref: 00420407
      • SelectObject.GDI32(?), ref: 0042044F
      • 7378B410.GDI32(?,?,00000000,?,?,00000000,004204F3,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 00420462
      • 7378B150.GDI32(?,?,?,00000000,?,?,00000000,004204F3,?,?,?,00000000,?,?,00000001,00000001), ref: 0042046B
      • 7378B410.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,004204F3,?,?,?,00000000,?), ref: 00420477
      • 7378B150.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,004204F3,?,?,?,00000000), ref: 00420480
      • SetBkColor.GDI32(?), ref: 0042048A
      • 737997E0.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,004204F3), ref: 004204AE
      • SetBkColor.GDI32(?,00000000), ref: 004204B8
      • SelectObject.GDI32(?,00000000), ref: 004204CB
      • DeleteObject.GDI32 ref: 004204D7
      • DeleteDC.GDI32(?), ref: 004204ED
      • SelectObject.GDI32(?,00000000), ref: 00420508
      • DeleteDC.GDI32(00000000), ref: 00420524
      • 7378B380.USER32(00000000,00000000,00420542,00000001,00000000,?,00000000,00000000,0042053B,?,?,00000054,?), ref: 00420535
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$Object$Select$Delete$A590B150B410Color$737997A410B380
      • String ID:
      • API String ID: 2769308743-0
      • Opcode ID: 24ca239afbac552e561edab304dc03cdb0b99dce29339b4fbadf10d669f00e36
      • Instruction ID: ad2c4d5129dd3a5c09ab742c3bac2f79c09cfbac04a263bf5ba477cf52eab05a
      • Opcode Fuzzy Hash: 24ca239afbac552e561edab304dc03cdb0b99dce29339b4fbadf10d669f00e36
      • Instruction Fuzzy Hash: D6515F71E04215AFEB10EBE9DC45FAFB7FCEB08304F51446AB605E7282C67999408B68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E00421064(intOrPtr __eax, void* __ebx, void* __ecx, intOrPtr* __edx, void* __edi, void* __esi, char* _a4) {
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				void* _v16;
      				struct HDC__* _v20;
      				char _v24;
      				intOrPtr* _v28;
      				intOrPtr _v32;
      				char _v36;
      				signed int _v37;
      				intOrPtr _v44;
      				void* _v48;
      				struct HDC__* _v52;
      				intOrPtr _v56;
      				intOrPtr* _v60;
      				intOrPtr* _v64;
      				short _v66;
      				short _v68;
      				signed short _v70;
      				signed short _v72;
      				void* _v76;
      				intOrPtr _v172;
      				char _v174;
      				intOrPtr _t150;
      				signed int _t160;
      				intOrPtr _t163;
      				void* _t166;
      				void* _t174;
      				void* _t183;
      				signed int _t188;
      				intOrPtr _t189;
      				struct HDC__* _t190;
      				struct HDC__* _t204;
      				signed int _t208;
      				signed short _t214;
      				intOrPtr _t241;
      				intOrPtr* _t245;
      				intOrPtr _t251;
      				char* _t278;
      				intOrPtr _t289;
      				intOrPtr _t290;
      				intOrPtr _t295;
      				signed int _t297;
      				signed int _t317;
      				void* _t319;
      				void* _t320;
      				signed int _t321;
      				void* _t322;
      				void* _t323;
      				void* _t324;
      				intOrPtr _t325;
      
      				_t316 = __edi;
      				_t323 = _t324;
      				_t325 = _t324 + 0xffffff54;
      				_t319 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_v52 = 0;
      				_v44 = 0;
      				_v60 = 0;
      				_t278 =  &_v36;
      				 *((intOrPtr*)( *_v12 + 0xc))(__edi, __esi, __ebx, _t322);
      				_v37 = _v36 == 0xc;
      				if(_v37 != 0) {
      					_v36 = 0x28;
      				}
      				_v28 = E00402A68(_v36 + 0x40c, 4, _t278);
      				_v64 = _v28;
      				_push(_t323);
      				_push(0x421581);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				_push(_t323);
      				_push(0x421554);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				if(_v37 == 0) {
      					 *((intOrPtr*)( *_v12 + 0xc))();
      					_t320 = _t319 - _v36;
      					_t150 =  *((intOrPtr*)(_v64 + 0x10));
      					if(_t150 != 3 && _t150 != 0) {
      						_v60 = E00403B34(1);
      						if(_a4 == 0) {
      							E00403458( &_v174, 0xe);
      							_v174 = 0x4d42;
      							_v172 = _v36 + _t320;
      							_a4 =  &_v174;
      						}
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						 *((intOrPtr*)( *_v60 + 0x10))();
      						E00416410(_v60,  *_v60, _v36 - 4, _v12, _t316, _t320, _t320, 0);
      						 *((intOrPtr*)( *_v60 + 0x14))();
      						_v12 = _v60;
      					}
      				} else {
      					 *((intOrPtr*)( *_v12 + 0xc))();
      					_t251 = _v64;
      					E00403458(_t251, 0x28);
      					_t241 = _t251;
      					 *(_t241 + 4) = _v72 & 0x0000ffff;
      					 *(_t241 + 8) = _v70 & 0x0000ffff;
      					 *((short*)(_t241 + 0xc)) = _v68;
      					 *((short*)(_t241 + 0xe)) = _v66;
      					_t320 = _t319 - 0xc;
      				}
      				_t245 = _v64;
      				 *_t245 = _v36;
      				_v32 = _v28 + _v36;
      				if( *((short*)(_t245 + 0xc)) != 1) {
      					E0041E10C();
      				}
      				if(_v36 == 0x28) {
      					_t214 =  *(_t245 + 0xe);
      					if(_t214 == 0x10 || _t214 == 0x20) {
      						if( *((intOrPtr*)(_t245 + 0x10)) == 3) {
      							E004163A0(_v12, 0xc, _v32);
      							_v32 = _v32 + 0xc;
      							_t320 = _t320 - 0xc;
      						}
      					}
      				}
      				if( *(_t245 + 0x20) == 0) {
      					 *(_t245 + 0x20) = E0041E390( *(_t245 + 0xe));
      				}
      				_t317 = _v37 & 0x000000ff;
      				_t257 =  *(_t245 + 0x20) * 0;
      				E004163A0(_v12,  *(_t245 + 0x20) * 0, _v32);
      				_t321 = _t320 -  *(_t245 + 0x20) * 0;
      				if( *(_t245 + 0x14) == 0) {
      					_t297 =  *(_t245 + 0xe) & 0x0000ffff;
      					_t208 = E0041E3B0( *((intOrPtr*)(_t245 + 4)), 0x20, _t297);
      					asm("cdq");
      					_t257 = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
      					 *(_t245 + 0x14) = _t208 * (( *(_t245 + 8) ^ _t297) - _t297);
      				}
      				_t160 =  *(_t245 + 0x14);
      				if(_t321 > _t160) {
      					_t321 = _t160;
      				}
      				if(_v37 != 0) {
      					_t160 = E0041E658(_v32);
      				}
      				_push(0);
      				L00406E84();
      				_v16 = E0041E220(_t160);
      				_push(_t323);
      				_push(0x4214cf);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t325;
      				_t163 =  *((intOrPtr*)(_v64 + 0x10));
      				if(_t163 == 0 || _t163 == 3) {
      					if( *0x456468 == 0) {
      						_push(0);
      						_push(0);
      						_push( &_v24);
      						_push(0);
      						_push(_v28);
      						_t166 = _v16;
      						_push(_t166);
      						L00406B94();
      						_v44 = _t166;
      						if(_v44 == 0 || _v24 == 0) {
      							if(GetLastError() != 0) {
      								E0040D268(_t245, _t257, _t317, _t321);
      							} else {
      								E0041E10C();
      							}
      						}
      						_push(_t323);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t325;
      						E004163A0(_v12, _t321, _v24);
      						_pop(_t289);
      						 *[fs:eax] = _t289;
      						_t290 = 0x42149e;
      						 *[fs:eax] = _t290;
      						_push(0x4214d6);
      						_t174 = _v16;
      						_push(_t174);
      						_push(0);
      						L004070C4();
      						return _t174;
      					} else {
      						goto L27;
      					}
      				} else {
      					L27:
      					_v20 = 0;
      					_v24 = E00402A68(_t321, _t257, 0);
      					_push(_t323);
      					_push(0x421437);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t325;
      					_t263 = _t321;
      					E004163A0(_v12, _t321, _v24);
      					_push(_v16);
      					L00406B8C();
      					_v20 = E0041E220(_v16);
      					_push(1);
      					_push(1);
      					_t183 = _v16;
      					_push(_t183);
      					L00406B84();
      					_v48 = SelectObject(_v20, _t183);
      					_v56 = 0;
      					_t188 =  *(_v64 + 0x20);
      					if(_t188 > 0) {
      						_t263 = _t188;
      						_v52 = E0041E91C(0, _t188);
      						_push(0);
      						_push(_v52);
      						_t204 = _v20;
      						_push(_t204);
      						L00406CB4();
      						_v56 = _t204;
      						_push(_v20);
      						L00406C8C();
      					}
      					_push(_t323);
      					_push(0x42140b);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t325;
      					_push(0);
      					_t189 = _v28;
      					_push(_t189);
      					_push(_v24);
      					_push(4);
      					_push(_t189);
      					_t190 = _v20;
      					_push(_t190);
      					L00406B9C();
      					_v44 = _t190;
      					if(_v44 == 0) {
      						if(GetLastError() != 0) {
      							E0040D268(_t245, _t263, _t317, _t321);
      						} else {
      							E0041E10C();
      						}
      					}
      					_pop(_t295);
      					 *[fs:eax] = _t295;
      					_push(0x421412);
      					if(_v56 != 0) {
      						_push(0xffffffff);
      						_push(_v56);
      						_push(_v20);
      						L00406CB4();
      					}
      					return DeleteObject(SelectObject(_v20, _v48));
      				}
      			}


      APIs
      • 7378AC50.USER32(00000000,?,00000000,00421581,?,?), ref: 004212CE
      • 7378A590.GDI32(00000001,00000000,00421437,?,00000000,004214CF,?,00000000,?,00000000,00421581,?,?), ref: 00421333
      • 7378A520.GDI32(00000001,00000001,00000001,00000001,00000000,00421437,?,00000000,004214CF,?,00000000,?,00000000,00421581,?,?), ref: 00421348
      • SelectObject.GDI32(?,00000000), ref: 00421352
      • 7378B410.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00421437,?,00000000,004214CF,?,00000000), ref: 00421382
      • 7378B150.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,00421437,?,00000000,004214CF), ref: 0042138E
      • 7378A7F0.GDI32(?,?,00000004,00000000,?,00000000,00000000,0042140B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004213B2
      • GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042140B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 004213C0
      • 7378B410.GDI32(?,00000000,000000FF,00421412,00000000,?,00000000,00000000,0042140B,?,?,00000000,00000001,00000001,00000001,00000001), ref: 004213F2
      • SelectObject.GDI32(?,?), ref: 004213FF
      • DeleteObject.GDI32(00000000), ref: 00421405
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$Object$B410Select$A520A590B150DeleteErrorLast
      • String ID: ($BM$x(A
      • API String ID: 929566397-3213120183
      • Opcode ID: 816f0c5239eb3834bd897dfcc23be836caf1bfeadcd6b40001dac5f867c72d1b
      • Instruction ID: 5a0639d66de9f38e9790a3819161d19ef312b426a5b6b14e4a087fdf39675f80
      • Opcode Fuzzy Hash: 816f0c5239eb3834bd897dfcc23be836caf1bfeadcd6b40001dac5f867c72d1b
      • Instruction Fuzzy Hash: 92D14C74A002189FDF04DFA9D885AAEBBF5EF48304F51846AF905E7395D7389840CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E00453644(intOrPtr __eax, char __edx) {
      				intOrPtr _v8;
      				char _v9;
      				intOrPtr* _v16;
      				intOrPtr* _v20;
      				intOrPtr* _v24;
      				intOrPtr _v28;
      				char _v44;
      				char _v60;
      				void* __edi;
      				void* __ebp;
      				signed int _t170;
      				signed int _t176;
      				void* _t209;
      				void* _t213;
      				intOrPtr _t218;
      				intOrPtr _t241;
      				void* _t254;
      				void* _t325;
      				void* _t345;
      				void* _t361;
      				void* _t368;
      				intOrPtr _t382;
      				intOrPtr _t388;
      				struct HDC__* _t392;
      				struct HDC__* _t393;
      				struct HDC__* _t394;
      				void* _t421;
      				void* _t422;
      				void* _t423;
      				intOrPtr _t447;
      				intOrPtr _t464;
      				void* _t478;
      				signed int _t486;
      				void* _t491;
      				void* _t493;
      				void* _t495;
      				intOrPtr _t496;
      				void* _t506;
      
      				_t493 = _t495;
      				_t496 = _t495 + 0xffffffc8;
      				_v9 = __edx;
      				_v8 = __eax;
      				if(_v9 == 2 &&  *(_v8 + 0x20) < 3) {
      					_v9 = 0;
      				}
      				_t388 =  *((intOrPtr*)(_v8 + 0xc));
      				if(_t388 != 0xffffffff) {
      					L24:
      					return _t388;
      				} else {
      					_t170 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
      					if((_t170 |  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))()) == 0) {
      						goto L24;
      					} else {
      						_t176 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x2c))();
      						asm("cdq");
      						_t486 = _t176 / ( *(_v8 + 0x20) & 0x000000ff);
      						_t491 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x20))();
      						if( *((intOrPtr*)(_v8 + 8)) == 0) {
      							_t503 =  *0x456dd4;
      							if( *0x456dd4 == 0) {
      								 *0x456dd4 = E0045333C(1);
      							}
      							_t382 =  *0x456dd4; // 0x2133c2c
      							 *((intOrPtr*)(_v8 + 8)) = E004533B0(_t382, _t491, _t486);
      						}
      						_v16 = E0042054C(1);
      						 *[fs:eax] = _t496;
      						 *((intOrPtr*)( *_v16 + 0x40))( *[fs:eax], 0x453bf3, _t493);
      						 *((intOrPtr*)( *_v16 + 0x34))();
      						E00413054(0, _t486, 0,  &_v44, _t491);
      						E0041D7A8( *((intOrPtr*)(E00420B1C(_v16) + 0x14)), _t486, 0xff00000f, _t486, _t493, _t503);
      						E004202DC( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 4)))) + 0x24))());
      						 *((intOrPtr*)( *_v16 + 0x38))();
      						if(_v9 >=  *(_v8 + 0x20)) {
      						}
      						E00413054(0 * _t486, 1 * _t486, 0,  &_v60, _t491);
      						_t209 = _v9 - 1;
      						_t506 = _t209;
      						if(_t506 < 0) {
      							L14:
      							_push( &_v60);
      							_t213 = E00420B1C( *((intOrPtr*)(_v8 + 4)));
      							E0041DA18(E00420B1C(_v16),  &_v44, _t507, _t213);
      							_t218 =  *((intOrPtr*)(_v8 + 4));
      							_t508 =  *((char*)(_t218 + 0x38)) - 1;
      							if( *((char*)(_t218 + 0x38)) != 1) {
      								 *((intOrPtr*)(_v8 + 0xc)) = E004532E0( *((intOrPtr*)(_v8 + 8)), 0x20000000, _v16, __eflags);
      							} else {
      								 *((intOrPtr*)(_v8 + 0xc)) = E004532E0( *((intOrPtr*)(_v8 + 8)),  *((intOrPtr*)(_v8 + 0x1c)), _v16, _t508);
      							}
      							goto L23;
      						} else {
      							if(_t506 == 0) {
      								_v24 = 0;
      								_v20 = 0;
      								 *[fs:eax] = _t496;
      								_v24 = E0042054C(1);
      								_v20 = E0042054C(1);
      								 *((intOrPtr*)( *_v20 + 8))( *[fs:eax], 0x453bb7, _t493);
      								 *((intOrPtr*)( *_v20 + 0x6c))();
      								_t241 = _v8;
      								__eflags =  *((char*)(_t241 + 0x20)) - 1;
      								if( *((char*)(_t241 + 0x20)) <= 1) {
      									 *((intOrPtr*)( *_v24 + 8))();
      									 *((intOrPtr*)( *_v24 + 0x6c))();
      									E0041D7A8( *((intOrPtr*)(E00420B1C(_v24) + 0x14)),  *_v24, 0, _t486, _t493, __eflags);
      									_t415 =  *_v24;
      									 *((intOrPtr*)( *_v24 + 0x40))();
      									_t254 = E00420BD8(_v24);
      									__eflags = _t254;
      									if(_t254 != 0) {
      										E0041CFDC( *((intOrPtr*)(E00420B1C(_v24) + 0xc)), 0xffffff);
      										__eflags = 0;
      										E0042188C(_v24, 0);
      										E0041D7A8( *((intOrPtr*)(E00420B1C(_v24) + 0x14)), _t415, 0xffffff, _t486, _t493, __eflags);
      									}
      									E0042188C(_v24, 1);
      									_t391 = E00420B1C(_v16);
      									E0041D7A8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0xff00000f, _t486, _t493, __eflags);
      									E0041DB4C(_t258,  &_v44);
      									E0041D7A8( *((intOrPtr*)(_t258 + 0x14)), _t415, 0xff000014, _t486, _t493, __eflags);
      									SetTextColor(E0041DE34(_t391), 0);
      									SetBkColor(E0041DE34(_t391), 0xffffff);
      									_push(0xe20746);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(E00420B1C(_v24)));
      									_push(_t491);
      									_push(_t486);
      									_push(1);
      									_push(1);
      									_push(E0041DE34(_t391));
      									L00406B6C();
      									E0041D7A8( *((intOrPtr*)(_t391 + 0x14)), _t415, 0xff000010, _t486, _t493, __eflags);
      									SetTextColor(E0041DE34(_t391), 0);
      									SetBkColor(E0041DE34(_t391), 0xffffff);
      									_push(0xe20746);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(E00420B1C(_v24)));
      									_push(_t491);
      									_push(_t486);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(_t391));
      									L00406B6C();
      								} else {
      									_v28 = E00420B1C(_v16);
      									E00420B1C(_v20);
      									E0041DA18(_v28,  &_v44, __eflags,  &_v60);
      									E0042188C(_v24, 1);
      									 *((intOrPtr*)( *_v24 + 0x40))();
      									 *((intOrPtr*)( *_v24 + 0x34))();
      									E0041D7A8( *((intOrPtr*)(E00420B1C(_v20) + 0x14)),  *_v24, 0xffffff, _t486, _t493, __eflags);
      									_push( &_v60);
      									_push(E00420B1C(_v20));
      									_t325 = E00420B1C(_v24);
      									_pop(_t421);
      									E0041DA18(_t325,  &_v44, __eflags);
      									E0041D7A8( *((intOrPtr*)(_v28 + 0x14)), _t421, 0xff000014, _t486, _t493, __eflags);
      									_t392 = E0041DE34(_v28);
      									SetTextColor(_t392, 0);
      									SetBkColor(_t392, 0xffffff);
      									_push(0xe20746);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(E00420B1C(_v24)));
      									_push(_t491);
      									_push(_t486);
      									_push(0);
      									_push(0);
      									_push(_t392);
      									L00406B6C();
      									E0041D7A8( *((intOrPtr*)(E00420B1C(_v20) + 0x14)), _t421, 0x808080, _t486, _t493, __eflags);
      									_push( &_v60);
      									_push(E00420B1C(_v20));
      									_t345 = E00420B1C(_v24);
      									_pop(_t422);
      									E0041DA18(_t345,  &_v44, __eflags);
      									E0041D7A8( *((intOrPtr*)(_v28 + 0x14)), _t422, 0xff000010, _t486, _t493, __eflags);
      									_t393 = E0041DE34(_v28);
      									SetTextColor(_t393, 0);
      									SetBkColor(_t393, 0xffffff);
      									_push(0xe20746);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(E00420B1C(_v24)));
      									_push(_t491);
      									_push(_t486);
      									_push(0);
      									_push(0);
      									_push(_t393);
      									L00406B6C();
      									_push(E0041CB1C( *((intOrPtr*)(_v8 + 0x1c))));
      									_t361 = E00420B1C(_v20);
      									_pop(_t478);
      									E0041D7A8( *((intOrPtr*)(_t361 + 0x14)), _t422, _t478, _t486, _t493, __eflags);
      									_push( &_v60);
      									_push(E00420B1C(_v20));
      									_t368 = E00420B1C(_v24);
      									_pop(_t423);
      									E0041DA18(_t368,  &_v44, __eflags);
      									E0041D7A8( *((intOrPtr*)(_v28 + 0x14)), _t423, 0xff00000f, _t486, _t493, __eflags);
      									_t394 = E0041DE34(_v28);
      									SetTextColor(_t394, 0);
      									SetBkColor(_t394, 0xffffff);
      									_push(0xe20746);
      									_push(0);
      									_push(0);
      									_push(E0041DE34(E00420B1C(_v24)));
      									_push(_t491);
      									_push(_t486);
      									_push(0);
      									_push(0);
      									_push(_t394);
      									L00406B6C();
      								}
      								__eflags = 0;
      								_pop(_t464);
      								 *[fs:eax] = _t464;
      								_push(0x453bbe);
      								E00403B64(_v20);
      								return E00403B64(_v24);
      							} else {
      								_t507 = _t209 - 0xffffffffffffffff;
      								if(_t209 - 0xffffffffffffffff < 0) {
      									goto L14;
      								}
      								L23:
      								_pop(_t447);
      								 *[fs:eax] = _t447;
      								_push(0x453bfa);
      								return E00403B64(_v16);
      							}
      						}
      					}
      				}
      			}


      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1422b59f110c886b2a9f759a43448da14a0ed5891e7c9bf8c2b223c02a95dc1a
      • Instruction ID: 3ee7636a5c885d5d2ebf60448ce038c74c21fdec0bf5a3910ae4591f3ac018b0
      • Opcode Fuzzy Hash: 1422b59f110c886b2a9f759a43448da14a0ed5891e7c9bf8c2b223c02a95dc1a
      • Instruction Fuzzy Hash: E4025574B00104AFC710FFA5D986E9EBBF5AF44309F10406AF805AB397CA39ED459B19
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0042084C(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				void* _v12;
      				char _v13;
      				struct tagPOINT _v21;
      				struct HDC__* _v28;
      				void* _v32;
      				intOrPtr _t78;
      				struct HDC__* _t80;
      				signed int _t82;
      				signed int _t83;
      				signed int _t84;
      				char _t85;
      				void* _t92;
      				struct HDC__* _t115;
      				void* _t136;
      				struct HDC__* _t160;
      				intOrPtr* _t164;
      				intOrPtr _t172;
      				intOrPtr _t176;
      				intOrPtr _t178;
      				intOrPtr _t180;
      				int* _t184;
      				intOrPtr _t186;
      				void* _t188;
      				void* _t189;
      				intOrPtr _t190;
      
      				_t165 = __ecx;
      				_t188 = _t189;
      				_t190 = _t189 + 0xffffffe4;
      				_t184 = __ecx;
      				_v8 = __edx;
      				_t164 = __eax;
      				_t186 =  *((intOrPtr*)(__eax + 0x28));
      				_t172 =  *0x420a98; // 0xf
      				E0041DF08(_v8, __ecx, _t172);
      				E00420DDC(_t164);
      				_v12 = 0;
      				_v13 = 0;
      				_t78 =  *((intOrPtr*)(_t186 + 0x10));
      				if(_t78 != 0) {
      					_push(0xffffffff);
      					_push(_t78);
      					_t160 =  *(_v8 + 4);
      					_push(_t160);
      					L00406CB4();
      					_v12 = _t160;
      					_push( *(_v8 + 4));
      					L00406C8C();
      					_v13 = 1;
      				}
      				_push(0xc);
      				_t80 =  *(_v8 + 4);
      				_push(_t80);
      				L00406C1C();
      				_push(_t80);
      				_push(0xe);
      				_t82 =  *(_v8 + 4);
      				L00406C1C();
      				_t83 = _t82;
      				_t84 = _t83 * _t82;
      				if(_t84 > 8) {
      					L4:
      					_t85 = 0;
      				} else {
      					_t165 =  *(_t186 + 0x28) & 0x0000ffff;
      					if(_t84 < ( *(_t186 + 0x2a) & 0x0000ffff) * ( *(_t186 + 0x28) & 0x0000ffff)) {
      						_t85 = 1;
      					} else {
      						goto L4;
      					}
      				}
      				if(_t85 == 0) {
      					if(E00420BD8(_t164) == 0) {
      						SetStretchBltMode(E0041DE34(_v8), 3);
      					}
      				} else {
      					GetBrushOrgEx( *(_v8 + 4),  &_v21);
      					SetStretchBltMode( *(_v8 + 4), 4);
      					SetBrushOrgEx( *(_v8 + 4), _v21, _v21.y,  &_v21);
      				}
      				_push(_t188);
      				_push(0x420a88);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t190;
      				if( *((intOrPtr*)( *_t164 + 0x28))() != 0) {
      					E00420D7C(_t164, _t165);
      				}
      				_t92 = E00420B1C(_t164);
      				_t176 =  *0x420a98; // 0xf
      				E0041DF08(_t92, _t165, _t176);
      				if( *((intOrPtr*)( *_t164 + 0x28))() == 0) {
      					StretchBlt( *(_v8 + 4),  *_t184, _t184[1], _t184[2] -  *_t184, _t184[3] - _t184[1],  *(E00420B1C(_t164) + 4), 0, 0,  *(_t186 + 0x1c),  *(_t186 + 0x20),  *(_v8 + 0x20));
      					_pop(_t178);
      					 *[fs:eax] = _t178;
      					_push(0x420a8f);
      					if(_v13 != 0) {
      						_push(0xffffffff);
      						_push(_v12);
      						_t115 =  *(_v8 + 4);
      						_push(_t115);
      						L00406CB4();
      						return _t115;
      					}
      					return 0;
      				} else {
      					_v32 = 0;
      					_v28 = 0;
      					_push(_t188);
      					_push(0x420a1d);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t190;
      					L00406B8C();
      					_v28 = E0041E220(0);
      					_v32 = SelectObject(_v28,  *(_t186 + 0xc));
      					E0041E3C4( *(_v8 + 4), _t164, _t184[1],  *_t184, _t184, _t186, 0, 0, _v28,  *(_t186 + 0x20),  *(_t186 + 0x1c), 0, 0,  *(E00420B1C(_t164) + 4), _t184[3] - _t184[1], _t184[2] -  *_t184);
      					_t136 = 0;
      					_t180 = 0;
      					 *[fs:eax] = _t180;
      					_push(0x420a62);
      					if(_v32 != 0) {
      						_t136 = SelectObject(_v28, _v32);
      					}
      					if(_v28 != 0) {
      						return DeleteDC(_v28);
      					}
      					return _t136;
      				}
      			}

      APIs
        • Part of subcall function 00420DDC: 7378AC50.USER32(00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E32
        • Part of subcall function 00420DDC: 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E47
        • Part of subcall function 00420DDC: 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E51
        • Part of subcall function 00420DDC: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E75
        • Part of subcall function 00420DDC: 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E80
      • 7378B410.GDI32(?,?,000000FF), ref: 0042088E
      • 7378B150.GDI32(?,?,?,000000FF), ref: 0042089D
      • 7378AD70.GDI32(?,0000000C), ref: 004208AF
      • 7378AD70.GDI32(?,0000000E,00000000,?,0000000C), ref: 004208BE
      • GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 004208F1
      • SetStretchBltMode.GDI32(?,00000004), ref: 004208FF
      • SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00420917
      • SetStretchBltMode.GDI32(00000000,00000003), ref: 00420934
      • 7378A590.GDI32(00000000,00000000,00420A1D,?,?,0000000E,00000000,?,0000000C), ref: 00420994
      • SelectObject.GDI32(?,?), ref: 004209A9
      • SelectObject.GDI32(?,00000000), ref: 00420A08
      • DeleteDC.GDI32(00000000), ref: 00420A17
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$BrushModeObjectSelectStretch$A590B150B380B410CreateDeleteHalftonePalette
      • String ID:
      • API String ID: 3450332414-0
      • Opcode ID: fafde4be3415603625319d8613307d87c8cf35f7d48107975cc7ccc0c4123c53
      • Instruction ID: b3242f1dbf9aa1fc813372d1706e8fa7c0ceb453b3612e573ff439b93e105e4c
      • Opcode Fuzzy Hash: fafde4be3415603625319d8613307d87c8cf35f7d48107975cc7ccc0c4123c53
      • Instruction Fuzzy Hash: B5714AB5B04205AFDB50DFA9D985F5ABBF8EF08304F51456AF509E7282C638ED40CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0041E230(struct HDC__* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
      				void* _v8;
      				int _v12;
      				int _v16;
      				void* _v20;
      				int _v24;
      				struct HDC__* _v28;
      				struct HDC__* _v32;
      				int _v48;
      				int _v52;
      				void _v56;
      				int _t37;
      				void* _t41;
      				int _t43;
      				void* _t47;
      				void* _t72;
      				intOrPtr _t79;
      				intOrPtr _t80;
      				void* _t85;
      				void* _t87;
      				void* _t88;
      				intOrPtr _t89;
      
      				_t87 = _t88;
      				_t89 = _t88 + 0xffffffcc;
      				asm("movsd");
      				asm("movsd");
      				_t71 = __ecx;
      				_v8 = __eax;
      				_push(0);
      				L00406B8C();
      				_v28 = __eax;
      				_push(0);
      				L00406B8C();
      				_v32 = __eax;
      				_push(_t87);
      				_push(0x41e37e);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t89;
      				_t37 = GetObjectA(_v8, 0x18,  &_v56);
      				if(__ecx == 0) {
      					_push(0);
      					L00406E84();
      					_v24 = _t37;
      					if(_v24 == 0) {
      						E0041E178(__ecx);
      					}
      					_push(_t87);
      					_push(0x41e2ed);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t89;
      					_push(_v12);
      					_push(_v16);
      					_t41 = _v24;
      					_push(_t41);
      					L00406B84();
      					_v20 = _t41;
      					if(_v20 == 0) {
      						E0041E178(_t71);
      					}
      					_pop(_t79);
      					 *[fs:eax] = _t79;
      					_push(0x41e2f4);
      					_t43 = _v24;
      					_push(_t43);
      					_push(0);
      					L004070C4();
      					return _t43;
      				} else {
      					_push(0);
      					_push(1);
      					_push(1);
      					_push(_v12);
      					_t47 = _v16;
      					_push(_t47);
      					L00406B74();
      					_v20 = _t47;
      					if(_v20 != 0) {
      						_t72 = SelectObject(_v28, _v8);
      						_t85 = SelectObject(_v32, _v20);
      						StretchBlt(_v32, 0, 0, _v16, _v12, _v28, 0, 0, _v52, _v48, 0xcc0020);
      						if(_t72 != 0) {
      							SelectObject(_v28, _t72);
      						}
      						if(_t85 != 0) {
      							SelectObject(_v32, _t85);
      						}
      					}
      					_pop(_t80);
      					 *[fs:eax] = _t80;
      					_push(0x41e385);
      					DeleteDC(_v28);
      					return DeleteDC(_v32);
      				}
      			}

























      APIs
      • 7378A590.GDI32(00000000), ref: 0041E247
      • 7378A590.GDI32(00000000,00000000), ref: 0041E251
      • GetObjectA.GDI32(?,00000018,?), ref: 0041E271
      • 7378A410.GDI32(?,?,00000001,00000001,00000000,00000000,0041E37E,?,00000000,00000000), ref: 0041E288
      • 7378AC50.USER32(00000000,00000000,0041E37E,?,00000000,00000000), ref: 0041E294
      • 7378A520.GDI32(00000000,?,?,00000000,0041E2ED,?,00000000,00000000,0041E37E,?,00000000,00000000), ref: 0041E2C1
      • 7378B380.USER32(00000000,00000000,0041E2F4,00000000,0041E2ED,?,00000000,00000000,0041E37E,?,00000000,00000000), ref: 0041E2E7
      • SelectObject.GDI32(?,?), ref: 0041E302
      • SelectObject.GDI32(?,00000000), ref: 0041E311
      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041E33D
      • SelectObject.GDI32(?,00000000), ref: 0041E34B
      • SelectObject.GDI32(?,00000000), ref: 0041E359
      • DeleteDC.GDI32(?), ref: 0041E36F
      • DeleteDC.GDI32(?), ref: 0041E378
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$Object$Select$A590Delete$A410A520B380Stretch
      • String ID:
      • API String ID: 1734081924-0
      • Opcode ID: d2e944ba5cb3a417f5a33b5f74d0160470267c3607cb23597eb84491c90ac652
      • Instruction ID: 1b6157bfc3df5ce6d5d3e8b361fc7b5dc2281b80aea38ebd507e602dbdc66332
      • Opcode Fuzzy Hash: d2e944ba5cb3a417f5a33b5f74d0160470267c3607cb23597eb84491c90ac652
      • Instruction Fuzzy Hash: D6411075E04219AFEB10DBE9CC52FAFB7FCEB08704F114466BA14F7281C67969408768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E00438C0C(intOrPtr* __eax, intOrPtr __edx) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				struct HDC__* _v16;
      				struct tagRECT _v32;
      				struct tagRECT _v48;
      				void* _v64;
      				struct HDC__* _t120;
      				void* _t171;
      				intOrPtr* _t193;
      				intOrPtr* _t196;
      				intOrPtr _t205;
      				void* _t208;
      				intOrPtr _t216;
      				signed int _t234;
      				void* _t237;
      				void* _t239;
      				intOrPtr _t240;
      
      				_t237 = _t239;
      				_t240 = _t239 + 0xffffffc4;
      				_v12 = __edx;
      				_v8 = __eax;
      				if( *(_v8 + 0x165) != 0 ||  *(_v8 + 0x16c) > 0) {
      					_t120 = E00437E18(_v8);
      					_push(_t120);
      					L00406F84();
      					_v16 = _t120;
      					_push(_t237);
      					_push(0x438e72);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t240;
      					GetClientRect(E00437E18(_v8),  &_v32);
      					GetWindowRect(E00437E18(_v8),  &_v48);
      					MapWindowPoints(0, E00437E18(_v8),  &_v48, 2);
      					OffsetRect( &_v32,  ~(_v48.left),  ~(_v48.top));
      					ExcludeClipRect(_v16, _v32, _v32.top, _v32.right, _v32.bottom);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					InflateRect( &_v32,  *(_v8 + 0x16c),  *(_v8 + 0x16c));
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					if( *(_v8 + 0x165) != 0) {
      						_t208 = 0;
      						if( *(_v8 + 0x163) != 0) {
      							_t208 = 0 +  *((intOrPtr*)(_v8 + 0x168));
      						}
      						if( *(_v8 + 0x164) != 0) {
      							_t208 = _t208 +  *((intOrPtr*)(_v8 + 0x168));
      						}
      						_t234 = GetWindowLongA(E00437E18(_v8), 0xfffffff0);
      						if(( *(_v8 + 0x162) & 0x00000001) != 0) {
      							_v48.left = _v48.left - _t208;
      						}
      						if(( *(_v8 + 0x162) & 0x00000002) != 0) {
      							_v48.top = _v48.top - _t208;
      						}
      						if(( *(_v8 + 0x162) & 0x00000004) != 0) {
      							_v48.right = _v48.right + _t208;
      						}
      						if((_t234 & 0x00200000) != 0) {
      							_t196 =  *0x46b530; // 0x46c8f8
      							_v48.right = _v48.right +  *((intOrPtr*)( *_t196))(0x14);
      						}
      						if(( *(_v8 + 0x162) & 0x00000008) != 0) {
      							_v48.bottom = _v48.bottom + _t208;
      						}
      						if((_t234 & 0x00100000) != 0) {
      							_t193 =  *0x46b530; // 0x46c8f8
      							_v48.bottom = _v48.bottom +  *((intOrPtr*)( *_t193))(0x15);
      						}
      						DrawEdge(_v16,  &_v48,  *(0x456b14 + ( *(_v8 + 0x163) & 0x000000ff) * 4) |  *(0x456b24 + ( *(_v8 + 0x164) & 0x000000ff) * 4),  *(_v8 + 0x162) & 0x000000ff |  *(0x456b34 + ( *(_v8 + 0x165) & 0x000000ff) * 4) |  *(0x456b44 + ( *(_v8 + 0x1a5) & 0x000000ff) * 4) | 0x00002000);
      					}
      					IntersectClipRect(_v16, _v48.left, _v48.top, _v48.right, _v48.bottom);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					OffsetRect( &_v48,  ~_v48,  ~(_v48.top));
      					FillRect(_v16,  &_v48, E0041D7DC( *((intOrPtr*)(_v8 + 0x170))));
      					_pop(_t216);
      					 *[fs:eax] = _t216;
      					_push(0x438e79);
      					_push(_v16);
      					_t171 = E00437E18(_v8);
      					_push(_t171);
      					L004070C4();
      					return _t171;
      				} else {
      					 *((intOrPtr*)( *_v8 - 0x10))();
      					_t205 = E004256B0(E004255A8());
      					if(_t205 != 0) {
      						_t205 = _v8;
      						if(( *(_t205 + 0x52) & 0x00000002) != 0) {
      							_t205 = E00425D98(E004255A8(), 0, _v8);
      						}
      					}
      					return _t205;
      				}
      			}





















      APIs
      • 7378B080.USER32(00000000), ref: 00438C40
      • GetClientRect.USER32 ref: 00438C63
      • GetWindowRect.USER32 ref: 00438C75
      • MapWindowPoints.USER32 ref: 00438C8B
      • OffsetRect.USER32(?,?,?), ref: 00438CA0
      • ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,?), ref: 00438CB9
      • InflateRect.USER32(?,00000000,00000000), ref: 00438CD7
      • GetWindowLongA.USER32 ref: 00438D2D
      • DrawEdge.USER32(?,?,00000000,00000008), ref: 00438DF9
      • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00438E12
      • OffsetRect.USER32(?,?,?), ref: 00438E31
      • FillRect.USER32 ref: 00438E4D
      • 7378B380.USER32(00000000,?,00438E79,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 00438E6C
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$Window$7378ClipOffset$B080B380ClientDrawEdgeExcludeFillInflateIntersectLongPoints
      • String ID:
      • API String ID: 1602842641-0
      • Opcode ID: 0965f533961112806ecb4031343d35f84dd99aafb3beea42e5915191f527f402
      • Instruction ID: 4f10b6a1eb5a1ec7d139492d73758f5f0992a4455be4c2738ead1c79bb329bae
      • Opcode Fuzzy Hash: 0965f533961112806ecb4031343d35f84dd99aafb3beea42e5915191f527f402
      • Instruction Fuzzy Hash: 7B911B71E04248AFCB01DBA9C885EDEB7F9AF09314F1441AAF554F7292C779AE00DB64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00407354(intOrPtr* __eax, int* __edx, intOrPtr* _a4, intOrPtr* _a8) {
      				intOrPtr* _v8;
      				struct HWND__* _t19;
      				int* _t20;
      				int* _t26;
      				int* _t27;
      
      				_t26 = _t20;
      				_t27 = __edx;
      				_v8 = __eax;
      				_t19 = FindWindowA("MouseZ", "Magellan MSWHEEL");
      				 *_v8 = RegisterClipboardFormatA("MSWHEEL_ROLLMSG");
      				 *_t27 = RegisterClipboardFormatA("MSH_WHEELSUPPORT_MSG");
      				 *_t26 = RegisterClipboardFormatA("MSH_SCROLL_LINES_MSG");
      				if( *_t27 == 0 || _t19 == 0) {
      					 *_a8 = 0;
      				} else {
      					 *_a8 = SendMessageA(_t19,  *_t27, 0, 0);
      				}
      				if( *_t26 == 0 || _t19 == 0) {
      					 *_a4 = 3;
      				} else {
      					 *_a4 = SendMessageA(_t19,  *_t26, 0, 0);
      				}
      				return _t19;
      			}









      APIs
      • FindWindowA.USER32 ref: 0040736C
      • RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 00407378
      • RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 00407387
      • RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00407393
      • SendMessageA.USER32 ref: 004073AB
      • SendMessageA.USER32 ref: 004073CF
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ClipboardFormatRegister$MessageSend$FindWindow
      • String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
      • API String ID: 1416857345-3736581797
      • Opcode ID: 3031b8641fdc385c523e1082785c9c5fdb382e477e6bfa0a7d8062c888f50b01
      • Instruction ID: bcb88bbf9a254717313446d33e070c9ab5a8527f82732502e6218ded90e12fe7
      • Opcode Fuzzy Hash: 3031b8641fdc385c523e1082785c9c5fdb382e477e6bfa0a7d8062c888f50b01
      • Instruction Fuzzy Hash: 62114F70A48341AFE7109F55CC81B66B7A8EF44710F204177BD44AB3C1D6B9AD40D7AA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00402CD4(CHAR* __eax, CHAR* __edx) {
      				char _t67;
      				char _t68;
      				char _t69;
      				CHAR** _t74;
      				CHAR** _t75;
      				void* _t76;
      				void* _t77;
      				CHAR** _t78;
      
      				_t78[1] = __edx;
      				 *_t78 = __eax;
      				_t75 = _t78;
      				_t74 =  &(_t78[5]);
      				while(1) {
      					L2:
      					_t67 =  *( *_t75);
      					if(_t67 != 0 && _t67 <= 0x20) {
      						 *_t75 = CharNextA( *_t75);
      					}
      					L2:
      					_t67 =  *( *_t75);
      					if(_t67 != 0 && _t67 <= 0x20) {
      						 *_t75 = CharNextA( *_t75);
      					}
      					L4:
      					if( *( *_t75) != 0x22 || ( *_t75)[1] != 0x22) {
      						_t76 = 0;
      						_t78[3] =  *_t75;
      						while( *( *_t75) > 0x20) {
      							if( *( *_t75) != 0x22) {
      								 *_t74 = CharNextA( *_t75);
      								_t76 = _t76 +  *_t74 -  *_t75;
      								 *_t75 =  *_t74;
      								continue;
      							}
      							 *_t75 = CharNextA( *_t75);
      							while(1) {
      								_t69 =  *( *_t75);
      								if(_t69 == 0 || _t69 == 0x22) {
      									break;
      								}
      								 *_t74 = CharNextA( *_t75);
      								_t76 = _t76 +  *_t74 -  *_t75;
      								 *_t75 =  *_t74;
      							}
      							if( *( *_t75) != 0) {
      								 *_t75 = CharNextA( *_t75);
      							}
      						}
      						E00404F24(_t78[1], _t76);
      						 *_t75 = _t78[3];
      						_t78[4] =  *(_t78[1]);
      						_t77 = 0;
      						while( *( *_t75) > 0x20) {
      							if( *( *_t75) != 0x22) {
      								 *_t74 = CharNextA( *_t75);
      								if( *_t75 >=  *_t74) {
      									continue;
      								} else {
      									goto L27;
      								}
      								do {
      									L27:
      									_t78[4][_t77] =  *( *_t75);
      									 *_t75 =  &(( *_t75)[1]);
      									_t77 = _t77 + 1;
      								} while ( *_t75 <  *_t74);
      								continue;
      							}
      							 *_t75 = CharNextA( *_t75);
      							while(1) {
      								_t68 =  *( *_t75);
      								if(_t68 == 0 || _t68 == 0x22) {
      									break;
      								}
      								 *_t74 = CharNextA( *_t75);
      								if( *_t75 >=  *_t74) {
      									continue;
      								} else {
      									goto L21;
      								}
      								do {
      									L21:
      									_t78[4][_t77] =  *( *_t75);
      									 *_t75 =  &(( *_t75)[1]);
      									_t77 = _t77 + 1;
      								} while ( *_t75 <  *_t74);
      							}
      							if( *( *_t75) != 0) {
      								 *_t75 = CharNextA( *_t75);
      							}
      						}
      						_t78[2] =  *_t75;
      						return _t78[2];
      					} else {
      						 *_t75 =  &(( *_t75)[2]);
      						continue;
      					}
      				}
      			}












      APIs
      • CharNextA.USER32(00000000), ref: 00402D29
      • CharNextA.USER32(00000000,00000000), ref: 00402D35
      • CharNextA.USER32(00000000,00000000), ref: 00402D5D
      • CharNextA.USER32(00000000), ref: 00402D69
      • CharNextA.USER32(?,00000000), ref: 00402DAA
      • CharNextA.USER32(00000000,?,00000000), ref: 00402DB6
      • CharNextA.USER32(00000000,?,00000000), ref: 00402DEE
      • CharNextA.USER32(?,00000000), ref: 00402DFA
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CharNext
      • String ID: $"$"
      • API String ID: 3213498283-938660540
      • Opcode ID: d6d905222ce9a1e5395728ee25e8ea3374312ba5263673085f4c23e2273775cc
      • Instruction ID: 34073b3ffb9fc3bdde704dcbca90249daea41721d7b77d078b8e4200871d7f09
      • Opcode Fuzzy Hash: d6d905222ce9a1e5395728ee25e8ea3374312ba5263673085f4c23e2273775cc
      • Instruction Fuzzy Hash: E951EA706042819FD771EF68C588A56FBE4EF5A340B2408AEE4C5EB391D378AC81DB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E00425D98(void* __eax, void* __ecx, intOrPtr __edx) {
      				intOrPtr _v8;
      				struct HDC__* _v12;
      				struct tagRECT _v28;
      				struct tagRECT _v44;
      				char _v56;
      				char _v72;
      				signed char _t43;
      				struct HDC__* _t55;
      				void* _t74;
      				signed int _t77;
      				int _t78;
      				int _t79;
      				void* _t92;
      				intOrPtr _t105;
      				void* _t114;
      				void* _t117;
      				void* _t120;
      				void* _t122;
      				intOrPtr _t123;
      
      				_t120 = _t122;
      				_t123 = _t122 + 0xffffffbc;
      				_t92 = __ecx;
      				_v8 = __edx;
      				_t114 = __eax;
      				_t43 = GetWindowLongA(E00437E18(_v8), 0xffffffec);
      				if((_t43 & 0x00000002) == 0) {
      					return _t43;
      				} else {
      					GetWindowRect(E00437E18(_v8),  &_v44);
      					OffsetRect( &_v44,  ~(_v44.left),  ~(_v44.top));
      					_t55 = E00437E18(_v8);
      					_push(_t55);
      					L00406F84();
      					_v12 = _t55;
      					_push(_t120);
      					_push(0x425ef3);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t123;
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t117 = _t114;
      					if(_t92 != 0) {
      						_t77 = GetWindowLongA(E00437E18(_v8), 0xfffffff0);
      						if((_t77 & 0x00100000) != 0 && (_t77 & 0x00200000) != 0) {
      							_t78 = GetSystemMetrics(2);
      							_t79 = GetSystemMetrics(3);
      							InflateRect( &_v28, 0xfffffffe, 0xfffffffe);
      							E00413054(_v28.right - _t78, _v28.right, _v28.bottom - _t79,  &_v72, _v28.bottom);
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							asm("movsd");
      							_t117 = _t117;
      							FillRect(_v12,  &_v28, GetSysColorBrush(0xf));
      						}
      					}
      					ExcludeClipRect(_v12, _v44.left + 2, _v44.top + 2, _v44.right - 2, _v44.bottom - 2);
      					E00425934( &_v56, 2);
      					E004257BC(_t117,  &_v56, _v12, 0,  &_v44);
      					_pop(_t105);
      					 *[fs:eax] = _t105;
      					_push(0x425efa);
      					_push(_v12);
      					_t74 = E00437E18(_v8);
      					_push(_t74);
      					L004070C4();
      					return _t74;
      				}
      			}























      APIs
      • GetWindowLongA.USER32 ref: 00425DB3
      • GetWindowRect.USER32 ref: 00425DCE
      • OffsetRect.USER32(?,?,?), ref: 00425DE3
      • 7378B080.USER32(00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425DF1
      • GetWindowLongA.USER32 ref: 00425E22
      • GetSystemMetrics.USER32 ref: 00425E37
      • GetSystemMetrics.USER32 ref: 00425E40
      • InflateRect.USER32(?,000000FE,000000FE), ref: 00425E4F
      • GetSysColorBrush.USER32(0000000F), ref: 00425E7C
      • FillRect.USER32 ref: 00425E8A
      • ExcludeClipRect.GDI32(?,?,?,?,?,00000000,00425EF3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425EAF
      • 7378B380.USER32(00000000,?,00425EFA,?,?,00000000,00425EF3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 00425EED
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$Window$7378LongMetricsSystem$B080B380BrushClipColorExcludeFillInflateOffset
      • String ID:
      • API String ID: 3946395549-0
      • Opcode ID: 231176750a3b5992fed4e171d16e2e48a2e58e709a2d31485af9f78e67068a4e
      • Instruction ID: a1a2f6a594ea96d2ed38365610b5a1cfe167930b1740d7a92f8c7e62ff3f1468
      • Opcode Fuzzy Hash: 231176750a3b5992fed4e171d16e2e48a2e58e709a2d31485af9f78e67068a4e
      • Instruction Fuzzy Hash: 2F418372A00119AFCB00EBA9DC42EDFB7BDEF49314F51016AF515F7291CA39AE018764
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E00423278(struct HDC__* _a4, RECT* _a8, _Unknown_base(*)()* _a12, long _a16) {
      				struct tagPOINT _v12;
      				int _v16;
      				struct tagRECT _v32;
      				struct tagRECT _v48;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t60;
      				int _t61;
      				RECT* _t64;
      				struct HDC__* _t65;
      
      				_t64 = _a8;
      				_t65 = _a4;
      				if( *0x46c927 != 0) {
      					_t61 = 0;
      					if(_a12 == 0) {
      						L14:
      						return _t61;
      					}
      					_v32.left = 0;
      					_v32.top = 0;
      					_v32.right = GetSystemMetrics(0);
      					_v32.bottom = GetSystemMetrics(1);
      					if(_t65 == 0) {
      						if(_t64 == 0 || IntersectRect( &_v32,  &_v32, _t64) != 0) {
      							L13:
      							_t61 = _a12(0x12340042, _t65,  &_v32, _a16);
      						} else {
      							_t61 = 1;
      						}
      						goto L14;
      					}
      					_v16 = GetClipBox(_t65,  &_v48);
      					if(GetDCOrgEx(_t65,  &_v12) == 0) {
      						goto L14;
      					}
      					OffsetRect( &_v32,  ~(_v12.x),  ~(_v12.y));
      					if(IntersectRect( &_v32,  &_v32,  &_v48) == 0 || _t64 != 0) {
      						if(IntersectRect( &_v32,  &_v32, _t64) != 0) {
      							goto L13;
      						}
      						if(_v16 == 1) {
      							_t61 = 1;
      						}
      						goto L14;
      					} else {
      						goto L13;
      					}
      				}
      				 *0x46c914 = E00422CC0(7, _t60, "EnumDisplayMonitors",  *0x46c914, _t65);
      				_t61 = EnumDisplayMonitors(_t65, _t64, _a12, _a16);
      				goto L14;
      			}















      APIs
      • EnumDisplayMonitors.USER32(?,?,?,?), ref: 004232B1
      • GetSystemMetrics.USER32 ref: 004232D6
      • GetSystemMetrics.USER32 ref: 004232E1
      • GetClipBox.GDI32(?,?), ref: 004232F3
      • GetDCOrgEx.GDI32(?,?), ref: 00423300
      • OffsetRect.USER32(?,?,?), ref: 00423319
      • IntersectRect.USER32 ref: 0042332A
      • IntersectRect.USER32 ref: 00423340
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
      • String ID: EnumDisplayMonitors
      • API String ID: 362875416-2491903729
      • Opcode ID: 74196e96f2e32982a7e466ce847eb7702364f58093ab8a8599b2aa039c4d4229
      • Instruction ID: c1d9165fac128c842ff83a0808b73ee03bb1484af95237f5af31bf5e4a8da203
      • Opcode Fuzzy Hash: 74196e96f2e32982a7e466ce847eb7702364f58093ab8a8599b2aa039c4d4229
      • Instruction Fuzzy Hash: 42311E71A01219AFDB10DFA5D8459FF77FCAB09315F40412BED11E3241EA7C9B048BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E00401C90() {
      				void* _v8;
      				intOrPtr* _v12;
      				void* _t13;
      				void* _t15;
      				intOrPtr* _t18;
      				void* _t31;
      				void* _t37;
      				intOrPtr _t42;
      				void* _t44;
      				void* _t46;
      				intOrPtr _t47;
      
      				_t44 = _t46;
      				_t47 = _t46 + 0xfffffff8;
      				if( *0x46c5c0 == 0) {
      					return _t13;
      				} else {
      					_push(_t44);
      					_push("�+%");
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t47;
      					if( *0x46c049 != 0) {
      						_push(0x46c5c8);
      						L00401398();
      					}
      					 *0x46c5c0 = 0;
      					_t15 =  *0x46c620; // 0x6b1510
      					LocalFree(_t15);
      					 *0x46c620 = 0;
      					_t18 =  *0x46c5e8; // 0x6b2b44
      					_v12 = _t18;
      					while(0x46c5e8 != _v12) {
      						VirtualFree( *(_v12 + 8), 0, 0x8000);
      						_v12 =  *_v12;
      					}
      					E00401434(0x46c5e8);
      					E00401434(0x46c5f8);
      					E00401434(0x46c624);
      					_t31 =  *0x46c5e0; // 0x6b2510
      					_v8 = _t31;
      					while(_v8 != 0) {
      						 *0x46c5e0 =  *_v8;
      						LocalFree(_v8);
      						_t37 =  *0x46c5e0; // 0x6b2510
      						_v8 = _t37;
      					}
      					_pop(_t42);
      					 *[fs:eax] = _t42;
      					_push(0x401d8b);
      					if( *0x46c049 != 0) {
      						_push(0x46c5c8);
      						L004013A0();
      					}
      					_push(0x46c5c8);
      					L004013A8();
      					return 0;
      				}
      			}















      APIs
      • RtlEnterCriticalSection.KERNEL32(0046C5C8,00000000,+%), ref: 00401CBF
      • LocalFree.KERNEL32(006B1510,00000000,+%), ref: 00401CD1
      • VirtualFree.KERNEL32(?,00000000,00008000,006B1510,00000000,+%), ref: 00401CF5
      • LocalFree.KERNEL32(00000000,?,00000000,00008000,006B1510,00000000,+%), ref: 00401D46
      • RtlLeaveCriticalSection.KERNEL32(0046C5C8,00401D8B,006B1510,00000000,+%), ref: 00401D74
      • RtlDeleteCriticalSection.KERNEL32(0046C5C8,00401D8B,006B1510,00000000,+%), ref: 00401D7E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
      • String ID: $+k$4+k$D+k$+%
      • API String ID: 3782394904-655086484
      • Opcode ID: 86f52c0f737e103479608009de0fae5f6ce9bdb777f05cbe2f5b23db02d7aadb
      • Instruction ID: 3864dd8f0c2d71706640a1f021470215e9420f89c65dee868a7a37d212a851c6
      • Opcode Fuzzy Hash: 86f52c0f737e103479608009de0fae5f6ce9bdb777f05cbe2f5b23db02d7aadb
      • Instruction Fuzzy Hash: 9B215CB0A04744EED710EBA8D885B6977E4AB49304F9040BBE441E32F1E67CA940DB1E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E00435FA8(intOrPtr* __eax, void* __edx) {
      				struct HDC__* _v8;
      				void* _v12;
      				void* _v16;
      				struct tagPAINTSTRUCT _v80;
      				intOrPtr _v84;
      				void* _v96;
      				struct HDC__* _v104;
      				void* _v112;
      				void* __ebx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t38;
      				struct HDC__* _t47;
      				struct HDC__* _t55;
      				intOrPtr* _t83;
      				intOrPtr _t102;
      				void* _t103;
      				void* _t108;
      				void* _t111;
      				void* _t113;
      				intOrPtr _t114;
      
      				_t111 = _t113;
      				_t114 = _t113 + 0xffffff94;
      				_push(_t103);
      				_t108 = __edx;
      				_t83 = __eax;
      				if( *((char*)(__eax + 0x1f8)) == 0 ||  *((intOrPtr*)(__edx + 4)) != 0) {
      					if(( *(_t83 + 0x55) & 0x00000001) != 0 || E00434B48(_t83) != 0) {
      						_t38 = E00435ACC(_t83, _t83, _t108, _t103, _t108);
      					} else {
      						_t38 =  *((intOrPtr*)( *_t83 - 0x10))();
      					}
      					return _t38;
      				} else {
      					L00406E84();
      					 *((intOrPtr*)( *__eax + 0x44))();
      					 *((intOrPtr*)( *__eax + 0x44))();
      					_t47 = _v104;
      					L00406B84();
      					_v12 = _t47;
      					L004070C4();
      					L00406B8C();
      					_v8 = _t47;
      					_v16 = SelectObject(_v8, _v12);
      					 *[fs:eax] = _t114;
      					_t55 = BeginPaint(E00437E18(_t83),  &_v80);
      					E004327D0(_t83, _v8, 0x14, _v8);
      					 *((intOrPtr*)(_t108 + 4)) = _v8;
      					E00435FA8(_t83, _t108);
      					 *((intOrPtr*)(_t108 + 4)) = 0;
      					 *((intOrPtr*)( *_t83 + 0x44))(_v8, 0, 0, 0xcc0020,  *[fs:eax], 0x4360fa, _t111, 0, 0, __eax, __eax, _t47, _v84, 0);
      					 *((intOrPtr*)( *_t83 + 0x44))(_v84);
      					_push(_v104);
      					_push(0);
      					_push(0);
      					L00406B6C();
      					EndPaint(E00437E18(_t83),  &_v80);
      					_t102 = _t55;
      					 *[fs:eax] = _t102;
      					_push(0x436101);
      					SelectObject(_v8, _v16);
      					DeleteDC(_v8);
      					return DeleteObject(_v12);
      				}
      			}


























      APIs
      • 7378AC50.USER32(00000000), ref: 00435FF3
      • 7378A520.GDI32(00000000,?), ref: 00436017
      • 7378B380.USER32(00000000,00000000,00000000,?), ref: 00436022
      • 7378A590.GDI32(00000000,00000000,00000000,00000000,?), ref: 00436029
      • SelectObject.GDI32(00000000,?), ref: 00436039
      • BeginPaint.USER32(00000000,?,00000000,004360FA,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 0043605B
      • 737997E0.GDI32(00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004360B7
      • EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000,?), ref: 004360C8
      • SelectObject.GDI32(00000000,?), ref: 004360E2
      • DeleteDC.GDI32(00000000), ref: 004360EB
      • DeleteObject.GDI32(?), ref: 004360F4
        • Part of subcall function 00435ACC: BeginPaint.USER32(00000000,?), ref: 00435AF2
        • Part of subcall function 00435ACC: EndPaint.USER32(00000000,?,00435BF3), ref: 00435BE6
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378Paint$Object$BeginDeleteSelect$737997A520A590B380
      • String ID:
      • API String ID: 2313290061-0
      • Opcode ID: d0a9d3123e2b3e14d796849ae66a12f69f9d09326393a37ecc9c12220f59c283
      • Instruction ID: 77d5a0ea31af2bcfef21ae13256e508d3f21bd10d4ca2716db4a3839e020943b
      • Opcode Fuzzy Hash: d0a9d3123e2b3e14d796849ae66a12f69f9d09326393a37ecc9c12220f59c283
      • Instruction Fuzzy Hash: 66412E75B00204AFDB10EBA9CC85F9EB7F8AF48704F11547AB906EB281DA79AD05CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00435C24(void* __eax, struct HDC__* __ecx, struct HDC__* __edx) {
      				struct tagRECT _v44;
      				struct tagRECT _v60;
      				void* _v68;
      				int _v80;
      				int _t79;
      				struct HDC__* _t134;
      				int _t135;
      				void* _t136;
      				void* _t155;
      				void* _t156;
      				void* _t157;
      				struct HDC__* _t158;
      				intOrPtr* _t159;
      
      				_t137 = __ecx;
      				_t159 =  &(_v44.bottom);
      				_t134 = __ecx;
      				_t158 = __edx;
      				_t157 = __eax;
      				if( *((char*)(__eax + 0x1a8)) != 0 &&  *((char*)(__eax + 0x1a7)) != 0 &&  *(__eax + 0x17c) != 0) {
      					_t137 =  *( *(__eax + 0x17c));
      					 *((intOrPtr*)( *( *(__eax + 0x17c)) + 0x20))();
      				}
      				_t78 =  *((intOrPtr*)(_t157 + 0x198));
      				if( *((intOrPtr*)(_t157 + 0x198)) == 0) {
      					L17:
      					_t79 =  *(_t157 + 0x19c);
      					if(_t79 == 0) {
      						L27:
      						return _t79;
      					}
      					_t79 =  *((intOrPtr*)(_t79 + 8)) - 1;
      					if(_t79 < 0) {
      						goto L27;
      					}
      					_v44.right = _t79 + 1;
      					_t155 = 0;
      					do {
      						_t79 = E0041449C( *(_t157 + 0x19c), _t137, _t155);
      						_t135 = _t79;
      						if( *((char*)(_t135 + 0x1a5)) != 0 && ( *(_t135 + 0x50) & 0x00000010) != 0 && ( *((char*)(_t135 + 0x57)) != 0 || ( *(_t135 + 0x1c) & 0x00000010) != 0 && ( *(_t135 + 0x51) & 0x00000004) == 0)) {
      							_v44.left = CreateSolidBrush(E0041CB1C(0xff000010));
      							E00413054( *((intOrPtr*)(_t135 + 0x40)) - 1,  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)),  *((intOrPtr*)(_t135 + 0x44)) - 1,  &(_v44.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)));
      							FrameRect(_t158,  &_v44, _v44);
      							DeleteObject(_v60.right);
      							_v60.left = CreateSolidBrush(E0041CB1C(0xff000014));
      							_t137 =  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1;
      							E00413054( *((intOrPtr*)(_t135 + 0x40)),  *((intOrPtr*)(_t135 + 0x40)) +  *((intOrPtr*)(_t135 + 0x48)) + 1,  *((intOrPtr*)(_t135 + 0x44)),  &(_v60.right),  *((intOrPtr*)(_t135 + 0x44)) +  *((intOrPtr*)(_t135 + 0x4c)) + 1);
      							FrameRect(_t158,  &_v60, _v60);
      							_t79 = DeleteObject(_v68);
      						}
      						_t155 = _t155 + 1;
      						_t75 =  &(_v44.right);
      						 *_t75 = _v44.right - 1;
      					} while ( *_t75 != 0);
      					goto L27;
      				}
      				_t156 = 0;
      				if(_t134 != 0) {
      					_t156 = E00414500(_t78, _t134);
      					if(_t156 < 0) {
      						_t156 = 0;
      					}
      				}
      				 *_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x198)) + 8));
      				if(_t156 <  *_t159) {
      					do {
      						_t136 = E0041449C( *((intOrPtr*)(_t157 + 0x198)), _t137, _t156);
      						if( *((char*)(_t136 + 0x57)) != 0 || ( *(_t136 + 0x1c) & 0x00000010) != 0 && ( *(_t136 + 0x51) & 0x00000004) == 0) {
      							_t137 =  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48);
      							E00413054( *((intOrPtr*)(_t136 + 0x40)),  *((intOrPtr*)(_t136 + 0x40)) +  *(_t136 + 0x48),  *((intOrPtr*)(_t136 + 0x44)),  &(_v44.bottom),  *((intOrPtr*)(_t136 + 0x44)) +  *(_t136 + 0x4c));
      							if(RectVisible(_t158,  &(_v44.top)) != 0) {
      								if(( *(_t157 + 0x54) & 0x00000080) != 0) {
      									 *(_t136 + 0x54) =  *(_t136 + 0x54) | 0x00000080;
      								}
      								_v60.top = SaveDC(_t158);
      								E0042FF58(_t158,  *((intOrPtr*)(_t136 + 0x44)),  *((intOrPtr*)(_t136 + 0x40)));
      								IntersectClipRect(_t158, 0, 0,  *(_t136 + 0x48),  *(_t136 + 0x4c));
      								_t137 = _t158;
      								E004327D0(_t136, _t158, 0xf, 0);
      								RestoreDC(_t158, _v80);
      								 *(_t136 + 0x54) =  *(_t136 + 0x54) & 0x0000ff7f;
      							}
      						}
      						_t156 = _t156 + 1;
      					} while (_t156 < _v60.top);
      				}
      			}

















      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
      • String ID:
      • API String ID: 375863564-0
      • Opcode ID: 1084d6525cf5101de6515fdf8d71a7da76d1bb3481092f6f53f713a5a15f2de7
      • Instruction ID: d20c3d6b23c4ebf62227b8ccf9ed78fda5232f8b36514a5ba725acd7e563480b
      • Opcode Fuzzy Hash: 1084d6525cf5101de6515fdf8d71a7da76d1bb3481092f6f53f713a5a15f2de7
      • Instruction Fuzzy Hash: 5D516D712047449BDB18DF69C8C4B5B7BE8AF49308F04546EFE89CB286D639EC44CB18
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E00402F88(void** __eax) {
      				long _t29;
      				void* _t31;
      				long _t34;
      				void* _t38;
      				void* _t40;
      				long _t41;
      				int _t44;
      				void* _t46;
      				long _t54;
      				long _t55;
      				void* _t58;
      				void** _t59;
      				DWORD* _t60;
      
      				_t59 = __eax;
      				 *((intOrPtr*)(__eax + 0xc)) = 0;
      				 *((intOrPtr*)(__eax + 0x10)) = 0;
      				if(0xffffffffffff284f == 0) {
      					_t29 = 0x80000000;
      					_t55 = 1;
      					_t54 = 3;
      					 *((intOrPtr*)(__eax + 0x1c)) = 0x402edc;
      				} else {
      					if(0xffffffffffff284f == 0) {
      						_t29 = 0x40000000;
      						_t55 = 1;
      						_t54 = 2;
      					} else {
      						if(0xffffffffffff284f != 0) {
      							return 0xffffffffffff284d;
      						}
      						_t29 = 0xc0000000;
      						_t55 = 1;
      						_t54 = 3;
      					}
      					_t59[7] = E00402F1C;
      				}
      				_t59[9] = E00402F68;
      				_t59[8] = E00402F18;
      				if(_t59[0x12] == 0) {
      					_t59[2] = 0x80;
      					_t59[9] = E00402F18;
      					_t59[5] =  &(_t59[0x53]);
      					if(_t59[1] == 0xd7b2) {
      						if(_t59 != 0x46c3e4) {
      							_push(0xfffffff5);
      						} else {
      							_push(0xfffffff4);
      						}
      					} else {
      						_push(0xfffffff6);
      					}
      					_t31 = GetStdHandle();
      					if(_t31 == 0xffffffff) {
      						goto L37;
      					}
      					 *_t59 = _t31;
      					goto L30;
      				} else {
      					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
      					if(_t38 == 0xffffffff) {
      						L37:
      						_t59[1] = 0xd7b0;
      						return GetLastError();
      					}
      					 *_t59 = _t38;
      					if(_t59[1] != 0xd7b3) {
      						L30:
      						if(_t59[1] == 0xd7b1) {
      							L34:
      							return 0;
      						}
      						_t34 = GetFileType( *_t59);
      						if(_t34 == 0) {
      							CloseHandle( *_t59);
      							_t59[1] = 0xd7b0;
      							return 0x69;
      						}
      						if(_t34 == 2) {
      							_t59[8] = E00402F1C;
      						}
      						goto L34;
      					}
      					_t59[1] = _t59[1] - 1;
      					_t40 = GetFileSize( *_t59, 0) + 1;
      					if(_t40 == 0) {
      						goto L37;
      					}
      					_t41 = _t40 - 0x81;
      					if(_t41 < 0) {
      						_t41 = 0;
      					}
      					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
      						goto L37;
      					} else {
      						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
      						_t58 = 0;
      						if(_t44 != 1) {
      							goto L37;
      						}
      						_t46 = 0;
      						while(_t46 < _t58) {
      							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
      								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
      									goto L37;
      								} else {
      									goto L30;
      								}
      							}
      							_t46 = _t46 + 1;
      						}
      						goto L30;
      					}
      				}
      			}

















      APIs
      • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403010
      • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403034
      • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00403050
      • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00403071
      • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040309A
      • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 004030A8
      • GetStdHandle.KERNEL32(000000F5), ref: 004030E3
      • GetFileType.KERNEL32(?,000000F5), ref: 004030F9
      • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403114
      • GetLastError.KERNEL32(000000F5), ref: 0040312C
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
      • String ID:
      • API String ID: 1694776339-0
      • Opcode ID: de4dd07c49abdebfe22a8a0e67b3c764d9240c98486af1927cce5375a8feba71
      • Instruction ID: 4a122ce598452893aa473bf8ff396c453d6b3c2e28dec6ef2139a6550352fab6
      • Opcode Fuzzy Hash: de4dd07c49abdebfe22a8a0e67b3c764d9240c98486af1927cce5375a8feba71
      • Instruction Fuzzy Hash: 7F411430100301AAE7309F24C90976379E8EB48745F20CE3FE0D6BA6E5D7BD9A41974E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044CBC8(intOrPtr _a4) {
      				intOrPtr _t27;
      				struct HMENU__* _t48;
      
      				_t27 =  *((intOrPtr*)(_a4 - 4));
      				if( *((char*)(_t27 + 0x229)) != 0) {
      					_t27 =  *((intOrPtr*)(_a4 - 4));
      					if(( *(_t27 + 0x228) & 0x00000001) != 0) {
      						_t27 =  *((intOrPtr*)(_a4 - 4));
      						if( *((char*)(_t27 + 0x22f)) != 1) {
      							_t48 = GetSystemMenu(E00437E18( *((intOrPtr*)(_a4 - 4))), 0);
      							if( *((char*)( *((intOrPtr*)(_a4 - 4)) + 0x229)) == 3) {
      								DeleteMenu(_t48, 0xf130, 0);
      								DeleteMenu(_t48, 7, 0x400);
      								DeleteMenu(_t48, 5, 0x400);
      								DeleteMenu(_t48, 0xf030, 0);
      								DeleteMenu(_t48, 0xf020, 0);
      								DeleteMenu(_t48, 0xf000, 0);
      								return DeleteMenu(_t48, 0xf120, 0);
      							}
      							if(( *( *((intOrPtr*)(_a4 - 4)) + 0x228) & 0x00000002) == 0) {
      								EnableMenuItem(_t48, 0xf020, 1);
      							}
      							_t27 =  *((intOrPtr*)(_a4 - 4));
      							if(( *(_t27 + 0x228) & 0x00000004) == 0) {
      								return EnableMenuItem(_t48, 0xf030, 1);
      							}
      						}
      					}
      				}
      				return _t27;
      			}






      APIs
      • GetSystemMenu.USER32(00000000,00000000), ref: 0044CC13
      • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0044CC31
      • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044CC3E
      • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044CC4B
      • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0044CC58
      • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0044CC65
      • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0044CC72
      • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0044CC7F
      • EnableMenuItem.USER32 ref: 0044CC9D
      • EnableMenuItem.USER32 ref: 0044CCB9
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$Delete$EnableItem$System
      • String ID:
      • API String ID: 3985193851-0
      • Opcode ID: 9c47885e379f329d6bdb7870b01814a8e8b6bd6b9d7e265bfc14bdff18bf141a
      • Instruction ID: 4a83395db4e9339531f2fc038048f5a18dd332d887ba22da1e90c783a0bc2efe
      • Opcode Fuzzy Hash: 9c47885e379f329d6bdb7870b01814a8e8b6bd6b9d7e265bfc14bdff18bf141a
      • Instruction Fuzzy Hash: FB218070341304BAE320AB65CCCEF5A7AE95F04B18F0540AAB6097F2D3C6B9B990921C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00404754(void* __ecx) {
      				char _v4;
      				int _t3;
      
      				if( *0x46c048 == 0) {
      					if( *0x456030 == 0) {
      						_t3 = MessageBoxA(0, "Runtime error     at 00000000", "Error", 0);
      					}
      					return _t3;
      				} else {
      					if( *0x46c21c == 0xd7b2 &&  *0x46c224 > 0) {
      						 *0x46c234();
      					}
      					_t1 =  &_v4; // 0x455c78
      					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1e, _t1, 0);
      					_t2 =  &_v4; // 0x455c78
      					return WriteFile(GetStdHandle(0xfffffff5), E004047DC, 2, _t2, 0);
      				}
      			}






      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,x\E,00000000,?,0040481E,?,?,?,?,00000001,004048CA,00402B9B,00402BE3), ref: 0040478D
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,x\E,00000000,?,0040481E,?,?,?,?,00000001,004048CA,00402B9B,00402BE3), ref: 00404793
      • GetStdHandle.KERNEL32(000000F5,004047DC,00000002,x\E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,x\E,00000000,?,0040481E), ref: 004047A8
      • WriteFile.KERNEL32(00000000,000000F5,004047DC,00000002,x\E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,x\E,00000000,?,0040481E), ref: 004047AE
      • MessageBoxA.USER32 ref: 004047CC
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: FileHandleWrite$Message
      • String ID: Error$Runtime error at 00000000$x\E
      • API String ID: 1570097196-3449909432
      • Opcode ID: 1fc14a015cb1b615c2da3214c62d17742798b0c24fc4705714116731884229f0
      • Instruction ID: 52c4e75c4ee161d7f89e82f48be3bcbd09bd0c74812f277b807f80ea35230f39
      • Opcode Fuzzy Hash: 1fc14a015cb1b615c2da3214c62d17742798b0c24fc4705714116731884229f0
      • Instruction Fuzzy Hash: D6F0F6A0A8134039EA20F3E44C86F6721584781F19F6042BFB754B64E3D3FC548486AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00431238(intOrPtr* __eax, int __ecx, int __edx) {
      				char _t62;
      				signed int _t64;
      				signed int _t65;
      				signed char _t107;
      				intOrPtr _t113;
      				intOrPtr _t114;
      				int _t117;
      				intOrPtr* _t118;
      				int _t119;
      				int* _t121;
      
      				 *_t121 = __ecx;
      				_t117 = __edx;
      				_t118 = __eax;
      				if(__edx ==  *_t121) {
      					L29:
      					_t62 =  *0x4313e4; // 0x0
      					 *((char*)(_t118 + 0x98)) = _t62;
      					return _t62;
      				}
      				if(( *(__eax + 0x1c) & 0x00000001) == 0) {
      					_t107 =  *0x4313dc; // 0x1f
      				} else {
      					_t107 =  *((intOrPtr*)(__eax + 0x98));
      				}
      				if((_t107 & 0x00000001) == 0) {
      					_t119 =  *(_t118 + 0x40);
      				} else {
      					_t119 = MulDiv( *(_t118 + 0x40), _t117,  *_t121);
      				}
      				if((_t107 & 0x00000002) == 0) {
      					_t121[1] =  *(_t118 + 0x44);
      				} else {
      					_t121[1] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
      				}
      				if((_t107 & 0x00000004) == 0 || ( *(_t118 + 0x51) & 0x00000001) != 0) {
      					_t64 =  *(_t118 + 0x48);
      					_t121[2] = _t64;
      				} else {
      					if((_t107 & 0x00000001) == 0) {
      						_t64 = MulDiv( *(_t118 + 0x48), _t117,  *_t121);
      						_t121[2] = _t64;
      					} else {
      						_t64 = MulDiv( *(_t118 + 0x40) +  *(_t118 + 0x48), _t117,  *_t121) - _t119;
      						_t121[2] = _t64;
      					}
      				}
      				_t65 = _t64 & 0xffffff00 | (_t107 & 0x00000008) != 0x00000000;
      				if(_t65 == 0 || ( *(_t118 + 0x51) & 0x00000002) != 0) {
      					_t121[3] =  *(_t118 + 0x4c);
      				} else {
      					if(_t65 == 0) {
      						_t121[3] = MulDiv( *(_t118 + 0x44), _t117,  *_t121);
      					} else {
      						_t121[3] = MulDiv( *(_t118 + 0x44) +  *(_t118 + 0x4c), _t117,  *_t121) - _t121[1];
      					}
      				}
      				 *((intOrPtr*)( *_t118 + 0x84))(_t121[4], _t121[2]);
      				_t113 =  *0x4313e4; // 0x0
      				if(_t113 != (_t107 &  *0x4313e0)) {
      					 *(_t118 + 0x90) = MulDiv( *(_t118 + 0x90), _t117,  *_t121);
      				}
      				_t114 =  *0x4313e4; // 0x0
      				if(_t114 != (_t107 &  *0x4313e8)) {
      					 *(_t118 + 0x94) = MulDiv( *(_t118 + 0x94), _t117,  *_t121);
      				}
      				if( *((char*)(_t118 + 0x59)) == 0 && (_t107 & 0x00000010) != 0) {
      					E0041D27C( *((intOrPtr*)(_t118 + 0x68)), MulDiv(E0041D260( *((intOrPtr*)(_t118 + 0x68))), _t117,  *_t121));
      				}
      				goto L29;
      			}














      APIs
      • MulDiv.KERNEL32(?,?,?), ref: 00431271
      • MulDiv.KERNEL32(?,?,?), ref: 0043128B
      • MulDiv.KERNEL32(?,?,?), ref: 004312B9
      • MulDiv.KERNEL32(?,?,?), ref: 004312CF
      • MulDiv.KERNEL32(?,?,?), ref: 00431307
      • MulDiv.KERNEL32(?,?,?), ref: 0043131F
      • MulDiv.KERNEL32(?,?,0000001F), ref: 00431369
      • MulDiv.KERNEL32(?,?,0000001F), ref: 00431392
      • MulDiv.KERNEL32(00000000,?,0000001F), ref: 004313B8
        • Part of subcall function 0041D27C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0041D289
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 098b0c4446974c1bb111ecdceccefacd61e5331f54171c4716306457cd7015ea
      • Instruction ID: c198b9f0cf74150a5434e3188deba4429358b622c54dd92090fd78a39451e7bf
      • Opcode Fuzzy Hash: 098b0c4446974c1bb111ecdceccefacd61e5331f54171c4716306457cd7015ea
      • Instruction Fuzzy Hash: 81517270608340AFD720EB69C885B6BB7E8EF4D304F04585EB9D6D7762C679E840CB29
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E004320D8(void* __ebx, char __ecx, intOrPtr* __edx, void* __edi, void* __esi) {
      				char _v5;
      				struct HDC__* _v12;
      				struct HDC__* _v16;
      				void* _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				int _v32;
      				int _v36;
      				struct HDC__* _t33;
      				intOrPtr _t72;
      				int _t74;
      				intOrPtr _t80;
      				int _t83;
      				void* _t88;
      				int _t89;
      				void* _t92;
      				void* _t93;
      				intOrPtr _t94;
      
      				_t92 = _t93;
      				_t94 = _t93 + 0xffffffe0;
      				_v5 = __ecx;
      				_t74 =  *((intOrPtr*)( *__edx + 0x38))();
      				if(_v5 == 0) {
      					_push(__edx);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_pop(_t88);
      				} else {
      					_push(__edx);
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_pop(_t88);
      				}
      				_v12 = GetDesktopWindow();
      				_push(0x402);
      				_push(0);
      				_t33 = _v12;
      				_push(_t33);
      				L00406E8C();
      				_v16 = _t33;
      				_push(_t92);
      				_push(0x4321f3);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t94;
      				_v20 = SelectObject(_v16, E0041D7DC( *((intOrPtr*)(_t88 + 0x40))));
      				_t89 = _v36;
      				_t83 = _v32;
      				PatBlt(_v16, _t89 + _t74, _t83, _v28 - _t89 - _t74, _t74, 0x5a0049);
      				PatBlt(_v16, _v28 - _t74, _t83 + _t74, _t74, _v24 - _t83 - _t74, 0x5a0049);
      				PatBlt(_v16, _t89, _v24 - _t74, _v28 - _v36 - _t74, _t74, 0x5a0049);
      				PatBlt(_v16, _t89, _t83, _t74, _v24 - _v32 - _t74, 0x5a0049);
      				SelectObject(_v16, _v20);
      				_pop(_t80);
      				 *[fs:eax] = _t80;
      				_push(0x4321fa);
      				_push(_v16);
      				_t72 = _v12;
      				_push(_t72);
      				L004070C4();
      				return _t72;
      			}






















      APIs
      • GetDesktopWindow.USER32 ref: 0043210F
      • 7378ACE0.USER32(?,00000000,00000402), ref: 00432122
      • SelectObject.GDI32(?,00000000), ref: 00432145
      • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 0043216B
      • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 0043218D
      • PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004321AC
      • PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004321C6
      • SelectObject.GDI32(?,?), ref: 004321D3
      • 7378B380.USER32(?,?,004321FA,?,?,00000000,?,005A0049,?,?,?,?,00000000,005A0049,?,?), ref: 004321ED
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378ObjectSelect$B380DesktopWindow
      • String ID:
      • API String ID: 22433824-0
      • Opcode ID: 37c4d84593dd3ae42ff30c0c9270f6dfca7b0fae3bf35af7832107756bb13b55
      • Instruction ID: ae880a1ba14d3d158fb83aa9b903f3fac7ad5fd45487073de2e9ace6734d6ac6
      • Opcode Fuzzy Hash: 37c4d84593dd3ae42ff30c0c9270f6dfca7b0fae3bf35af7832107756bb13b55
      • Instruction Fuzzy Hash: 9B310AB6A00219AFDB00DEEDCD85DAFBBBCFF09704B014565B514F7280C679AD008BA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0040CEE8(void* __ebx, void* __edx, void* __edi, void* __esi) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				char _v36;
      				char _v40;
      				char _v44;
      				char _v48;
      				char _v52;
      				char _v56;
      				char _v60;
      				char _v64;
      				char _v68;
      				void* _t104;
      				void* _t111;
      				void* _t133;
      				intOrPtr _t183;
      				intOrPtr _t193;
      				intOrPtr _t194;
      
      				_t191 = __esi;
      				_t190 = __edi;
      				_t193 = _t194;
      				_t133 = 8;
      				do {
      					_push(0);
      					_push(0);
      					_t133 = _t133 - 1;
      				} while (_t133 != 0);
      				_push(__ebx);
      				_push(_t193);
      				_push(0x40d1b3);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t194;
      				E0040CD70();
      				E0040B6E8(__ebx, __edi, __esi);
      				_t196 =  *0x46c74c;
      				if( *0x46c74c != 0) {
      					E0040B8C0(__esi, _t196);
      				}
      				_t132 = GetThreadLocale();
      				E0040B638(_t43, 0, 0x14,  &_v20);
      				E0040492C(0x46c680, _v20);
      				E0040B638(_t43, 0x40d1c8, 0x1b,  &_v24);
      				 *0x46c684 = E004088D4(0x40d1c8, 0, _t196);
      				E0040B638(_t132, 0x40d1c8, 0x1c,  &_v28);
      				 *0x46c685 = E004088D4(0x40d1c8, 0, _t196);
      				 *0x46c686 = E0040B684(_t132, 0x2c, 0xf);
      				 *0x46c687 = E0040B684(_t132, 0x2e, 0xe);
      				E0040B638(_t132, 0x40d1c8, 0x19,  &_v32);
      				 *0x46c688 = E004088D4(0x40d1c8, 0, _t196);
      				 *0x46c689 = E0040B684(_t132, 0x2f, 0x1d);
      				E0040B638(_t132, "m/d/yy", 0x1f,  &_v40);
      				E0040B970(_v40, _t132,  &_v36, _t190, _t191, _t196);
      				E0040492C(0x46c68c, _v36);
      				E0040B638(_t132, "mmmm d, yyyy", 0x20,  &_v48);
      				E0040B970(_v48, _t132,  &_v44, _t190, _t191, _t196);
      				E0040492C(0x46c690, _v44);
      				 *0x46c694 = E0040B684(_t132, 0x3a, 0x1e);
      				E0040B638(_t132, 0x40d1fc, 0x28,  &_v52);
      				E0040492C(0x46c698, _v52);
      				E0040B638(_t132, 0x40d208, 0x29,  &_v56);
      				E0040492C(0x46c69c, _v56);
      				E004048D8( &_v12);
      				E004048D8( &_v16);
      				E0040B638(_t132, 0x40d1c8, 0x25,  &_v60);
      				_t104 = E004088D4(0x40d1c8, 0, _t196);
      				_t197 = _t104;
      				if(_t104 != 0) {
      					E00404970( &_v8, 0x40d220);
      				} else {
      					E00404970( &_v8, 0x40d214);
      				}
      				E0040B638(_t132, 0x40d1c8, 0x23,  &_v64);
      				_t111 = E004088D4(0x40d1c8, 0, _t197);
      				_t198 = _t111;
      				if(_t111 == 0) {
      					E0040B638(_t132, 0x40d1c8, 0x1005,  &_v68);
      					if(E004088D4(0x40d1c8, 0, _t198) != 0) {
      						E00404970( &_v12, 0x40d23c);
      					} else {
      						E00404970( &_v16, 0x40d22c);
      					}
      				}
      				_push(_v12);
      				_push(_v8);
      				_push(":mm");
      				_push(_v16);
      				E00404C58();
      				_push(_v12);
      				_push(_v8);
      				_push(":mm:ss");
      				_push(_v16);
      				E00404C58();
      				 *0x46c74e = E0040B684(_t132, 0x2c, 0xc);
      				_pop(_t183);
      				 *[fs:eax] = _t183;
      				_push(E0040D1BA);
      				return E004048FC( &_v68, 0x10);
      			}


























      APIs
      • GetThreadLocale.KERNEL32(00000000,0040D1B3,?,?,00000000,00000000), ref: 0040CF1E
        • Part of subcall function 0040B638: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B656
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Locale$InfoThread
      • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
      • API String ID: 4232894706-2493093252
      • Opcode ID: 56f923654593bfae368de075c9df8220eb4e5b76a80f637dcfa023cebec2a070
      • Instruction ID: c2726c3c68ac77323091e169219a832fa7da435cfe39de50c9f9add7e225d03f
      • Opcode Fuzzy Hash: 56f923654593bfae368de075c9df8220eb4e5b76a80f637dcfa023cebec2a070
      • Instruction Fuzzy Hash: A0616D70A002489BDB00FBF5D881A9E73A6DB89304F50943BF140BB3C2DA3DD90A975E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0040F49C(short* __eax, intOrPtr __ecx, intOrPtr* __edx) {
      				char _v260;
      				char _v768;
      				char _v772;
      				short* _v776;
      				intOrPtr _v780;
      				char _v784;
      				signed int _v788;
      				intOrPtr _v792;
      				signed short* _v796;
      				char _v800;
      				char _v804;
      				intOrPtr* _v808;
      				void* __ebp;
      				signed char _t51;
      				signed int _t58;
      				void* _t66;
      				intOrPtr* _t78;
      				intOrPtr* _t96;
      				void* _t98;
      				void* _t100;
      				void* _t103;
      				void* _t104;
      				intOrPtr* _t114;
      				void* _t118;
      				char* _t119;
      				void* _t120;
      
      				_t105 = __ecx;
      				_v780 = __ecx;
      				_t96 = __edx;
      				_v776 = __eax;
      				if(( *(__edx + 1) & 0x00000020) == 0) {
      					E0040F0C8(0x80070057);
      				}
      				_t51 =  *_t96;
      				if((_t51 & 0x00000fff) != 0xc) {
      					_push(_t96);
      					_push(_v776);
      					L0040DE70();
      					return E0040F0C8(_v776);
      				} else {
      					if((_t51 & 0x00000040) == 0) {
      						_v796 =  *((intOrPtr*)(_t96 + 8));
      					} else {
      						_v796 =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 8))));
      					}
      					_v788 =  *_v796 & 0x0000ffff;
      					_t98 = _v788 - 1;
      					if(_t98 < 0) {
      						L9:
      						_push( &_v772);
      						_t58 = _v788;
      						_push(_t58);
      						_push(0xc);
      						L0040E2C4();
      						_v792 = _t58;
      						if(_v792 == 0) {
      							E0040EE20(_t105);
      						}
      						E0040F3F4(_v776);
      						 *_v776 = 0x200c;
      						 *((intOrPtr*)(_v776 + 8)) = _v792;
      						_t100 = _v788 - 1;
      						if(_t100 < 0) {
      							L14:
      							_t102 = _v788 - 1;
      							if(E0040F410(_v788 - 1, _t120) != 0) {
      								L0040E2DC();
      								E0040F0C8(_v796);
      								L0040E2DC();
      								E0040F0C8(_v792);
      								_v780(_v792,  &_v260,  &_v804, _v796,  &_v260,  &_v800);
      							}
      							_t66 = E0040F440(_t102, _t120);
      						} else {
      							_t103 = _t100 + 1;
      							_t78 =  &_v768;
      							_t114 =  &_v260;
      							do {
      								 *_t114 =  *_t78;
      								_t114 = _t114 + 4;
      								_t78 = _t78 + 8;
      								_t103 = _t103 - 1;
      							} while (_t103 != 0);
      							do {
      								goto L14;
      							} while (_t66 != 0);
      							return _t66;
      						}
      					} else {
      						_t104 = _t98 + 1;
      						_t118 = 0;
      						_t119 =  &_v772;
      						do {
      							_v808 = _t119;
      							_push(_v808 + 4);
      							_t18 = _t118 + 1; // 0x1
      							_push(_v796);
      							L0040E2CC();
      							E0040F0C8(_v796);
      							_push( &_v784);
      							_t21 = _t118 + 1; // 0x1
      							_push(_v796);
      							L0040E2D4();
      							E0040F0C8(_v796);
      							 *_v808 = _v784 -  *((intOrPtr*)(_v808 + 4)) + 1;
      							_t118 = _t118 + 1;
      							_t119 = _t119 + 8;
      							_t104 = _t104 - 1;
      						} while (_t104 != 0);
      						goto L9;
      					}
      				}
      			}






























      APIs
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040F535
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040F551
      • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0040F58A
      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040F616
      • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 0040F635
      • VariantCopy.OLEAUT32(?), ref: 0040F66A
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ArraySafe$BoundIndex$CopyCreateVariant
      • String ID:
      • API String ID: 351091851-3916222277
      • Opcode ID: baeb25ac06f96c8515e0fed36bf9f82691e4b8c6b6133a71e019f514abc52bdc
      • Instruction ID: 15d3758d2a5a9403b9a3bbd0e9fbb6db2431489fc7bdac348310d8cb89a44716
      • Opcode Fuzzy Hash: baeb25ac06f96c8515e0fed36bf9f82691e4b8c6b6133a71e019f514abc52bdc
      • Instruction Fuzzy Hash: C851FB759006199BCB21DB59CC81BCAB3FCAB58304F0045FAE508F7652D634AF898F69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetActiveWindow.USER32 ref: 004515AB
      • GetWindowRect.USER32 ref: 00451605
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0045163D
      • MessageBoxA.USER32 ref: 0045167E
      • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,004516F4,?,00000000,004516ED), ref: 004516CE
      • SetActiveWindow.USER32(?,004516F4,?,00000000,004516ED), ref: 004516DF
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$Active$MessageRect
      • String ID: (
      • API String ID: 3147912190-3887548279
      • Opcode ID: 2b6ca47d3059bc5c5a05a6855793ebf69327f869ab6cf8e0711f9d88323ac823
      • Instruction ID: 66f402cd9f23fe9e2a664917c56bc5a04429c54bc63046723d33c655f483df75
      • Opcode Fuzzy Hash: 2b6ca47d3059bc5c5a05a6855793ebf69327f869ab6cf8e0711f9d88323ac823
      • Instruction Fuzzy Hash: AD412E75E00108AFDB00DFA9DD95FAEB7F9EB48704F14456AF900E7392DA74AD048B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00419D80(void* __eax, void* __ebx, void* __edi, void* __esi) {
      				char _v5;
      				intOrPtr* _v12;
      				long _v16;
      				char _v20;
      				char _v24;
      				long _t22;
      				char _t29;
      				void* _t53;
      				intOrPtr _t55;
      				intOrPtr* _t62;
      				intOrPtr _t63;
      				void* _t72;
      				void* _t73;
      				intOrPtr _t74;
      
      				_t72 = _t73;
      				_t74 = _t73 + 0xffffffec;
      				_push(__esi);
      				_push(__edi);
      				_t53 = __eax;
      				_t22 = GetCurrentThreadId();
      				_t62 =  *0x46b7e0; // 0x46c030
      				if(_t22 !=  *_t62) {
      					_v24 = GetCurrentThreadId();
      					_v20 = 0;
      					_t55 =  *0x46b678; // 0x4110cc
      					E0040BEFC(_t53, _t55, 1, __edi, __esi, 0,  &_v24);
      					E004042EC();
      				}
      				if(_t53 <= 0) {
      					E00419D58();
      				} else {
      					E00419D64(_t53);
      				}
      				_v16 = 0;
      				_push(0x46c868);
      				L0040698C();
      				_push(_t72);
      				_push(0x419f0e);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t74;
      				_v16 = InterlockedExchange( &E0045640C, _v16);
      				_push(_t72);
      				_push(0x419eef);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t74;
      				if(_v16 == 0 ||  *((intOrPtr*)(_v16 + 8)) <= 0) {
      					_t29 = 0;
      				} else {
      					_t29 = 1;
      				}
      				_v5 = _t29;
      				if(_v5 == 0) {
      					L15:
      					_pop(_t63);
      					 *[fs:eax] = _t63;
      					_push(E00419EF6);
      					return E00403B64(_v16);
      				} else {
      					if( *((intOrPtr*)(_v16 + 8)) > 0) {
      						_v12 = E0041449C(_v16, _t55, 0);
      						E00414378(_v16, _t55, 0);
      						L00406AB4();
      						 *[fs:eax] = _t74;
      						 *[fs:eax] = _t74;
      						 *((intOrPtr*)( *_v12 + 8))( *[fs:eax], 0x419e8a, _t72,  *[fs:eax], 0x419eb9, _t72, 0x46c868);
      						 *[fs:eax] = 0;
      						 *[fs:eax] = 0;
      						_push(E00419EC0);
      						_push(0x46c868);
      						L0040698C();
      						return 0;
      					} else {
      						goto L15;
      					}
      				}
      			}


















      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00419D8B
      • GetCurrentThreadId.KERNEL32 ref: 00419D9A
        • Part of subcall function 00419D58: ResetEvent.KERNEL32(0000020C,00419DD5,?,?,00000000), ref: 00419D5E
      • RtlEnterCriticalSection.KERNEL32(0046C868,?,?,00000000), ref: 00419DDF
      • InterlockedExchange.KERNEL32(0045640C,?), ref: 00419DFB
      • RtlLeaveCriticalSection.KERNEL32(0046C868,00000000,00419EEF,?,00000000,00419F0E,?,0046C868,?,?,00000000), ref: 00419E54
      • RtlEnterCriticalSection.KERNEL32(0046C868,00419EC0,00419EEF,?,00000000,00419F0E,?,0046C868,?,?,00000000), ref: 00419EB3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
      • String ID: X,A
      • API String ID: 2189153385-2768551090
      • Opcode ID: e851f31c554365943d2ac228477d01e95c3e3d9d91df8e4f3fa742532e1117ae
      • Instruction ID: a285526081f8a0445214b6b2a325e4f08541f03a7f7ef6d2d1d78b6f03e10ea9
      • Opcode Fuzzy Hash: e851f31c554365943d2ac228477d01e95c3e3d9d91df8e4f3fa742532e1117ae
      • Instruction Fuzzy Hash: 1931C230A04304AFD701DFA6D862AAAB7F8EB49704F618477F80493692D77D5D80CA2E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00422FFC(struct HMONITOR__* _a4, struct tagMONITORINFO* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				struct HMONITOR__* _t27;
      				struct tagMONITORINFO* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x46c924 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 && _t29->cbSize >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						_t29->rcMonitor.left = 0;
      						_t29->rcMonitor.top = 0;
      						_t29->rcMonitor.right = GetSystemMetrics(0);
      						_t29->rcMonitor.bottom = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00406B4C();
      						}
      						_t24 = 1;
      					}
      				} else {
      					 *0x46c908 = E00422CC0(4, _t23, "GetMonitorInfo",  *0x46c908, _t29);
      					_t24 = GetMonitorInfoA(_t27, _t29);
      				}
      				return _t24;
      			}













      APIs
      • GetMonitorInfoA.USER32(?,?), ref: 0042302D
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423054
      • GetSystemMetrics.USER32 ref: 00423069
      • GetSystemMetrics.USER32 ref: 00423074
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 0042309E
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfo
      • API String ID: 1539801207-1633989206
      • Opcode ID: 6f3f26f0c919de9f46d0a5fe48af0521eda6471f6e329d2e39841d0d6f5f9833
      • Instruction ID: a89bf11f80ae6f66d7493d90eb4cec5ec9485e51c08f07ca31a93578d613b3d3
      • Opcode Fuzzy Hash: 6f3f26f0c919de9f46d0a5fe48af0521eda6471f6e329d2e39841d0d6f5f9833
      • Instruction Fuzzy Hash: 6911A2717013245EE7209F61AC847ABB7F8EB05711F40453BE99597240E6B8A94487AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 39%
      			E0043ED94(void* __eax, intOrPtr __ecx, intOrPtr __edx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v28;
      				char _v44;
      				void* __edi;
      				void* __ebp;
      				void* _t46;
      				void* _t57;
      				intOrPtr _t85;
      				intOrPtr _t96;
      				void* _t117;
      				void* _t118;
      				void* _t127;
      				struct HDC__* _t136;
      				struct HDC__* _t137;
      				intOrPtr* _t138;
      				void* _t139;
      
      				_t119 = __ecx;
      				_t135 = __ecx;
      				_v8 = __edx;
      				_t118 = __eax;
      				_t46 = E0043E558(__eax);
      				if(_t46 != 0) {
      					_t142 = _a4;
      					if(_a4 == 0) {
      						__eflags =  *((intOrPtr*)(_t118 + 0x54));
      						if( *((intOrPtr*)(_t118 + 0x54)) == 0) {
      							_t138 = E0042054C(1);
      							 *((intOrPtr*)(_t118 + 0x54)) = _t138;
      							E0042188C(_t138, 1);
      							 *((intOrPtr*)( *_t138 + 0x40))();
      							_t119 =  *_t138;
      							 *((intOrPtr*)( *_t138 + 0x34))();
      						}
      						E0041D7A8( *((intOrPtr*)(E00420B1C( *((intOrPtr*)(_t118 + 0x54))) + 0x14)), _t119, 0xffffff, _t135, _t139, __eflags);
      						E00413054(0,  *((intOrPtr*)(_t118 + 0x34)), 0,  &_v44,  *((intOrPtr*)(_t118 + 0x30)));
      						_push( &_v44);
      						_t57 = E00420B1C( *((intOrPtr*)(_t118 + 0x54)));
      						_pop(_t127);
      						E0041DB4C(_t57, _t127);
      						_push(0);
      						_push(0);
      						_push(0xffffffff);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(0);
      						_push(E0041DE34(E00420B1C( *((intOrPtr*)(_t118 + 0x54)))));
      						_push(_v8);
      						_push(E0043E72C(_t118));
      						L00422C18();
      						E00413054(_a16, _a16 +  *((intOrPtr*)(_t118 + 0x34)), _a12,  &_v28, _a12 +  *((intOrPtr*)(_t118 + 0x30)));
      						_v12 = E0041DE34(E00420B1C( *((intOrPtr*)(_t118 + 0x54))));
      						E0041D7A8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000014, _t135, _t139, __eflags);
      						_t136 = E0041DE34(_t135);
      						SetTextColor(_t136, 0xffffff);
      						SetBkColor(_t136, 0);
      						_push(0xe20746);
      						_push(0);
      						_push(0);
      						_push(_v12);
      						_push( *((intOrPtr*)(_t118 + 0x30)));
      						_push( *((intOrPtr*)(_t118 + 0x34)));
      						_push(_a12 + 1);
      						_t85 = _a16 + 1;
      						__eflags = _t85;
      						_push(_t85);
      						_push(_t136);
      						L00406B6C();
      						E0041D7A8( *((intOrPtr*)(_t135 + 0x14)), _a16 +  *((intOrPtr*)(_t118 + 0x34)), 0xff000010, _t135, _t139, _t85);
      						_t137 = E0041DE34(_t135);
      						SetTextColor(_t137, 0xffffff);
      						SetBkColor(_t137, 0);
      						_push(0xe20746);
      						_push(0);
      						_push(0);
      						_push(_v12);
      						_push( *((intOrPtr*)(_t118 + 0x30)));
      						_push( *((intOrPtr*)(_t118 + 0x34)));
      						_push(_a12);
      						_t96 = _a16;
      						_push(_t96);
      						_push(_t137);
      						L00406B6C();
      						return _t96;
      					}
      					_push(_a8);
      					_push(E0043E354(_t142));
      					E0043ED6C(_t118, _t142);
      					_push(E0043E354(_t142));
      					_push(0);
      					_push(0);
      					_push(_a12);
      					_push(_a16);
      					_push(E0041DE34(__ecx));
      					_push(_v8);
      					_t117 = E0043E72C(_t118);
      					_push(_t117);
      					L00422C18();
      					return _t117;
      				}
      				return _t46;
      			}

      APIs
      • 73D62430.COMCTL32(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,?), ref: 0043EDF3
      • 73D62430.COMCTL32(00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,00000000), ref: 0043EE94
      • SetTextColor.GDI32(00000000,00FFFFFF), ref: 0043EEE1
      • SetBkColor.GDI32(00000000,00000000), ref: 0043EEE9
      • 737997E0.GDI32(00000000,?,?,?,?,00000000,00000000,00000000,00E20746,00000000,00000000,00000000,00FFFFFF,00000000,?,00000000), ref: 0043EF0E
        • Part of subcall function 0043ED6C: 73D62240.COMCTL32(00000000,?,0043EDCD,00000000,?), ref: 0043ED82
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ColorD62430$737997D62240Text
      • String ID:
      • API String ID: 2178344089-0
      • Opcode ID: 707f29c04f5bfe275a08a91d6d5e01a6ee8f0b39a4aeb7a77dae45df836df917
      • Instruction ID: 9a228d83069efd19e909f83f9a07dc298576aa025255ab145eab9811997b93c2
      • Opcode Fuzzy Hash: 707f29c04f5bfe275a08a91d6d5e01a6ee8f0b39a4aeb7a77dae45df836df917
      • Instruction Fuzzy Hash: AE511D71701114ABDB50EF69CD82F9E37ECAF08308F54116AB905EB2C6CA78EC458B69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 74%
      			E0044DEEC(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				short _v22;
      				intOrPtr _v28;
      				struct HWND__* _v32;
      				char _v36;
      				intOrPtr _t50;
      				intOrPtr _t56;
      				intOrPtr _t60;
      				intOrPtr _t61;
      				intOrPtr _t62;
      				intOrPtr _t65;
      				intOrPtr _t66;
      				intOrPtr _t68;
      				intOrPtr _t70;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t85;
      				void* _t90;
      				void* _t107;
      				intOrPtr _t122;
      				void* _t124;
      				void* _t127;
      				void* _t128;
      				intOrPtr _t129;
      
      				_t125 = __esi;
      				_t124 = __edi;
      				_t107 = __ecx;
      				_t105 = __ebx;
      				_t127 = _t128;
      				_t129 = _t128 + 0xffffffe0;
      				_push(__ebx);
      				_push(__esi);
      				_v36 = 0;
      				_v8 = __eax;
      				_push(_t127);
      				_push(0x44e1b4);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t129;
      				E0042FE7C();
      				if( *((char*)(_v8 + 0x57)) != 0 ||  *((intOrPtr*)( *_v8 + 0x50))() == 0 || ( *(_v8 + 0x2f4) & 0x00000008) != 0 ||  *((char*)(_v8 + 0x22f)) == 1) {
      					_t50 =  *0x46b5c0; // 0x41b370
      					E004064A4(_t50, _t107,  &_v36);
      					E0040BE04(_v36, 1);
      					E004042EC();
      				}
      				if(GetCapture() != 0) {
      					SendMessageA(GetCapture(), 0x1f, 0, 0);
      				}
      				ReleaseCapture();
      				_t56 =  *0x46cb44; // 0x2131268
      				E004503CC(_t56);
      				_push(_t127);
      				_push(0x44e197);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				 *(_v8 + 0x2f4) =  *(_v8 + 0x2f4) | 0x00000008;
      				_v32 = GetActiveWindow();
      				_t60 =  *0x456c98; // 0x1
      				_v20 = _t60;
      				_t61 =  *0x46cb48; // 0x2130e74
      				_t20 = _t61 + 0x78; // 0x2131e80
      				_t62 =  *0x46cb48; // 0x2130e74
      				_t21 = _t62 + 0x7c; // 0x21310b8
      				E00414520( *_t21,  *_t20, 0);
      				_t65 =  *0x46cb48; // 0x2130e74
      				 *((intOrPtr*)(_t65 + 0x78)) = _v8;
      				_t66 =  *0x46cb48; // 0x2130e74
      				_t24 = _t66 + 0x44; // 0x0
      				_v22 =  *_t24;
      				_t68 =  *0x46cb48; // 0x2130e74
      				E0044F3E8(_t68,  *_t20, 0);
      				_t70 =  *0x46cb48; // 0x2130e74
      				_t26 = _t70 + 0x48; // 0x0
      				_v28 =  *_t26;
      				_v16 = E0044828C(0, _t105, _t124, _t125);
      				_push(_t127);
      				_push(0x44e175);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				E0044DE3C(_v8);
      				_push(_t127);
      				_push(0x44e0d4);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t129;
      				SendMessageA(E00437E18(_v8), 0xb000, 0, 0);
      				 *((intOrPtr*)(_v8 + 0x24c)) = 0;
      				do {
      					_t80 =  *0x46cb44; // 0x2131268
      					E00451264(_t80, _t124, _t125);
      					_t82 =  *0x46cb44; // 0x2131268
      					if( *((char*)(_t82 + 0x9c)) == 0) {
      						if( *((intOrPtr*)(_v8 + 0x24c)) != 0) {
      							E0044DD9C(_v8);
      						}
      					} else {
      						 *((intOrPtr*)(_v8 + 0x24c)) = 2;
      					}
      					_t85 =  *((intOrPtr*)(_v8 + 0x24c));
      				} while (_t85 == 0);
      				_v12 = _t85;
      				SendMessageA(E00437E18(_v8), 0xb001, 0, 0);
      				_t90 = E00437E18(_v8);
      				if(_t90 != GetActiveWindow()) {
      					_v32 = 0;
      				}
      				_pop(_t122);
      				 *[fs:eax] = _t122;
      				_push(0x44e0db);
      				return E0044DE34();
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CaptureMessageSend$ActiveWindow$Release
      • String ID:
      • API String ID: 862346643-0
      • Opcode ID: 58a25ff4fad44ffa98fa071c469def08ac5b944469847cd3c4c467831081d3fa
      • Instruction ID: eb4f281bd60a3402f6c66af9be58fcf7d5c47a4495fac0670c78fe3c6ba7442f
      • Opcode Fuzzy Hash: 58a25ff4fad44ffa98fa071c469def08ac5b944469847cd3c4c467831081d3fa
      • Instruction Fuzzy Hash: 46514E70A00204DFE710EF6AC986B6A77F1EB48704F1580BAF900A73A2D779AD40CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00435E54(void* __eax, void* __ecx, struct HDC__* __edx, void* __eflags, intOrPtr _a4) {
      				int _v8;
      				int _v12;
      				int _v16;
      				char _v20;
      				struct tagRECT _v36;
      				signed int _t54;
      				intOrPtr _t59;
      				int _t61;
      				void* _t63;
      				void* _t66;
      				void* _t82;
      				int _t97;
      				struct HDC__* _t98;
      
      				_t98 = __edx;
      				_t82 = __eax;
      				 *(__eax + 0x54) =  *(__eax + 0x54) | 0x00000080;
      				_v16 = SaveDC(__edx);
      				E0042FF58(__edx, _a4, __ecx);
      				IntersectClipRect(__edx, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
      				_t97 = 0;
      				_v12 = 0;
      				if((GetWindowLongA(E00437E18(_t82), 0xffffffec) & 0x00000002) == 0) {
      					_t54 = GetWindowLongA(E00437E18(_t82), 0xfffffff0);
      					__eflags = _t54 & 0x00800000;
      					if((_t54 & 0x00800000) != 0) {
      						_v12 = 3;
      						_t97 = 0xa00f;
      					}
      				} else {
      					_v12 = 0xa;
      					_t97 = 0x200f;
      				}
      				if(_t97 != 0) {
      					SetRect( &_v36, 0, 0,  *(_t82 + 0x48),  *(_t82 + 0x4c));
      					DrawEdge(_t98,  &_v36, _v12, _t97);
      					E0042FF58(_t98, _v36.top, _v36.left);
      					IntersectClipRect(_t98, 0, 0, _v36.right - _v36.left, _v36.bottom - _v36.top);
      				}
      				E004327D0(_t82, _t98, 0x14, 0);
      				_t86 = _t98;
      				E004327D0(_t82, _t98, 0xf, 0);
      				_t59 =  *((intOrPtr*)(_t82 + 0x19c));
      				if(_t59 == 0) {
      					L12:
      					_t61 = RestoreDC(_t98, _v16);
      					 *(_t82 + 0x54) =  *(_t82 + 0x54) & 0x0000ff7f;
      					return _t61;
      				} else {
      					_t63 =  *((intOrPtr*)(_t59 + 8)) - 1;
      					if(_t63 < 0) {
      						goto L12;
      					}
      					_v20 = _t63 + 1;
      					_v8 = 0;
      					do {
      						_t66 = E0041449C( *((intOrPtr*)(_t82 + 0x19c)), _t86, _v8);
      						_t106 =  *((char*)(_t66 + 0x57));
      						if( *((char*)(_t66 + 0x57)) != 0) {
      							_t86 =  *(_t66 + 0x40);
      							E00435E54(_t66,  *(_t66 + 0x40), _t98, _t106,  *((intOrPtr*)(_t66 + 0x44)));
      						}
      						_v8 = _v8 + 1;
      						_t36 =  &_v20;
      						 *_t36 = _v20 - 1;
      					} while ( *_t36 != 0);
      					goto L12;
      				}
      			}

      APIs
      • SaveDC.GDI32 ref: 00435E6A
        • Part of subcall function 0042FF58: GetWindowOrgEx.GDI32(?), ref: 0042FF66
        • Part of subcall function 0042FF58: SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 0042FF7C
      • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00435E8B
      • GetWindowLongA.USER32 ref: 00435EA1
      • GetWindowLongA.USER32 ref: 00435EC3
      • SetRect.USER32 ref: 00435EEF
      • DrawEdge.USER32(?,?,?,00000000), ref: 00435EFE
      • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00435F23
      • RestoreDC.GDI32(?,?), ref: 00435F94
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
      • String ID:
      • API String ID: 2976466617-0
      • Opcode ID: f9e26ffe4571dd729e1cf50b159abf15a6283f5f3e3b2bae9b7f5ebf713b45b0
      • Instruction ID: 1d0fc055e3057bc6be84515fafcb08faf8c850cfdb8b8653d77c6ea408536d6f
      • Opcode Fuzzy Hash: f9e26ffe4571dd729e1cf50b159abf15a6283f5f3e3b2bae9b7f5ebf713b45b0
      • Instruction Fuzzy Hash: F14151717006146BDB10DBA9CC81FAF73B8AF49304F10506AF905EB3C2DA79DD0187A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 26%
      			E0041E76C(void* __ebx) {
      				intOrPtr _v8;
      				char _v1000;
      				char _v1004;
      				char _v1032;
      				signed int _v1034;
      				short _v1036;
      				void* _t24;
      				intOrPtr _t25;
      				intOrPtr _t27;
      				intOrPtr _t29;
      				intOrPtr _t45;
      				intOrPtr _t52;
      				void* _t54;
      				void* _t55;
      
      				_t54 = _t55;
      				_v1036 = 0x300;
      				_v1034 = 0x10;
      				_t25 = E00402C94(_t24, 0x40,  &_v1032);
      				_push(0);
      				L00406E84();
      				_v8 = _t25;
      				_push(_t54);
      				_push(0x41e869);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t55 + 0xfffffbf8;
      				_push(0x68);
      				_t27 = _v8;
      				_push(_t27);
      				L00406C1C();
      				_t45 = _t27;
      				if(_t45 >= 0x10) {
      					_push( &_v1032);
      					_push(8);
      					_push(0);
      					_push(_v8);
      					L00406C44();
      					if(_v1004 != 0xc0c0c0) {
      						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x424);
      						_push(8);
      						_push(_t45 - 8);
      						_push(_v8);
      						L00406C44();
      					} else {
      						_push( &_v1004);
      						_push(1);
      						_push(_t45 - 8);
      						_push(_v8);
      						L00406C44();
      						_push(_t54 + (_v1034 & 0x0000ffff) * 4 - 0x420);
      						_push(7);
      						_push(_t45 - 7);
      						_push(_v8);
      						L00406C44();
      						_push( &_v1000);
      						_push(1);
      						_push(7);
      						_push(_v8);
      						L00406C44();
      					}
      				}
      				_pop(_t52);
      				 *[fs:eax] = _t52;
      				_push(0x41e870);
      				_t29 = _v8;
      				_push(_t29);
      				_push(0);
      				L004070C4();
      				return _t29;
      			}

      APIs
      • 7378AC50.USER32(00000000), ref: 0041E79A
      • 7378AD70.GDI32(?,00000068,00000000,0041E869,?,00000000), ref: 0041E7B6
      • 7378AEF0.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041E869,?,00000000), ref: 0041E7D5
      • 7378AEF0.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041E869,?,00000000), ref: 0041E7F9
      • 7378AEF0.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0041E869), ref: 0041E817
      • 7378AEF0.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0041E82B
      • 7378AEF0.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041E869,?,00000000), ref: 0041E84B
      • 7378B380.USER32(00000000,?,0041E870,0041E869,?,00000000), ref: 0041E863
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$B380
      • String ID:
      • API String ID: 817970651-0
      • Opcode ID: fd0a5334b902864453333915ee58f3efc6d325d3a237711051c36d0237587c53
      • Instruction ID: 39bd1d0bad21efe5f8305bbd28f511103f406e3f222305ad1130873fe7bf5d97
      • Opcode Fuzzy Hash: fd0a5334b902864453333915ee58f3efc6d325d3a237711051c36d0237587c53
      • Instruction Fuzzy Hash: DC2188B5944208AAEB14DB95CD85F9E73ACEB08704F5104A6FB05F71C1D6799E508B28
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E004416EC(void* __eax, void* __ebx, char __ecx, struct HMENU__* __edx, void* __edi, void* __esi) {
      				char _v5;
      				char _v12;
      				char _v13;
      				struct tagMENUITEMINFOA _v61;
      				char _v68;
      				intOrPtr _t103;
      				CHAR* _t109;
      				char _t115;
      				short _t149;
      				void* _t154;
      				intOrPtr _t161;
      				intOrPtr _t184;
      				struct HMENU__* _t186;
      				int _t190;
      				void* _t192;
      				intOrPtr _t193;
      				void* _t196;
      				void* _t205;
      
      				_t155 = __ecx;
      				_v68 = 0;
      				_v12 = 0;
      				_v5 = __ecx;
      				_t186 = __edx;
      				_t154 = __eax;
      				_push(_t196);
      				_push(0x441947);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t196 + 0xffffffc0;
      				if( *((char*)(__eax + 0x3e)) == 0) {
      					L22:
      					_pop(_t161);
      					 *[fs:eax] = _t161;
      					_push(0x44194e);
      					E004048D8( &_v68);
      					return E004048D8( &_v12);
      				}
      				E00404970( &_v12,  *((intOrPtr*)(__eax + 0x30)));
      				if(E004436A8(_t154) <= 0) {
      					__eflags =  *((short*)(_t154 + 0x60));
      					if( *((short*)(_t154 + 0x60)) == 0) {
      						L8:
      						if((GetVersion() & 0x000000ff) < 4) {
      							_t190 =  *(0x456c18 + ((E00404CE4( *((intOrPtr*)(_t154 + 0x30)), 0x44196c) & 0xffffff00 | __eflags == 0x00000000) & 0x0000007f) * 4) |  *0x00456C0C |  *0x00456BFC |  *0x00456C04 | 0x00000400;
      							_t103 = E004436A8(_t154);
      							__eflags = _t103;
      							if(_t103 <= 0) {
      								InsertMenuA(_t186, 0xffffffff, _t190,  *(_t154 + 0x50) & 0x0000ffff, E00404D98(_v12));
      							} else {
      								_t109 = E00404D98( *((intOrPtr*)(_t154 + 0x30)));
      								InsertMenuA(_t186, 0xffffffff, _t190 | 0x00000010, E00441BFC(_t154), _t109);
      							}
      							goto L22;
      						}
      						_v61.cbSize = 0x2c;
      						_v61.fMask = 0x3f;
      						_t192 = E00443C64(_t154);
      						if(_t192 == 0 ||  *((char*)(_t192 + 0x40)) == 0 && E00443280(_t154) == 0) {
      							if( *((intOrPtr*)(_t154 + 0x4c)) == 0) {
      								L14:
      								_t115 = 0;
      								goto L16;
      							}
      							_t205 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x4c)))) + 0x1c))();
      							if(_t205 == 0) {
      								goto L15;
      							}
      							goto L14;
      						} else {
      							L15:
      							_t115 = 1;
      							L16:
      							_v13 = _t115;
      							_v61.fType =  *(0x456c4c + ((E00404CE4( *((intOrPtr*)(_t154 + 0x30)), 0x44196c) & 0xffffff00 | _t205 == 0x00000000) & 0x0000007f) * 4) |  *0x00456C44 |  *0x00456C20 |  *0x00456C54 |  *0x00456C5C;
      							_v61.fState =  *0x00456C2C |  *0x00456C3C |  *0x00456C34;
      							_v61.wID =  *(_t154 + 0x50) & 0x0000ffff;
      							_v61.hSubMenu = 0;
      							_v61.hbmpChecked = 0;
      							_v61.hbmpUnchecked = 0;
      							_v61.dwTypeData = E00404D98(_v12);
      							if(E004436A8(_t154) > 0) {
      								_v61.hSubMenu = E00441BFC(_t154);
      							}
      							InsertMenuItemA(_t186, 0xffffffff, 0xffffffff,  &_v61);
      							goto L22;
      						}
      					}
      					_t193 =  *((intOrPtr*)(_t154 + 0x64));
      					__eflags = _t193;
      					if(_t193 == 0) {
      						L7:
      						_push(_v12);
      						_push(0x441960);
      						E00440D50( *((intOrPtr*)(_t154 + 0x60)), _t154, _t155,  &_v68, _t193);
      						_push(_v68);
      						E00404C58();
      						goto L8;
      					}
      					__eflags =  *((intOrPtr*)(_t193 + 0x64));
      					if( *((intOrPtr*)(_t193 + 0x64)) != 0) {
      						goto L7;
      					}
      					_t184 =  *0x4405e0; // 0x44062c
      					_t149 = E00403CFC( *((intOrPtr*)(_t193 + 4)), _t184);
      					__eflags = _t149;
      					if(_t149 != 0) {
      						goto L8;
      					}
      					goto L7;
      				}
      				_v61.hSubMenu = E00441BFC(_t154);
      				goto L8;
      			}

      APIs
      • InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00441898
      • GetVersion.KERNEL32(00000000,00441947), ref: 00441788
        • Part of subcall function 00441BFC: CreatePopupMenu.USER32(?,00441903,00000000,00000000,00441947), ref: 00441C17
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$CreateInsertItemPopupVersion
      • String ID: ,$?
      • API String ID: 133695497-2308483597
      • Opcode ID: d1f5b3cf978b9f5722e8298c37ee5795b50dff1361a45379b4a582d3befc9905
      • Instruction ID: e4d0fab2e31781f77f441a05a6ba8dd24b2d582e3e60d977e0d702b3de60ac92
      • Opcode Fuzzy Hash: d1f5b3cf978b9f5722e8298c37ee5795b50dff1361a45379b4a582d3befc9905
      • Instruction Fuzzy Hash: 0561F370A002459BEB11EF7ADC8169E7BF6BF09310F45847AE980E73A6D738D885C758
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 69%
      			E0043942C(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _v8;
      				void _v12;
      				intOrPtr _v16;
      				int _v24;
      				int _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr* _t80;
      				intOrPtr _t91;
      				void* _t119;
      				intOrPtr _t136;
      				intOrPtr _t145;
      				void* _t148;
      
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t119 = __ecx;
      				_v8 = __eax;
      				_t145 =  *0x46b7bc; // 0x46cb48
      				 *((char*)(_v8 + 0x210)) = 1;
      				_push(_t148);
      				_push(0x439605);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t148 + 0xffffffe0;
      				E0043164C(_v8, __ecx, __ecx, _t145);
      				_v16 = _v16 + 4;
      				E00432874(_v8,  &_v28);
      				if(E0044EEBC() <  *(_v8 + 0x4c) + _v24) {
      					_v24 = E0044EEBC() -  *(_v8 + 0x4c);
      				}
      				if(E0044EEC8() <  *(_v8 + 0x48) + _v28) {
      					_v28 = E0044EEC8() -  *(_v8 + 0x48);
      				}
      				if(E0044EEB0() > _v28) {
      					_v28 = E0044EEB0();
      				}
      				if(E0044EEA4() > _v16) {
      					_v16 = E0044EEA4();
      				}
      				SetWindowPos(E00437E18(_v8), 0xffffffff, _v28, _v24,  *(_v8 + 0x48),  *(_v8 + 0x4c), 0x10);
      				if(GetTickCount() -  *((intOrPtr*)(_v8 + 0x214)) > 0xfa && E00404B98(_t119) < 0x64 &&  *0x456a44 != 0) {
      					SystemParametersInfoA(0x1016, 0,  &_v12, 0);
      					if(_v12 != 0) {
      						SystemParametersInfoA(0x1018, 0,  &_v12, 0);
      						if(_v12 == 0) {
      							E0043C714( &_v36);
      							if(_v32 <= _v24) {
      							}
      						}
      						 *0x456a44(E00437E18(_v8), 0x64,  *0x00456B4C | 0x00040000);
      					}
      				}
      				_t80 =  *0x46b67c; // 0x46cb44
      				_t45 =  *_t80 + 0x30; // 0x4027c
      				E0043554C(_v8,  *_t45);
      				ShowWindow(E00437E18(_v8), 4);
      				 *((intOrPtr*)( *_v8 + 0x7c))();
      				_pop(_t136);
      				 *[fs:eax] = _t136;
      				_push(0x43960c);
      				 *((intOrPtr*)(_v8 + 0x214)) = GetTickCount();
      				_t91 = _v8;
      				 *((char*)(_t91 + 0x210)) = 0;
      				return _t91;
      			}

















      APIs
      • SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,00439605), ref: 00439511
      • GetTickCount.KERNEL32 ref: 00439516
      • SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 00439551
      • SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 00439569
      • AnimateWindow.USER32(00000000,00000064,00000001), ref: 004395AF
      • ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,00439605), ref: 004395D2
        • Part of subcall function 0043C714: GetCursorPos.USER32(?), ref: 0043C718
      • GetTickCount.KERNEL32 ref: 004395EC
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
      • String ID:
      • API String ID: 3024527889-0
      • Opcode ID: df6c58887c6be061eae9981cbc8ba43000c01f594903f80d6240c5a5477a673b
      • Instruction ID: 67e04669aa9ea3489385b358af07f7ecd2cc72626154f995072ba44e89128775
      • Opcode Fuzzy Hash: df6c58887c6be061eae9981cbc8ba43000c01f594903f80d6240c5a5477a673b
      • Instruction Fuzzy Hash: 4C514074A00105EFDB10DF99C982A9EB3F5EF49304F2045AAF540EB391D7B9AE40DB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E0044F124(intOrPtr __eax, void* __ebx, void* __fp0) {
      				intOrPtr _v8;
      				int _v12;
      				void* _v16;
      				char _v20;
      				intOrPtr* _v24;
      				struct HKL__* _v280;
      				char _v536;
      				char _v600;
      				char _v604;
      				intOrPtr _v608;
      				char _v612;
      				void* _t60;
      				intOrPtr _t106;
      				intOrPtr _t111;
      				void* _t117;
      				void* _t118;
      				intOrPtr _t119;
      				void* _t129;
      
      				_t129 = __fp0;
      				_t117 = _t118;
      				_t119 = _t118 + 0xfffffda0;
      				_v612 = 0;
      				_v8 = __eax;
      				_push(_t117);
      				_push(0x44f2cf);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t119;
      				if( *((intOrPtr*)(_v8 + 0x34)) != 0) {
      					L11:
      					_pop(_t106);
      					 *[fs:eax] = _t106;
      					_push(0x44f2d6);
      					return E004048D8( &_v612);
      				} else {
      					 *((intOrPtr*)(_v8 + 0x34)) = E00403B34(1);
      					E004048D8(_v8 + 0x38);
      					_t60 = GetKeyboardLayoutList(0x40,  &_v280) - 1;
      					if(_t60 < 0) {
      						L10:
      						 *((char*)( *((intOrPtr*)(_v8 + 0x34)) + 0x1d)) = 0;
      						E004160B8( *((intOrPtr*)(_v8 + 0x34)), 1);
      						goto L11;
      					} else {
      						_v20 = _t60 + 1;
      						_v24 =  &_v280;
      						do {
      							if(E0043CB84( *_v24) == 0) {
      								goto L9;
      							} else {
      								_v608 =  *_v24;
      								_v604 = 0;
      								if(RegOpenKeyExA(0x80000002, E0040949C( &_v600, "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x", _t129, 0), 0, 0x20019,  &_v16) != 0) {
      									goto L9;
      								} else {
      									_push(_t117);
      									_push(0x44f28b);
      									_push( *[fs:eax]);
      									 *[fs:eax] = _t119;
      									_v12 = 0x100;
      									if(RegQueryValueExA(_v16, "layout text", 0, 0,  &_v536,  &_v12) == 0) {
      										E00404B48( &_v612, 0x100,  &_v536);
      										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x34)))) + 0x3c))();
      										if( *_v24 ==  *((intOrPtr*)(_v8 + 0x3c))) {
      											E00404B48(_v8 + 0x38, 0x100,  &_v536);
      										}
      									}
      									_pop(_t111);
      									 *[fs:eax] = _t111;
      									_push(0x44f292);
      									return RegCloseKey(_v16);
      								}
      							}
      							goto L12;
      							L9:
      							_v24 = _v24 + 4;
      							_t38 =  &_v20;
      							 *_t38 = _v20 - 1;
      						} while ( *_t38 != 0);
      						goto L10;
      					}
      				}
      				L12:
      			}






















      APIs
      • GetKeyboardLayoutList.USER32(00000040,?,00000000,0044F2CF,?,02130E74,?,0044F331,00000000,?,00433BDB), ref: 0044F17A
      • RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0044F1E2
      • RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0044F28B,?,80000002,00000000), ref: 0044F21C
      • RegCloseKey.ADVAPI32(?,0044F292,00000000,?,00000100,00000000,0044F28B,?,80000002,00000000), ref: 0044F285
      Strings
      • System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0044F1CC
      • layout text, xrefs: 0044F213
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CloseKeyboardLayoutListOpenQueryValue
      • String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
      • API String ID: 1703357764-2652665750
      • Opcode ID: eec2337d4c8d7f66bcb07747ab87540415c365c81a97c9a4b0ed036f84a3f6eb
      • Instruction ID: fd7d794bf0c162bd441325baaff7307b401368f5ecd94fb19ba0f25925eb07ad
      • Opcode Fuzzy Hash: eec2337d4c8d7f66bcb07747ab87540415c365c81a97c9a4b0ed036f84a3f6eb
      • Instruction Fuzzy Hash: E9415878A002089FEB10DF55C981B9EB7F8FB48304FA140E6E904A7391D779AE04CB68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040BBA4(intOrPtr* __eax, void* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v277;
      				char _v538;
      				char _v794;
      				struct _MEMORY_BASIC_INFORMATION _v824;
      				char _v828;
      				intOrPtr _v832;
      				char _v836;
      				intOrPtr _v840;
      				char _v844;
      				intOrPtr _v848;
      				char _v852;
      				char* _v856;
      				char _v860;
      				char _v864;
      				char _v1120;
      				void* __edi;
      				struct HINSTANCE__* _t45;
      				intOrPtr _t58;
      				struct HINSTANCE__* _t60;
      				void* _t78;
      				intOrPtr* _t83;
      				void* _t94;
      				void* _t95;
      				void* _t102;
      
      				_t102 = __fp0;
      				_t84 = __ecx;
      				_t94 = __ecx;
      				_t95 = __edx;
      				_t83 = __eax;
      				VirtualQuery(__edx,  &_v824, 0x1c);
      				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
      					_t45 =  *0x46c664; // 0x400000
      					GetModuleFileNameA(_t45,  &_v538, 0x105);
      					_v16 = E0040BB98(_t95);
      				} else {
      					_v16 = _t95 - _v824.AllocationBase;
      				}
      				E00408E78( &_v277, 0x104, E0040CBF4( &_v538, _t84, 0x5c) + 1);
      				_v8 = 0x40bd34;
      				_v12 = 0x40bd34;
      				_t91 =  *0x4077dc; // 0x407828
      				if(E00403CFC(_t83, _t91) != 0) {
      					_v8 = E00404D98( *((intOrPtr*)(_t83 + 4)));
      					_t78 = E00408E14(_v8, _t94);
      					if(_t78 != 0) {
      						_t91 = _v8;
      						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
      							_v12 = 0x40bd38;
      						}
      					}
      				}
      				_t58 =  *0x46b7ac; // 0x40757c
      				_t21 = _t58 + 4; // 0xffe8
      				_t60 =  *0x46c664; // 0x400000
      				LoadStringA(E00405968(_t60, 0x104, _t91),  *_t21,  &_v794, 0x100);
      				E00403AB4( *_t83,  &_v1120);
      				_v864 =  &_v1120;
      				_v860 = 4;
      				_v856 =  &_v277;
      				_v852 = 6;
      				_v848 = _v16;
      				_v844 = 5;
      				_v840 = _v8;
      				_v836 = 6;
      				_v832 = _v12;
      				_v828 = 6;
      				E004094E8(_t94, _a4, _t102, 4,  &_v864);
      				return E00408E14(_t94, _t94);
      			}































      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BBC0
      • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BBE4
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BBFF
      • LoadStringA.USER32 ref: 0040BCA3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: FileModuleName$LoadQueryStringVirtual
      • String ID: (x@$|u@
      • API String ID: 3990497365-2291341854
      • Opcode ID: 1731b340877cca40a34b0de9256f9de50e0fd6ff9aeb664e2b29b402426ee421
      • Instruction ID: 144af244921c4d452298036bcd81ec518ef00dcd9967971ed7532ac73858d96f
      • Opcode Fuzzy Hash: 1731b340877cca40a34b0de9256f9de50e0fd6ff9aeb664e2b29b402426ee421
      • Instruction Fuzzy Hash: AB412A70A042589FDB11DB59CD81B9EB7F8AB48304F0440FAA548F7281D778AF848F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040BBA2(intOrPtr* __eax, void* __ecx, void* __edx, intOrPtr _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v277;
      				char _v538;
      				char _v794;
      				struct _MEMORY_BASIC_INFORMATION _v824;
      				char _v828;
      				intOrPtr _v832;
      				char _v836;
      				intOrPtr _v840;
      				char _v844;
      				intOrPtr _v848;
      				char _v852;
      				char* _v856;
      				char _v860;
      				char _v864;
      				char _v1120;
      				void* __edi;
      				struct HINSTANCE__* _t45;
      				intOrPtr _t58;
      				struct HINSTANCE__* _t60;
      				void* _t78;
      				intOrPtr* _t84;
      				void* _t97;
      				void* _t100;
      				void* _t114;
      
      				_t86 = __ecx;
      				_t97 = __ecx;
      				_t100 = __edx;
      				_t84 = __eax;
      				VirtualQuery(__edx,  &_v824, 0x1c);
      				if(_v824.State != 0x1000 || GetModuleFileNameA(_v824.AllocationBase,  &_v538, 0x105) == 0) {
      					_t45 =  *0x46c664; // 0x400000
      					GetModuleFileNameA(_t45,  &_v538, 0x105);
      					_v16 = E0040BB98(_t100);
      				} else {
      					_v16 = _t100 - _v824.AllocationBase;
      				}
      				E00408E78( &_v277, 0x104, E0040CBF4( &_v538, _t86, 0x5c) + 1);
      				_v8 = 0x40bd34;
      				_v12 = 0x40bd34;
      				_t93 =  *0x4077dc; // 0x407828
      				if(E00403CFC(_t84, _t93) != 0) {
      					_v8 = E00404D98( *((intOrPtr*)(_t84 + 4)));
      					_t78 = E00408E14(_v8, _t97);
      					if(_t78 != 0) {
      						_t93 = _v8;
      						if( *((char*)(_v8 + _t78 - 1)) != 0x2e) {
      							_v12 = 0x40bd38;
      						}
      					}
      				}
      				_t58 =  *0x46b7ac; // 0x40757c
      				_t21 = _t58 + 4; // 0xffe8
      				_t60 =  *0x46c664; // 0x400000
      				LoadStringA(E00405968(_t60, 0x104, _t93),  *_t21,  &_v794, 0x100);
      				E00403AB4( *_t84,  &_v1120);
      				_v864 =  &_v1120;
      				_v860 = 4;
      				_v856 =  &_v277;
      				_v852 = 6;
      				_v848 = _v16;
      				_v844 = 5;
      				_v840 = _v8;
      				_v836 = 6;
      				_v832 = _v12;
      				_v828 = 6;
      				E004094E8(_t97, _a4, _t114, 4,  &_v864);
      				return E00408E14(_t97, _t97);
      			}































      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BBC0
      • GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BBE4
      • GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BBFF
      • LoadStringA.USER32 ref: 0040BCA3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: FileModuleName$LoadQueryStringVirtual
      • String ID: (x@$|u@
      • API String ID: 3990497365-2291341854
      • Opcode ID: 35d60d3dbf83b984d0b046bbec8ad2c5a8bd50e4be904628b84fd9c23bf5923d
      • Instruction ID: e08c57e5f6a9bf275a395eb3491679692d8408584d6fd5129d587d676a0911c9
      • Opcode Fuzzy Hash: 35d60d3dbf83b984d0b046bbec8ad2c5a8bd50e4be904628b84fd9c23bf5923d
      • Instruction Fuzzy Hash: D6412A70A042589FDB11DB59CD81B9EB7F8AB48304F4440FAA548F7291D778AF848F99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0043FB50(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				void* __ecx;
      				intOrPtr _t9;
      				void* _t11;
      				intOrPtr _t17;
      				void* _t28;
      				void* _t29;
      				intOrPtr _t33;
      				intOrPtr _t34;
      				intOrPtr _t37;
      				struct HINSTANCE__* _t41;
      				void* _t43;
      				intOrPtr _t45;
      				intOrPtr _t46;
      
      				_t45 = _t46;
      				_push(_t29);
      				_push(__ebx);
      				_t43 = __edx;
      				_t28 = __eax;
      				if( *0x46cb2c == 0) {
      					 *0x46cb2c = E0040C65C("comctl32.dll", __eax, _t29);
      					if( *0x46cb2c >= 0x60000) {
      						_t41 = GetModuleHandleA("comctl32.dll");
      						if(_t41 != 0) {
      							 *0x46cb30 = GetProcAddress(_t41, "ImageList_WriteEx");
      						}
      					}
      				}
      				_v8 = E0041AA28(_t43, 1, 0);
      				_push(_t45);
      				_push(0x43fc4a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t46;
      				if( *0x46cb30 == 0) {
      					_t9 = _v8;
      					if(_t9 != 0) {
      						_t9 = _t9 - 0xffffffec;
      					}
      					_push(_t9);
      					_t11 = E0043E72C(_t28);
      					_push(_t11);
      					L00422C70();
      					if(_t11 == 0) {
      						_t33 =  *0x46b564; // 0x41b338
      						E0040BEC0(_t33, 1);
      						E004042EC();
      					}
      				} else {
      					_t17 = _v8;
      					if(_t17 != 0) {
      						_t17 = _t17 - 0xffffffec;
      					}
      					_push(_t17);
      					_push(1);
      					_push(E0043E72C(_t28));
      					if( *0x46cb30() != 0) {
      						_t34 =  *0x46b564; // 0x41b338
      						E0040BEC0(_t34, 1);
      						E004042EC();
      					}
      				}
      				_pop(_t37);
      				 *[fs:eax] = _t37;
      				_push(0x43fc51);
      				return E00403B64(_v8);
      			}


















      APIs
        • Part of subcall function 0040C65C: 742514E0.VERSION(00000000,?,00000000,0040C732), ref: 0040C69E
        • Part of subcall function 0040C65C: 742514C0.VERSION(00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6D3
        • Part of subcall function 0040C65C: 74251500.VERSION(?,0040C744,?,?,00000000,?,00000000,?,00000000,0040C715,?,00000000,?,00000000,0040C732), ref: 0040C6ED
      • GetModuleHandleA.KERNEL32(comctl32.dll), ref: 0043FB84
      • GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 0043FB95
      • 73D61DE0.COMCTL32(00000000,?,00000000,0043FC4A), ref: 0043FC14
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 742514$74251500AddressHandleModuleProc
      • String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll
      • API String ID: 3069411263-3125200627
      • Opcode ID: 30cf3bd0f5ded0b80061ddcad914296c81d52aaee9392bb9df43af14e36d402e
      • Instruction ID: 14d13adbdd305d33ec53a1630c0ac2ed87c3c5209a849f5dc31fa6189d313e8a
      • Opcode Fuzzy Hash: 30cf3bd0f5ded0b80061ddcad914296c81d52aaee9392bb9df43af14e36d402e
      • Instruction Fuzzy Hash: 1921A3707403049BD710BB76ED96A6A7698EB49758F00203AF805D72A2E77DEC05CA5D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00451074(void* __eax, void* __ecx, struct HWND__** __edx) {
      				intOrPtr _t11;
      				intOrPtr _t20;
      				void* _t30;
      				void* _t31;
      				void* _t33;
      				struct HWND__** _t34;
      				struct HWND__* _t35;
      				struct HWND__* _t36;
      
      				_t31 = __ecx;
      				_t34 = __edx;
      				_t33 = __eax;
      				_t30 = 0;
      				_t11 =  *((intOrPtr*)(__edx + 4));
      				if(_t11 < 0x100 || _t11 > 0x108) {
      					L16:
      					return _t30;
      				} else {
      					_t35 = GetCapture();
      					if(_t35 != 0) {
      						if(GetWindowLongA(_t35, 0xfffffffa) ==  *0x46c664 && SendMessageA(_t35, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
      							_t30 = 1;
      						}
      						goto L16;
      					}
      					_t36 =  *_t34;
      					_t20 =  *((intOrPtr*)(_t33 + 0x44));
      					if(_t20 == 0 || _t36 !=  *((intOrPtr*)(_t20 + 0x254))) {
      						L7:
      						if(E0042E48C(_t36, _t31) == 0 && _t36 != 0) {
      							_t36 = GetParent(_t36);
      							goto L7;
      						}
      						if(_t36 == 0) {
      							_t36 =  *_t34;
      						}
      						goto L11;
      					} else {
      						_t36 = E00437E18(_t20);
      						L11:
      						if(SendMessageA(_t36, _t34[1] + 0xbc00, _t34[2], _t34[3]) != 0) {
      							_t30 = 1;
      						}
      						goto L16;
      					}
      				}
      			}












      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: MessageSend$CaptureLongWindow
      • String ID: x\E
      • API String ID: 1158686931-3038463933
      • Opcode ID: a18b0ea16195927ea1560251186d4dd49965f2c8c69477c0f719873489aab6ea
      • Instruction ID: f7dd9d94a87ca7010372aa881151c0513691ce30f0bb8cd4458cd60783eadbb9
      • Opcode Fuzzy Hash: a18b0ea16195927ea1560251186d4dd49965f2c8c69477c0f719873489aab6ea
      • Instruction Fuzzy Hash: 1111B1712046095FDA60FA5ACD80F6B73DC9B18715B10443AFE6AC3693DB68EC444768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E004230D0(intOrPtr _a4, intOrPtr* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x46c925 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						 *((intOrPtr*)(_t29 + 4)) = 0;
      						 *((intOrPtr*)(_t29 + 8)) = 0;
      						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
      						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00406B4C();
      						}
      						_t24 = 1;
      					}
      				} else {
      					_t26 =  *0x46c90c; // 0x4230d0
      					 *0x46c90c = E00422CC0(5, _t23, "GetMonitorInfoA", _t26, _t29);
      					_t24 =  *0x46c90c(_t27, _t29);
      				}
      				return _t24;
      			}














      APIs
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00423128
      • GetSystemMetrics.USER32 ref: 0042313D
      • GetSystemMetrics.USER32 ref: 00423148
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423172
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: System$Metrics$AddressInfoParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfoA
      • API String ID: 2545840971-1370492664
      • Opcode ID: ac6097c454ad719da8dda2d58e91bb30cd93f99beeb9cccfc549ae54fd839e60
      • Instruction ID: 9e445740adbdd2ef6ecc90156b346c857865989c9a15297efec6ff02d3bb2a3e
      • Opcode Fuzzy Hash: ac6097c454ad719da8dda2d58e91bb30cd93f99beeb9cccfc549ae54fd839e60
      • Instruction Fuzzy Hash: 7011E4717013249FD3209F21AC847B7B7F8EB09711F40452FED9597240E3B8A9548BAA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 47%
      			E004231A4(intOrPtr _a4, intOrPtr* _a8) {
      				void _v20;
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t23;
      				int _t24;
      				intOrPtr _t26;
      				intOrPtr _t27;
      				intOrPtr* _t29;
      				intOrPtr* _t31;
      
      				_t29 = _a8;
      				_t27 = _a4;
      				if( *0x46c926 != 0) {
      					_t24 = 0;
      					if(_t27 == 0x12340042 && _t29 != 0 &&  *_t29 >= 0x28 && SystemParametersInfoA(0x30, 0,  &_v20, 0) != 0) {
      						 *((intOrPtr*)(_t29 + 4)) = 0;
      						 *((intOrPtr*)(_t29 + 8)) = 0;
      						 *((intOrPtr*)(_t29 + 0xc)) = GetSystemMetrics(0);
      						 *((intOrPtr*)(_t29 + 0x10)) = GetSystemMetrics(1);
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_t31 = _t29;
      						 *(_t31 + 0x24) = 1;
      						if( *_t31 >= 0x4c) {
      							_push("DISPLAY");
      							_push(_t31 + 0x28);
      							L00406B4C();
      						}
      						_t24 = 1;
      					}
      				} else {
      					_t26 =  *0x46c910; // 0x4231a4
      					 *0x46c910 = E00422CC0(6, _t23, "GetMonitorInfoW", _t26, _t29);
      					_t24 =  *0x46c910(_t27, _t29);
      				}
      				return _t24;
      			}














      APIs
      • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004231FC
      • GetSystemMetrics.USER32 ref: 00423211
      • GetSystemMetrics.USER32 ref: 0042321C
      • lstrcpy.KERNEL32(?,DISPLAY), ref: 00423246
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: System$Metrics$AddressInfoParametersProclstrcpy
      • String ID: DISPLAY$GetMonitorInfoW
      • API String ID: 2545840971-2774842281
      • Opcode ID: f0f23353ce12fc446d6f611a1500329c3e08f0e505b81f7d477e2e349e608d31
      • Instruction ID: 92a95930b7dbb2e43cf7da8069054c988143aefd076227040f3662121e2edddd
      • Opcode Fuzzy Hash: f0f23353ce12fc446d6f611a1500329c3e08f0e505b81f7d477e2e349e608d31
      • Instruction Fuzzy Hash: B011E471701324DFD7209F61AC807A7B7B8EB05B11F40456BED95D7641D3B8AA048BB9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E0041FB70(int __eax, void* __ecx, intOrPtr __edx) {
      				intOrPtr _v8;
      				int _v12;
      				struct HDC__* _v16;
      				void* _v20;
      				struct tagRGBQUAD _v1044;
      				int _t16;
      				struct HDC__* _t18;
      				int _t31;
      				int _t34;
      				intOrPtr _t41;
      				void* _t43;
      				void* _t46;
      				void* _t48;
      				intOrPtr _t49;
      
      				_t16 = __eax;
      				_t46 = _t48;
      				_t49 = _t48 + 0xfffffbf0;
      				_v8 = __edx;
      				_t43 = __eax;
      				if(__eax == 0 ||  *((short*)(__ecx + 0x26)) > 8) {
      					L4:
      					return _t16;
      				} else {
      					_t16 = E0041E9C0(_v8, 0xff,  &_v1044);
      					_t34 = _t16;
      					if(_t34 == 0) {
      						goto L4;
      					} else {
      						_push(0);
      						L00406E84();
      						_v12 = _t16;
      						_t18 = _v12;
      						_push(_t18);
      						L00406B8C();
      						_v16 = _t18;
      						_v20 = SelectObject(_v16, _t43);
      						_push(_t46);
      						_push(0x41fc1f);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t49;
      						SetDIBColorTable(_v16, 0, _t34,  &_v1044);
      						_pop(_t41);
      						 *[fs:eax] = _t41;
      						_push(0x41fc26);
      						SelectObject(_v16, _v20);
      						DeleteDC(_v16);
      						_t31 = _v12;
      						_push(_t31);
      						_push(0);
      						L004070C4();
      						return _t31;
      					}
      				}
      			}

















      APIs
        • Part of subcall function 0041E9C0: GetObjectA.GDI32(?,00000004), ref: 0041E9D7
        • Part of subcall function 0041E9C0: 7378AEA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,0041FBA6), ref: 0041E9FA
      • 7378AC50.USER32(00000000), ref: 0041FBAE
      • 7378A590.GDI32(?,00000000), ref: 0041FBBA
      • SelectObject.GDI32(?), ref: 0041FBC7
      • SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0041FC1F,?,?,?,?,00000000), ref: 0041FBEB
      • SelectObject.GDI32(?,?), ref: 0041FC05
      • DeleteDC.GDI32(?), ref: 0041FC0E
      • 7378B380.USER32(00000000,?,?,?,?,0041FC26,?,00000000,0041FC1F,?,?,?,?,00000000), ref: 0041FC19
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$Object$Select$A590B380ColorDeleteTable
      • String ID:
      • API String ID: 1557749399-0
      • Opcode ID: f039ca94c31dc70641ab872bb25fbac84322317f477d7ae709d5f1ca63ff91d3
      • Instruction ID: 16edb089605f09cf502277b2f8ef674b599ca8fa43b2d4d88cff0fadc2279c33
      • Opcode Fuzzy Hash: f039ca94c31dc70641ab872bb25fbac84322317f477d7ae709d5f1ca63ff91d3
      • Instruction Fuzzy Hash: EE1154F1D042196FDB10EBE5CC51AAEB7BCEB08704F0144B6BA04E7281D6799D5097A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E0044F3E8(long __eax, void* __ecx, short __edx) {
      				struct tagPOINT _v24;
      				long _t7;
      				long _t12;
      				long _t19;
      				void* _t21;
      				struct HWND__* _t27;
      				short _t28;
      				void* _t30;
      				struct tagPOINT* _t31;
      
      				_t21 = __ecx;
      				_t7 = __eax;
      				_t31 = _t30 + 0xfffffff8;
      				_t28 = __edx;
      				_t19 = __eax;
      				_t1 = _t19 + 0x44; // 0x0
      				if(__edx ==  *_t1) {
      					L6:
      					 *((intOrPtr*)(_t19 + 0x48)) =  *((intOrPtr*)(_t19 + 0x48)) + 1;
      				} else {
      					 *((short*)(__eax + 0x44)) = __edx;
      					if(__edx != 0) {
      						L5:
      						_t7 = SetCursor(E0044F3AC(_t19, _t21, _t28));
      						goto L6;
      					} else {
      						GetCursorPos(_t31);
      						_push(_v24.y);
      						_t27 = WindowFromPoint(_v24);
      						if(_t27 == 0) {
      							goto L5;
      						} else {
      							_t12 = GetWindowThreadProcessId(_t27, 0);
      							if(_t12 != GetCurrentThreadId()) {
      								goto L5;
      							} else {
      								_t7 = SendMessageA(_t27, 0x20, _t27, E00407204(SendMessageA(_t27, 0x84, 0, E0040727C(_t31, _t21)), 0x200));
      							}
      						}
      					}
      				}
      				return _t7;
      			}












      APIs
      • GetCursorPos.USER32 ref: 0044F403
      • WindowFromPoint.USER32(?,?), ref: 0044F410
      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0044F41E
      • GetCurrentThreadId.KERNEL32 ref: 0044F425
      • SendMessageA.USER32 ref: 0044F43E
      • SendMessageA.USER32 ref: 0044F455
      • SetCursor.USER32(00000000), ref: 0044F467
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
      • String ID:
      • API String ID: 1770779139-0
      • Opcode ID: 4a96caaf133c6071876aceb281014162cba453f9f233f6f5e137725b810cdae5
      • Instruction ID: cc77077bdb259fbec7a0cde1ad90a441b9ae268890334a2a6c8aa680c5cdf5b7
      • Opcode Fuzzy Hash: 4a96caaf133c6071876aceb281014162cba453f9f233f6f5e137725b810cdae5
      • Instruction Fuzzy Hash: 7201442260421069E6213A764C86F7B3A589B95B64F10417FB714BA2C3ED7EAC0552BE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040BD3C(void* __edx, void* __edi, void* __fp0) {
      				void _v1024;
      				char _v1088;
      				long _v1092;
      				intOrPtr* _t12;
      				char* _t14;
      				intOrPtr _t16;
      				intOrPtr _t18;
      				intOrPtr _t24;
      				long _t32;
      
      				_t40 = __edx;
      				E0040BBA4(_t12,  &_v1024, __edx, __fp0, 0x400);
      				_t14 =  *0x46b6d8; // 0x46c048
      				if( *_t14 == 0) {
      					_t16 =  *0x46b4ac; // 0x407584
      					_t9 = _t16 + 4; // 0xffe9
      					_t18 =  *0x46c664; // 0x400000
      					LoadStringA(E00405968(_t18,  &_v1024, _t40),  *_t9,  &_v1088, 0x40);
      					return MessageBoxA(0,  &_v1024,  &_v1088, 0x2010);
      				}
      				_t24 =  *0x46b4fc; // 0x46c218
      				E00402BF4(E004031E4(_t24));
      				CharToOemA( &_v1024,  &_v1024);
      				_t32 = E00408E14( &_v1024, __edi);
      				WriteFile(GetStdHandle(0xfffffff4),  &_v1024, _t32,  &_v1092, 0);
      				return WriteFile(GetStdHandle(0xfffffff4), 0x40be00, 2,  &_v1092, 0);
      			}












      APIs
        • Part of subcall function 0040BBA4: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040BBC0
        • Part of subcall function 0040BBA4: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040BBE4
        • Part of subcall function 0040BBA4: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040BBFF
        • Part of subcall function 0040BBA4: LoadStringA.USER32 ref: 0040BCA3
      • CharToOemA.USER32 ref: 0040BD73
      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040BD90
      • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040BD96
      • GetStdHandle.KERNEL32(000000F4,0040BE00,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040BDAB
      • WriteFile.KERNEL32(00000000,000000F4,0040BE00,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040BDB1
      • LoadStringA.USER32 ref: 0040BDD3
      • MessageBoxA.USER32 ref: 0040BDE9
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
      • String ID:
      • API String ID: 185507032-0
      • Opcode ID: 85c01b9bc837a90e5e35f2425109dd276ded37db1ab98f5371a2f7dc0241eb6e
      • Instruction ID: 88993f75e609e6c05d43a856da72bf8b5f3b866b38ce26c44f95a691e609e5c1
      • Opcode Fuzzy Hash: 85c01b9bc837a90e5e35f2425109dd276ded37db1ab98f5371a2f7dc0241eb6e
      • Instruction Fuzzy Hash: 01118CB1204204AAD200F7A5CC82F9BB7ECAF44704F40453BB341F61E2DB79E94487AB
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0044AF08(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr* _v12;
      				struct HDC__* _v16;
      				struct tagPAINTSTRUCT _v80;
      				struct tagRECT _v96;
      				struct tagRECT _v112;
      				signed int _v116;
      				long _v120;
      				void* __ebp;
      				void* _t68;
      				void* _t94;
      				struct HBRUSH__* _t97;
      				intOrPtr _t105;
      				void* _t118;
      				void* _t127;
      				intOrPtr _t140;
      				intOrPtr _t146;
      				void* _t147;
      				void* _t148;
      				void* _t150;
      				void* _t152;
      				intOrPtr _t153;
      
      				_t148 = __esi;
      				_t147 = __edi;
      				_t138 = __edx;
      				_t127 = __ebx;
      				_t150 = _t152;
      				_t153 = _t152 + 0xffffff8c;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t68 =  *_v12 - 0xf;
      				if(_t68 == 0) {
      					_v16 =  *(_v12 + 4);
      					if(_v16 == 0) {
      						 *(_v12 + 4) = BeginPaint( *(_v8 + 0x254),  &_v80);
      					}
      					_push(_t150);
      					_push(0x44b0d6);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t153;
      					if(_v16 == 0) {
      						GetWindowRect( *(_v8 + 0x254),  &_v96);
      						E00431160(_v8,  &_v120,  &_v96);
      						_v96.left = _v120;
      						_v96.top = _v116;
      						E0042FF58( *(_v12 + 4),  ~(_v96.top),  ~(_v96.left));
      					}
      					E00435ACC(_v8, _t127, _v12, _t147, _t148);
      					_pop(_t140);
      					 *[fs:eax] = _t140;
      					_push(0x44b0e4);
      					if(_v16 == 0) {
      						return EndPaint( *(_v8 + 0x254),  &_v80);
      					}
      					return 0;
      				} else {
      					_t94 = _t68 - 5;
      					if(_t94 == 0) {
      						_t97 = E0041D7DC( *((intOrPtr*)(_v8 + 0x170)));
      						 *((intOrPtr*)( *_v8 + 0x44))();
      						FillRect( *(_v12 + 4),  &_v112, _t97);
      						if( *((char*)(_v8 + 0x22f)) == 2 &&  *(_v8 + 0x254) != 0) {
      							GetClientRect( *(_v8 + 0x254),  &_v96);
      							FillRect( *(_v12 + 4),  &_v96, E0041D7DC( *((intOrPtr*)(_v8 + 0x170))));
      						}
      						_t105 = _v12;
      						 *((intOrPtr*)(_t105 + 0xc)) = 1;
      					} else {
      						_t118 = _t94 - 0x2b;
      						if(_t118 == 0) {
      							E0044AE7C(_t150);
      							_t105 = _v8;
      							if( *((char*)(_t105 + 0x22f)) == 2) {
      								if(E0044B3A4(_v8) == 0 || E0044AEC8(_t138, _t150) == 0) {
      									_t146 = 1;
      								} else {
      									_t146 = 0;
      								}
      								_t105 = E004481B8( *(_v8 + 0x254), _t146);
      							}
      						} else {
      							if(_t118 != 0x45) {
      								_t105 = E0044AE7C(_t150);
      							} else {
      								E0044AE7C(_t150);
      								_t105 = _v12;
      								if( *((intOrPtr*)(_t105 + 0xc)) == 1) {
      									_t105 = _v12;
      									 *((intOrPtr*)(_t105 + 0xc)) = 0xffffffff;
      								}
      							}
      						}
      					}
      					return _t105;
      				}
      			}

























      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$FillPaintWindow$BeginCallClientProc
      • String ID:
      • API String ID: 901200654-0
      • Opcode ID: 9a869c079b82b655027981926d51e2dad307dc93e3c9e592dc3aeaecda94e874
      • Instruction ID: 5546fe21ebe14d4d0627032da03186972556e00204f8531e38897413b996db55
      • Opcode Fuzzy Hash: 9a869c079b82b655027981926d51e2dad307dc93e3c9e592dc3aeaecda94e874
      • Instruction Fuzzy Hash: A3510D74900108EFDB10DF99C989E9EB7F8EF48315F1581A6E415A7352C738EE45DB48
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E0041EC74(intOrPtr* __eax, void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, int _a4, signed int* _a8) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				signed int _v16;
      				intOrPtr _v20;
      				signed int _v24;
      				signed int _v32;
      				signed short _v44;
      				int _t36;
      				signed int _t37;
      				signed short _t38;
      				signed int _t39;
      				signed short _t43;
      				signed int* _t47;
      				signed int _t51;
      				intOrPtr _t61;
      				void* _t67;
      				void* _t68;
      				void* _t69;
      				intOrPtr _t70;
      
      				_t68 = _t69;
      				_t70 = _t69 + 0xffffff8c;
      				_v16 = __ecx;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t47 = _a8;
      				_v24 = _v16 << 4;
      				_v20 = E004083B8(_v24, __ecx, __edx, __eflags);
      				 *[fs:edx] = _t70;
      				_t51 = _v24;
      				 *((intOrPtr*)( *_v8 + 0xc))( *[fs:edx], 0x41ef76, _t68, __edi, __esi, __ebx, _t67);
      				if(( *_t47 | _t47[1]) != 0) {
      					_t36 = _a4;
      					 *_t36 =  *_t47;
      					 *(_t36 + 4) = _t47[1];
      				} else {
      					 *_a4 = GetSystemMetrics(0xb);
      					_t36 = GetSystemMetrics(0xc);
      					 *(_a4 + 4) = _t36;
      				}
      				_push(0);
      				L00406E84();
      				_v44 = _t36;
      				if(_v44 == 0) {
      					E0041E124(_t51);
      				}
      				_push(_t68);
      				_push(0x41ed5d);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t70;
      				_push(0xe);
      				_t37 = _v44;
      				_push(_t37);
      				L00406C1C();
      				_push(0xc);
      				_t38 = _v44;
      				_push(_t38);
      				L00406C1C();
      				_t39 = _t37 * _t38;
      				if(_t39 <= 8) {
      					__eflags = 1;
      					_v32 = 1 << _t39;
      				} else {
      					_v32 = 0x7fffffff;
      				}
      				_pop(_t61);
      				 *[fs:eax] = _t61;
      				_push(0x41ed64);
      				_t43 = _v44;
      				_push(_t43);
      				_push(0);
      				L004070C4();
      				return _t43;
      			}






















      APIs
      • GetSystemMetrics.USER32 ref: 0041ECC2
      • GetSystemMetrics.USER32 ref: 0041ECCE
      • 7378AC50.USER32(00000000), ref: 0041ECEA
      • 7378AD70.GDI32(00000000,0000000E,00000000,0041ED5D,?,00000000), ref: 0041ED11
      • 7378AD70.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041ED5D,?,00000000), ref: 0041ED1E
      • 7378B380.USER32(00000000,00000000,0041ED64,0000000E,00000000,0041ED5D,?,00000000), ref: 0041ED57
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$MetricsSystem$B380
      • String ID:
      • API String ID: 3728303498-0
      • Opcode ID: 5e7ef3d29f16827efa9a4db80d3d3277a6475068c5da9ebbd0333d9d559328be
      • Instruction ID: fdda624744f5bb78ea7adb3808b1c0f702476f14a268f150b3c0888b326fc39f
      • Opcode Fuzzy Hash: 5e7ef3d29f16827efa9a4db80d3d3277a6475068c5da9ebbd0333d9d559328be
      • Instruction Fuzzy Hash: 9C318474A00205EFEB00DF66C841AEEBBB5FF49710F10816AF914AB380D6789D81CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 45%
      			E0041F0D8(struct HBITMAP__* __eax, void* __ebx, struct tagBITMAPINFO* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, void* _a8) {
      				char _v5;
      				struct HDC__* _v12;
      				struct HDC__* _v16;
      				struct HDC__* _t29;
      				struct tagBITMAPINFO* _t32;
      				intOrPtr _t39;
      				struct HBITMAP__* _t43;
      				void* _t46;
      
      				_t32 = __ecx;
      				_t43 = __eax;
      				E0041EF88(__eax, _a4, __ecx);
      				_v12 = 0;
      				_push(0);
      				L00406B8C();
      				_v16 = 0;
      				_push(_t46);
      				_push(0x41f175);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t46 + 0xfffffff4;
      				if(__edx != 0) {
      					_push(0);
      					_push(__edx);
      					_t29 = _v16;
      					_push(_t29);
      					L00406CB4();
      					_v12 = _t29;
      					_push(_v16);
      					L00406C8C();
      				}
      				_v5 = GetDIBits(_v16, _t43, 0, _t32->bmiHeader.biHeight, _a8, _t32, 0) != 0;
      				_pop(_t39);
      				 *[fs:eax] = _t39;
      				_push(0x41f17c);
      				if(_v12 != 0) {
      					_push(0);
      					_push(_v12);
      					_push(_v16);
      					L00406CB4();
      				}
      				return DeleteDC(_v16);
      			}











      APIs
        • Part of subcall function 0041EF88: GetObjectA.GDI32(?,00000054), ref: 0041EF9C
      • 7378A590.GDI32(00000000), ref: 0041F0FA
      • 7378B410.GDI32(?,?,00000000,00000000,0041F175,?,00000000), ref: 0041F11B
      • 7378B150.GDI32(?,?,?,00000000,00000000,0041F175,?,00000000), ref: 0041F127
      • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041F13E
      • 7378B410.GDI32(?,00000000,00000000,0041F17C,?,00000000), ref: 0041F166
      • DeleteDC.GDI32(?), ref: 0041F16F
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$B410$A590B150BitsDeleteObject
      • String ID:
      • API String ID: 3290156324-0
      • Opcode ID: cacf3b7ea4fc6c9fd8e11e6e88f0d04e8b1028fb37d3c85a977f1c28d3f165c8
      • Instruction ID: 2d14cdb6178fa079fb5054ddc1dbbf18630837d25fcc18300a2ac5fdc07e22ad
      • Opcode Fuzzy Hash: cacf3b7ea4fc6c9fd8e11e6e88f0d04e8b1028fb37d3c85a977f1c28d3f165c8
      • Instruction Fuzzy Hash: 3C118F75A04604BFEB10DBEACC41F9EBBFCEB4D710F518066B918E7281D6789D418768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0041E000(void* __eax) {
      				void* _t36;
      
      				_t36 = __eax;
      				UnrealizeObject(E0041D7DC( *((intOrPtr*)(__eax + 0x14))));
      				SelectObject( *(_t36 + 4), E0041D7DC( *((intOrPtr*)(_t36 + 0x14))));
      				if(E0041D8BC( *((intOrPtr*)(_t36 + 0x14))) != 0) {
      					SetBkColor( *(_t36 + 4),  !(E0041CB1C(E0041D7A0( *((intOrPtr*)(_t36 + 0x14))))));
      					return SetBkMode( *(_t36 + 4), 1);
      				} else {
      					SetBkColor( *(_t36 + 4), E0041CB1C(E0041D7A0( *((intOrPtr*)(_t36 + 0x14)))));
      					return SetBkMode( *(_t36 + 4), 2);
      				}
      			}




      APIs
        • Part of subcall function 0041D7DC: CreateBrushIndirect.GDI32(?), ref: 0041D886
      • UnrealizeObject.GDI32(00000000), ref: 0041E00C
      • SelectObject.GDI32(?,00000000), ref: 0041E01E
      • SetBkColor.GDI32(?,00000000), ref: 0041E041
      • SetBkMode.GDI32(?,00000002), ref: 0041E04C
      • SetBkColor.GDI32(?,00000000), ref: 0041E067
      • SetBkMode.GDI32(?,00000001), ref: 0041E072
        • Part of subcall function 0041CB1C: GetSysColor.USER32(?), ref: 0041CB26
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
      • String ID:
      • API String ID: 3527656728-0
      • Opcode ID: 0eba57f95b1eb7a7e52097514cce5490da245bebc3ea9af793f404af9ad3f1ec
      • Instruction ID: eaacf97adf682c96b171ad9012bd7526cb0d31b8ce4f07dd8d63fa60998ffb7b
      • Opcode Fuzzy Hash: 0eba57f95b1eb7a7e52097514cce5490da245bebc3ea9af793f404af9ad3f1ec
      • Instruction Fuzzy Hash: 42F07DB5604100ABDF04FFBADAC7D4B6B9C9F08309B05845AB959DF28BCA7DE8504739
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004065CC(intOrPtr* __eax, void* __ebx) {
      				long _t10;
      				void* _t15;
      
      				_t15 = __ebx;
      				 *__eax =  *__eax + __eax;
      				 *0x456008 = 2;
      				 *0x46c014 = 0x40121c;
      				 *0x46c018 = 0x40122c;
      				 *0x46c04a = 2;
      				 *0x46c000 = E00405678;
      				if(E004039A8() != 0) {
      					_t2 = E004039D8();
      				}
      				E00403A9C(_t2);
      				 *0x46c050 = 0xd7b0;
      				 *0x46c21c = 0xd7b0;
      				 *0x46c3e8 = 0xd7b0;
      				 *0x46c03c = GetCommandLineA();
      				 *0x46c038 = E0040134C();
      				if((GetVersion() & 0x80000000) == 0x80000000) {
      					 *0x46c5bc = E004064FC(GetThreadLocale(), _t15, __eflags);
      				} else {
      					if((GetVersion() & 0x000000ff) <= 4) {
      						 *0x46c5bc = E004064FC(GetThreadLocale(), _t15, __eflags);
      					} else {
      						 *0x46c5bc = 3;
      					}
      				}
      				_t10 = GetCurrentThreadId();
      				 *0x46c030 = _t10;
      				return _t10;
      			}





      APIs
        • Part of subcall function 004039A8: GetKeyboardType.USER32(00000000), ref: 004039AD
        • Part of subcall function 004039A8: GetKeyboardType.USER32(00000001), ref: 004039B9
      • GetCommandLineA.KERNEL32 ref: 0040662B
      • GetVersion.KERNEL32 ref: 0040663F
      • GetVersion.KERNEL32 ref: 00406650
      • GetCurrentThreadId.KERNEL32 ref: 0040668C
        • Part of subcall function 004039D8: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004039FA
        • Part of subcall function 004039D8: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403A49,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A2D
        • Part of subcall function 004039D8: RegCloseKey.ADVAPI32(?,00403A50,00000000,?,00000004,00000000,00403A49,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A43
      • GetThreadLocale.KERNEL32 ref: 0040666C
        • Part of subcall function 004064FC: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406562), ref: 00406522
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
      • String ID:
      • API String ID: 3734044017-0
      • Opcode ID: 349c6c40f86b1f50a5df27570e4dc0772abcf4eebb2f929385560f4e1eb47204
      • Instruction ID: 0690ce3d7932e954e6c95205f17d2848fd7043c5711db571c590fee9eabbc34c
      • Opcode Fuzzy Hash: 349c6c40f86b1f50a5df27570e4dc0772abcf4eebb2f929385560f4e1eb47204
      • Instruction Fuzzy Hash: B6012DA4404241D9E710BFF6A8863693A606B0130CF11497FD485B62F2E7BE11549F6F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00455470(void* __eax, void* __ebx, short __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				struct _STARTUPINFOA _v72;
      				struct _PROCESS_INFORMATION _v88;
      				char _v344;
      				char _v348;
      				char _v352;
      				char _v356;
      				char _v360;
      				char _v364;
      				char _v368;
      				CHAR* _t49;
      				int _t54;
      				void* _t67;
      				intOrPtr _t83;
      				short _t86;
      				void* _t88;
      				void* _t91;
      
      				_v360 = 0;
      				_v368 = 0;
      				_v364 = 0;
      				_v348 = 0;
      				_v352 = 0;
      				_v356 = 0;
      				_t86 = __ecx;
      				_t88 = __edx;
      				_t67 = __eax;
      				_push(_t91);
      				_push(0x4555d4);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t91 + 0xfffffe94;
      				_push(0x4555ec);
      				E00404B3C( &_v352, __eax);
      				_push(_v352);
      				_push(0x4555f8);
      				E00404B3C( &_v356, _t88);
      				_push(_v356);
      				E00404C58();
      				E00404B74( &_v344, 0xff, _v348);
      				E00403458( &_v72, 0x44);
      				_v72.cb = 0x44;
      				_v72.dwFlags = 1;
      				_v72.wShowWindow = _t86;
      				E00404B3C( &_v364, _t67);
      				E00408CA4(_v364, 0,  &_v360);
      				_t49 = E00404D98(_v360);
      				E00404B3C( &_v368,  &_v344);
      				_t54 = CreateProcessA(0, E00404D98(_v368), 0, 0, 0, 0x30, 0, _t49,  &_v72,  &_v88);
      				asm("sbb eax, eax");
      				if(_t54 + 1 != 0) {
      					WaitForSingleObject(_v88.hProcess, 0xffffffff);
      					CloseHandle(_v88);
      					CloseHandle(_v88.hThread);
      				}
      				_pop(_t83);
      				 *[fs:eax] = _t83;
      				_push(0x4555db);
      				return E004048FC( &_v368, 6);
      			}




















      APIs
      • CreateProcessA.KERNEL32 ref: 00455588
      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 0045559F
      • CloseHandle.KERNEL32(?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 004555A8
      • CloseHandle.KERNEL32(?,?,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 004555B1
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CloseHandle$CreateObjectProcessSingleWait
      • String ID: D
      • API String ID: 2059082233-2746444292
      • Opcode ID: 5d95f40b83a261ecd77c23f6c59ef93272b92dcc49dce907f9bfaab8f0b37d06
      • Instruction ID: 8b0f59c51457bdf10bff6703a4946882895c5522a0481e7e88c85b554529697c
      • Opcode Fuzzy Hash: 5d95f40b83a261ecd77c23f6c59ef93272b92dcc49dce907f9bfaab8f0b37d06
      • Instruction Fuzzy Hash: 74318471A0031C9BDB20EF95CC81BDEB7B9AF45305F5041BAB508B7281DA799E498F58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E004039D8() {
      				void* _v8;
      				char _v12;
      				int _v16;
      				signed short _t12;
      				signed short _t14;
      				intOrPtr _t27;
      				void* _t29;
      				void* _t31;
      				intOrPtr _t32;
      
      				_t29 = _t31;
      				_t32 = _t31 + 0xfffffff4;
      				_v12 =  *0x456020 & 0x0000ffff;
      				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Borland\\Delphi\\RTL", 0, 1,  &_v8) != 0) {
      					_t12 =  *0x456020; // 0x1372
      					_t14 = _t12 & 0x0000ffc0 | _v12 & 0x0000003f;
      					 *0x456020 = _t14;
      					return _t14;
      				} else {
      					_push(_t29);
      					_push(E00403A49);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t32;
      					_v16 = 4;
      					RegQueryValueExA(_v8, "FPUMaskValue", 0, 0,  &_v12,  &_v16);
      					_pop(_t27);
      					 *[fs:eax] = _t27;
      					_push(0x403a50);
      					return RegCloseKey(_v8);
      				}
      			}













      APIs
      • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004039FA
      • RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00403A49,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A2D
      • RegCloseKey.ADVAPI32(?,00403A50,00000000,?,00000004,00000000,00403A49,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403A43
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CloseOpenQueryValue
      • String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
      • API String ID: 3677997916-4173385793
      • Opcode ID: 27316b8f8cd5900274e4f1b4895b89dd493679d017b8fa7aa149ccf249d7e967
      • Instruction ID: 5c20104701a549195b5fdb06fcc3733637a1384f1186bf63a8a7d0bdce2fcdec
      • Opcode Fuzzy Hash: 27316b8f8cd5900274e4f1b4895b89dd493679d017b8fa7aa149ccf249d7e967
      • Instruction Fuzzy Hash: A3015279A40308B9D711EF90CC42BAE7BACEB08B01F5000BAB905F75D1E6789A109A5C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00441C8C(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, int _a4, char _a8, struct tagRECT* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v16;
      				struct tagRECT _v32;
      				void* _t53;
      				int _t63;
      				CHAR* _t65;
      				void* _t76;
      				void* _t78;
      				int _t89;
      				CHAR* _t91;
      				int _t117;
      				intOrPtr _t127;
      				void* _t139;
      				void* _t144;
      				char _t153;
      
      				_t120 = __ecx;
      				_t143 = _t144;
      				_v16 = 0;
      				_v12 = __ecx;
      				_v8 = __edx;
      				_t139 = __eax;
      				_t117 = _a4;
      				_push(_t144);
      				_push(0x441e70);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t144 + 0xffffffe4;
      				_t53 = E00443C64(__eax);
      				_t135 = _t53;
      				if(_t53 != 0 && E004452D0(_t135) != 0) {
      					if((_t117 & 0x00000000) != 0) {
      						__eflags = (_t117 & 0x00000002) - 2;
      						if((_t117 & 0x00000002) == 2) {
      							_t117 = _t117 & 0xfffffffd;
      							__eflags = _t117;
      						}
      					} else {
      						_t117 = _t117 & 0xffffffff | 0x00000002;
      					}
      					_t117 = _t117 | 0x00020000;
      				}
      				E00404970( &_v16, _v12);
      				if((_t117 & 0x00000004) == 0) {
      					L12:
      					E00404CE4(_v16, 0x441e94);
      					if(_t153 != 0) {
      						E0041D8C4( *((intOrPtr*)(_v8 + 0x14)), _t120, 1, _t135, _t143, __eflags);
      						__eflags =  *((char*)(_t139 + 0x3a));
      						if( *((char*)(_t139 + 0x3a)) != 0) {
      							_t136 =  *((intOrPtr*)(_v8 + 0xc));
      							__eflags = E0041D29C( *((intOrPtr*)(_v8 + 0xc))) |  *0x441e98;
      							E0041D2A8( *((intOrPtr*)(_v8 + 0xc)), E0041D29C( *((intOrPtr*)(_v8 + 0xc))) |  *0x441e98, _t136, _t139, _t143);
      						}
      						__eflags =  *((char*)(_t139 + 0x39));
      						if( *((char*)(_t139 + 0x39)) != 0) {
      							L24:
      							_t63 = E00404B98(_v16);
      							_t65 = E00404D98(_v16);
      							DrawTextA(E0041DE34(_v8), _t65, _t63, _a12, _t117);
      							L25:
      							_pop(_t127);
      							 *[fs:eax] = _t127;
      							_push(0x441e77);
      							return E004048D8( &_v16);
      						} else {
      							__eflags = _a8;
      							if(_a8 == 0) {
      								OffsetRect(_a12, 1, 1);
      								E0041CFDC( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
      								_t89 = E00404B98(_v16);
      								_t91 = E00404D98(_v16);
      								DrawTextA(E0041DE34(_v8), _t91, _t89, _a12, _t117);
      								OffsetRect(_a12, 0xffffffff, 0xffffffff);
      							}
      							__eflags = _a8;
      							if(_a8 == 0) {
      								L23:
      								E0041CFDC( *((intOrPtr*)(_v8 + 0xc)), 0xff000010);
      							} else {
      								_t76 = E0041CB1C(0xff00000d);
      								_t78 = E0041CB1C(0xff000010);
      								__eflags = _t76 - _t78;
      								if(_t76 != _t78) {
      									goto L23;
      								}
      								E0041CFDC( *((intOrPtr*)(_v8 + 0xc)), 0xff000014);
      							}
      							goto L24;
      						}
      					}
      					if((_t117 & 0x00000004) == 0) {
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						_v32.top = _v32.top + 4;
      						DrawEdge(E0041DE34(_v8),  &_v32, 6, 2);
      					}
      					goto L25;
      				} else {
      					if(_v16 == 0) {
      						L11:
      						E00404BA0( &_v16, 0x441e88);
      						goto L12;
      					}
      					if( *_v16 != 0x26) {
      						goto L12;
      					}
      					_t153 =  *((char*)(_v16 + 1));
      					if(_t153 != 0) {
      						goto L12;
      					}
      					goto L11;
      				}
      			}




















      APIs
      • DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00441D5B
      • OffsetRect.USER32(?,00000001,00000001), ref: 00441DAC
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00441DE1
      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00441DEE
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00441E55
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Draw$OffsetRectText$Edge
      • String ID:
      • API String ID: 3610532707-0
      • Opcode ID: 012e0c6567d8a4f38d13f1d28985654d9df42bfff6c03447f621c5b71b720bcc
      • Instruction ID: 182a431e689499876166f5ddaf3d275f09ec157112f7090a91fab08569bc6be2
      • Opcode Fuzzy Hash: 012e0c6567d8a4f38d13f1d28985654d9df42bfff6c03447f621c5b71b720bcc
      • Instruction Fuzzy Hash: 595175B4E40208AFEB10EBA9C881B9EB7E5AF45314F244167F914E73A1C73CED818719
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0042EF7C(intOrPtr __eax, void* __ecx, intOrPtr _a4) {
      				char _v5;
      				char _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				struct HWND__* _v24;
      				intOrPtr _v28;
      				char _v32;
      				struct tagRECT _v48;
      				struct tagRECT _v64;
      				struct HWND__* _t53;
      				intOrPtr _t55;
      				intOrPtr _t60;
      				intOrPtr _t65;
      				intOrPtr _t78;
      				intOrPtr _t84;
      				intOrPtr _t86;
      				intOrPtr _t93;
      				intOrPtr _t98;
      				intOrPtr _t101;
      				void* _t102;
      				intOrPtr* _t104;
      				intOrPtr _t106;
      				intOrPtr _t110;
      				intOrPtr _t112;
      				struct HWND__* _t113;
      				intOrPtr _t114;
      				intOrPtr _t116;
      				intOrPtr _t117;
      
      				_t102 = __ecx;
      				_t101 = __eax;
      				_v5 = 1;
      				_t113 = E0042F3CC(_a4 + 0xfffffff7);
      				_v24 = _t113;
      				_t53 = GetWindow(_t113, 4);
      				_t104 =  *0x46b67c; // 0x46cb44
      				_t4 =  *_t104 + 0x30; // 0x4027c
      				if(_t53 ==  *_t4) {
      					L6:
      					if(_v24 == 0) {
      						L25:
      						return _v5;
      					}
      					_t114 = _t101;
      					while(1) {
      						_t55 =  *((intOrPtr*)(_t114 + 0x30));
      						if(_t55 == 0) {
      							break;
      						}
      						_t114 = _t55;
      					}
      					_t112 = E00437E18(_t114);
      					_v28 = _t112;
      					if(_t112 == _v24) {
      						goto L25;
      					}
      					_t13 = _a4 - 0x10; // 0xe87d83e8
      					_t60 =  *((intOrPtr*)( *_t13 + 0x30));
      					if(_t60 == 0) {
      						_t19 = _a4 - 0x10; // 0xe87d83e8
      						_t106 =  *0x42d6a8; // 0x42d6f4
      						__eflags = E00403CFC( *_t19, _t106);
      						if(__eflags == 0) {
      							__eflags = 0;
      							_v32 = 0;
      						} else {
      							_t21 = _a4 - 0x10; // 0xe87d83e8
      							_v32 = E00437E18( *_t21);
      						}
      						L19:
      						_v12 = 0;
      						_t65 = _a4;
      						_v20 =  *((intOrPtr*)(_t65 - 9));
      						_v16 =  *((intOrPtr*)(_t65 - 5));
      						_push( &_v32);
      						_push(E0042EF10);
      						_push(GetCurrentThreadId());
      						L00406E1C();
      						_t126 = _v12;
      						if(_v12 == 0) {
      							goto L25;
      						}
      						GetWindowRect(_v24,  &_v48);
      						_push(_a4 + 0xfffffff7);
      						_push(_a4 - 1);
      						E00403D6C(_t101, _t126);
      						_t78 =  *0x46cac4; // 0x0
      						_t110 =  *0x42c2b0; // 0x42c2fc
      						if(E00403CFC(_t78, _t110) == 0) {
      							L23:
      							if(IntersectRect( &_v48,  &_v48,  &_v64) != 0) {
      								_v5 = 0;
      							}
      							goto L25;
      						}
      						_t84 =  *0x46cac4; // 0x0
      						if( *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x38)) + 0xa0)) == 0) {
      							goto L23;
      						}
      						_t86 =  *0x46cac4; // 0x0
      						if(E00437E18( *((intOrPtr*)( *((intOrPtr*)(_t86 + 0x38)) + 0xa0))) == _v24) {
      							goto L25;
      						}
      						goto L23;
      					}
      					_t116 = _t60;
      					while(1) {
      						_t93 =  *((intOrPtr*)(_t116 + 0x30));
      						if(_t93 == 0) {
      							break;
      						}
      						_t116 = _t93;
      					}
      					_v32 = E00437E18(_t116);
      					goto L19;
      				}
      				_t117 = E0042E48C(_v24, _t102);
      				if(_t117 == 0) {
      					goto L25;
      				} else {
      					while(1) {
      						_t98 =  *((intOrPtr*)(_t117 + 0x30));
      						if(_t98 == 0) {
      							break;
      						}
      						_t117 = _t98;
      					}
      					_v24 = E00437E18(_t117);
      					goto L6;
      				}
      			}
































      APIs
        • Part of subcall function 0042F3CC: WindowFromPoint.USER32(0042F1A6,0046CAE8,00000000,0042EF96,?,-0000000C,?), ref: 0042F3D2
        • Part of subcall function 0042F3CC: GetParent.USER32(00000000), ref: 0042F3E9
      • GetWindow.USER32(00000000,00000004), ref: 0042EF9E
      • GetCurrentThreadId.KERNEL32 ref: 0042F072
      • 7378AC10.USER32(00000000,0042EF10,?,00000000,00000004,?,-0000000C,?), ref: 0042F078
      • GetWindowRect.USER32 ref: 0042F08F
      • IntersectRect.USER32 ref: 0042F0FD
        • Part of subcall function 0042E48C: GetWindowThreadProcessId.USER32(00000000), ref: 0042E499
        • Part of subcall function 0042E48C: GetCurrentProcessId.KERNEL32(?,?,00000000,004510CB,?,?,x\E,00000001,00451237,?,?,?,x\E), ref: 0042E4A2
        • Part of subcall function 0042E48C: GlobalFindAtomA.KERNEL32 ref: 0042E4B7
        • Part of subcall function 0042E48C: GetPropA.USER32 ref: 0042E4CE
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$CurrentProcessRectThread$7378AtomFindFromGlobalIntersectParentPointProp
      • String ID:
      • API String ID: 1836822760-0
      • Opcode ID: 32e7a0ce21fc6468efdd5a8af69dfba9ca98ba5ebb3b0b98afab73e4d89fd09e
      • Instruction ID: 137467cd1df52c1816048cff667f5ca801d568be4f67f4d55c2ae5c61255c327
      • Opcode Fuzzy Hash: 32e7a0ce21fc6468efdd5a8af69dfba9ca98ba5ebb3b0b98afab73e4d89fd09e
      • Instruction Fuzzy Hash: F8516A71B001199FCB10DF69D881AAEB7F4AB08354F944176F854EB391D738ED05CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E00435ACC(intOrPtr* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				int _v16;
      				int _v20;
      				struct tagPAINTSTRUCT _v84;
      				intOrPtr _t55;
      				void* _t64;
      				struct HDC__* _t75;
      				void* _t76;
      				intOrPtr _t85;
      				void* _t96;
      				void* _t97;
      				void* _t99;
      				void* _t101;
      				void* _t102;
      				intOrPtr _t103;
      
      				_t101 = _t102;
      				_t103 = _t102 + 0xffffffb0;
      				_v12 = __edx;
      				_v8 = __eax;
      				_t75 =  *(_v12 + 4);
      				if(_t75 == 0) {
      					_t75 = BeginPaint(E00437E18(_v8),  &_v84);
      				}
      				_push(_t101);
      				_push(0x435bec);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t103;
      				if( *((intOrPtr*)(_v8 + 0x198)) != 0) {
      					_v20 = SaveDC(_t75);
      					_v16 = 2;
      					_t96 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x198)) + 8)) - 1;
      					if(_t96 >= 0) {
      						_t97 = _t96 + 1;
      						_t99 = 0;
      						do {
      							_t64 = E0041449C( *((intOrPtr*)(_v8 + 0x198)), _t76, _t99);
      							if( *((char*)(_t64 + 0x57)) != 0 || ( *(_t64 + 0x1c) & 0x00000010) != 0 && ( *(_t64 + 0x51) & 0x00000004) == 0) {
      								if(( *(_t64 + 0x50) & 0x00000040) == 0) {
      									goto L11;
      								} else {
      									_v16 = ExcludeClipRect(_t75,  *(_t64 + 0x40),  *(_t64 + 0x44),  *(_t64 + 0x40) +  *((intOrPtr*)(_t64 + 0x48)),  *(_t64 + 0x44) +  *((intOrPtr*)(_t64 + 0x4c)));
      									if(_v16 != 1) {
      										goto L11;
      									}
      								}
      							} else {
      								goto L11;
      							}
      							goto L12;
      							L11:
      							_t99 = _t99 + 1;
      							_t97 = _t97 - 1;
      						} while (_t97 != 0);
      					}
      					L12:
      					if(_v16 != 1) {
      						 *((intOrPtr*)( *_v8 + 0xb8))();
      					}
      					RestoreDC(_t75, _v20);
      				} else {
      					 *((intOrPtr*)( *_v8 + 0xb8))();
      				}
      				E00435C24(_v8, 0, _t75);
      				_pop(_t85);
      				 *[fs:eax] = _t85;
      				_push(0x435bf3);
      				_t55 = _v12;
      				if( *((intOrPtr*)(_t55 + 4)) == 0) {
      					return EndPaint(E00437E18(_v8),  &_v84);
      				}
      				return _t55;
      			}




















      APIs
      • BeginPaint.USER32(00000000,?), ref: 00435AF2
      • SaveDC.GDI32(?), ref: 00435B26
      • ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 00435B88
      • RestoreDC.GDI32(?,?), ref: 00435BB2
      • EndPaint.USER32(00000000,?,00435BF3), ref: 00435BE6
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Paint$BeginClipExcludeRectRestoreSave
      • String ID:
      • API String ID: 3808407030-0
      • Opcode ID: 6687f6df867e5d982a91e4d5fb5af0d6d4973da738b76434e25af3f562d35d4d
      • Instruction ID: 263cb4eb3a935795c8884dd760a37c0eafa3ef7a04034b47aef3d91352590c15
      • Opcode Fuzzy Hash: 6687f6df867e5d982a91e4d5fb5af0d6d4973da738b76434e25af3f562d35d4d
      • Instruction Fuzzy Hash: 2A416D70A046049FCB10DF99C885FAEB7F9FF88304F1590AAE5049B362D739AD40CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00453D80(void* __ecx, void* __edx, void* __eflags, signed int _a4, char _a8, void* _a12) {
      				struct tagRECT _v20;
      				void* __edi;
      				void* __ebp;
      				int _t17;
      				CHAR* _t19;
      				int _t31;
      				CHAR* _t33;
      				int _t43;
      				CHAR* _t45;
      				void* _t49;
      				signed int _t56;
      				int _t57;
      				void* _t61;
      
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t60 = __ecx;
      				_t49 = __edx;
      				_t56 = _a4;
      				E0041D8C4( *((intOrPtr*)(__edx + 0x14)), __ecx, 1, _t56, _t61, __eflags);
      				if(_a8 != 1) {
      					_t57 = _t56 | 0x00000005;
      					__eflags = _t57;
      					_t17 = E00404B98(__ecx);
      					_t19 = E00404D98(__ecx);
      					return DrawTextA(E0041DE34(_t49), _t19, _t17,  &_v20, _t57);
      				}
      				OffsetRect( &_v20, 1, 1);
      				E0041CFDC( *((intOrPtr*)(_t49 + 0xc)), 0xff000014);
      				_t31 = E00404B98(_t60);
      				_t33 = E00404D98(_t60);
      				DrawTextA(E0041DE34(_t49), _t33, _t31,  &_v20, _t56 | 0x00000005);
      				OffsetRect( &_v20, 0xffffffff, 0xffffffff);
      				E0041CFDC( *((intOrPtr*)(_t49 + 0xc)), 0xff000010);
      				_t43 = E00404B98(_t60);
      				_t45 = E00404D98(_t60);
      				return DrawTextA(E0041DE34(_t49), _t45, _t43,  &_v20, _t56 | 0x00000005);
      			}

















      APIs
      • OffsetRect.USER32(?,00000001,00000001), ref: 00453DB6
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00453DEA
      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00453DF7
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00453E29
      • DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00453E50
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: DrawText$OffsetRect
      • String ID:
      • API String ID: 1886049697-0
      • Opcode ID: cf199f867055563e85d2a3860d5de8e01fb4cc991ad6b9c16f8c64af64970a9d
      • Instruction ID: e880a4239c6483592f02f798b1213a2790e069911bc531c280bbf5d7bfd26491
      • Opcode Fuzzy Hash: cf199f867055563e85d2a3860d5de8e01fb4cc991ad6b9c16f8c64af64970a9d
      • Instruction Fuzzy Hash: C021A4B1B006146BCB00FBAE8C42E9F73AD5F55719B01062AB518F72C2DA79ED01436D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00441ACC(int __eax, void* __edx) {
      				signed int _t39;
      				signed int _t40;
      				intOrPtr _t44;
      				int _t46;
      				int _t47;
      				intOrPtr* _t48;
      
      				_t18 = __eax;
      				_t48 = __eax;
      				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
      					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
      						 *((char*)(__eax + 0x74)) = 1;
      						return __eax;
      					}
      					_t19 =  *((intOrPtr*)(__eax + 0x6c));
      					if( *((intOrPtr*)(__eax + 0x6c)) != 0) {
      						return E00441ACC(_t19, __edx);
      					}
      					_t18 = GetMenuItemCount(E00441BFC(__eax));
      					_t47 = _t18;
      					_t40 = _t39 & 0xffffff00 | _t47 == 0x00000000;
      					while(_t47 > 0) {
      						_t46 = _t47 - 1;
      						_t18 = GetMenuState(E00441BFC(_t48), _t46, 0x400);
      						if((_t18 & 0x00000004) == 0) {
      							_t18 = RemoveMenu(E00441BFC(_t48), _t46, 0x400);
      							_t40 = 1;
      						}
      						_t47 = _t47 - 1;
      					}
      					if(_t40 != 0) {
      						if( *((intOrPtr*)(_t48 + 0x64)) != 0) {
      							L14:
      							E0044198C(_t48);
      							L15:
      							return  *((intOrPtr*)( *_t48 + 0x3c))();
      						}
      						_t44 =  *0x4405e0; // 0x44062c
      						if(E00403CFC( *((intOrPtr*)(_t48 + 0x70)), _t44) == 0 || GetMenuItemCount(E00441BFC(_t48)) != 0) {
      							goto L14;
      						} else {
      							DestroyMenu( *(_t48 + 0x34));
      							 *(_t48 + 0x34) = 0;
      							goto L15;
      						}
      					}
      				}
      				return _t18;
      			}










      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5e451218ffa52d327a7f700ccd46ed81c765ce5655709e3f633029332cba1ade
      • Instruction ID: b56c1191e2c34000f66cdb8ae3bed80cf97491a35c303701f8139e3b8a10b13c
      • Opcode Fuzzy Hash: 5e451218ffa52d327a7f700ccd46ed81c765ce5655709e3f633029332cba1ade
      • Instruction Fuzzy Hash: 4E11932174178556FA60AB3A8845B5B3A88DF40748F04402BBD01EB3A7EA3CECC6829C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 22%
      			E00439780(void* __eax, void* __ecx) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v16;
      				intOrPtr* _t14;
      				intOrPtr* _t17;
      				intOrPtr _t19;
      				intOrPtr* _t21;
      				intOrPtr* _t26;
      				intOrPtr _t37;
      				void* _t39;
      				intOrPtr _t48;
      				void* _t50;
      				void* _t52;
      				intOrPtr _t53;
      
      				_t50 = _t52;
      				_t53 = _t52 + 0xfffffff4;
      				_t39 = __eax;
      				if( *((short*)(__eax + 0x68)) == 0xffff) {
      					return __eax;
      				} else {
      					_t14 =  *0x46b530; // 0x46c8f8
      					_t17 =  *0x46b530; // 0x46c8f8
      					_t19 =  *((intOrPtr*)( *_t17))(0xd,  *((intOrPtr*)( *_t14))(0xe, 1, 1, 1));
      					_push(_t19);
      					L00422BBC();
      					_v8 = _t19;
      					_push(_t50);
      					_push(0x439840);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t53;
      					_t21 =  *0x46b7bc; // 0x46cb48
      					E00422BFC(_v8, E0044F3AC( *_t21, __ecx,  *((short*)(__eax + 0x68))));
      					_t26 =  *0x46b7bc; // 0x46cb48
      					E00422BFC(_v8, E0044F3AC( *_t26, __ecx,  *((short*)(_t39 + 0x68))));
      					_push(0);
      					_push(0);
      					_push(0);
      					_push(_v8);
      					L00422C50();
      					_push( &_v16);
      					_push(0);
      					L00422C60();
      					_push(_v12);
      					_push(_v16);
      					_push(1);
      					_push(_v8);
      					L00422C50();
      					_pop(_t48);
      					 *[fs:eax] = _t48;
      					_push(0x439847);
      					_t37 = _v8;
      					_push(_t37);
      					L00422BC4();
      					return _t37;
      				}
      			}


















      APIs
      • 73D61AB0.COMCTL32(00000000), ref: 004397B2
        • Part of subcall function 00422BFC: 73D62140.COMCTL32(0042F6B6,000000FF,00000000,004397E2,00000000,00439840,?,00000000), ref: 00422C00
      • 73D61680.COMCTL32(0042F6B6,00000000,00000000,00000000,00000000,00439840,?,00000000), ref: 00439806
      • 73D61710.COMCTL32(00000000,?,0042F6B6,00000000,00000000,00000000,00000000,00439840,?,00000000), ref: 00439811
      • 73D61680.COMCTL32(0042F6B6,00000001,?,004398A9,00000000,?,0042F6B6,00000000,00000000,00000000,00000000,00439840,?,00000000), ref: 00439824
      • 73D61F60.COMCTL32(0042F6B6,00439847,004398A9,00000000,?,0042F6B6,00000000,00000000,00000000,00000000,00439840,?,00000000), ref: 0043983A
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: D61680$D61710D62140
      • String ID:
      • API String ID: 1125970620-0
      • Opcode ID: a31715465a3db88105490d21400fb65b20826e0832f7d801cc18f99c3501c7d4
      • Instruction ID: 04dcfd23610484ade03f5659bcb94ac882a0431cc456af61f99373ed16655a24
      • Opcode Fuzzy Hash: a31715465a3db88105490d21400fb65b20826e0832f7d801cc18f99c3501c7d4
      • Instruction Fuzzy Hash: B2210E34B50304BFDB10EFA9DD82F6973E8EB49714F5040A6F904DB291EAF5AD408759
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E00420DDC(struct HPALETTE__* __eax) {
      				struct HPALETTE__* _t21;
      				char _t28;
      				signed int _t30;
      				struct HPALETTE__* _t36;
      				struct HPALETTE__* _t37;
      				struct HDC__* _t38;
      				intOrPtr _t39;
      
      				_t21 = __eax;
      				_t36 = __eax;
      				_t39 =  *((intOrPtr*)(__eax + 0x28));
      				if( *((char*)(__eax + 0x30)) == 0 &&  *(_t39 + 0x10) == 0 &&  *((intOrPtr*)(_t39 + 0x14)) != 0) {
      					_t22 =  *((intOrPtr*)(_t39 + 0x14));
      					if( *((intOrPtr*)(_t39 + 0x14)) ==  *((intOrPtr*)(_t39 + 8))) {
      						E0041F834(_t22);
      					}
      					_t21 = E0041E91C( *((intOrPtr*)(_t39 + 0x14)), 1 <<  *(_t39 + 0x3e));
      					_t37 = _t21;
      					 *(_t39 + 0x10) = _t37;
      					if(_t37 == 0) {
      						_push(0);
      						L00406E84();
      						_t21 = E0041E220(_t21);
      						_t38 = _t21;
      						if( *((char*)(_t39 + 0x71)) != 0) {
      							L9:
      							_t28 = 1;
      						} else {
      							_push(0xc);
      							_push(_t38);
      							L00406C1C();
      							_push(0xe);
      							_push(_t38);
      							L00406C1C();
      							_t30 = _t21 * _t21;
      							_t21 = ( *(_t39 + 0x2a) & 0x0000ffff) * ( *(_t39 + 0x28) & 0x0000ffff);
      							if(_t30 < _t21) {
      								goto L9;
      							} else {
      								_t28 = 0;
      							}
      						}
      						 *((char*)(_t39 + 0x71)) = _t28;
      						if(_t28 != 0) {
      							_t21 = CreateHalftonePalette(_t38);
      							 *(_t39 + 0x10) = _t21;
      						}
      						_push(_t38);
      						_push(0);
      						L004070C4();
      						if( *(_t39 + 0x10) == 0) {
      							 *((char*)(_t36 + 0x30)) = 1;
      							return _t21;
      						}
      					}
      				}
      				return _t21;
      			}











      APIs
      • 7378AC50.USER32(00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E32
      • 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E47
      • 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E51
      • CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E75
      • 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E80
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$B380CreateHalftonePalette
      • String ID:
      • API String ID: 2666310534-0
      • Opcode ID: 6d84424d2fca575c002a9887f34ce28436efd986a7945f88fae4c2f9ee98433d
      • Instruction ID: 6b3e1e7543ba2f7766df80ac1a1542bb2fa9d1bf98feacea57c1c3ef672b39da
      • Opcode Fuzzy Hash: 6d84424d2fca575c002a9887f34ce28436efd986a7945f88fae4c2f9ee98433d
      • Instruction Fuzzy Hash: 1911B4217052A95EEB20AF65A4417EF3AD1AB51315F460926FC009A2D2D7BD9CD0C3A9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E0044E630(void* __eax) {
      				void* _t16;
      				void* _t37;
      				void* _t38;
      				signed int _t41;
      
      				_t16 = __eax;
      				_t38 = __eax;
      				if(( *(__eax + 0x1c) & 0x00000010) == 0 &&  *0x456c90 != 0) {
      					_t16 = E0043811C(__eax);
      					if(_t16 != 0) {
      						_t41 = GetWindowLongA(E00437E18(_t38), 0xffffffec);
      						if( *((char*)(_t38 + 0x2e0)) != 0 ||  *((char*)(_t38 + 0x2e8)) != 0) {
      							if((_t41 & 0x00080000) == 0) {
      								SetWindowLongA(E00437E18(_t38), 0xffffffec, _t41 | 0x00080000);
      							}
      							return  *0x456c90(E00437E18(_t38),  *((intOrPtr*)(_t38 + 0x2ec)),  *((intOrPtr*)(_t38 + 0x2e1)),  *0x00456D14 |  *0x00456D1C);
      						} else {
      							SetWindowLongA(E00437E18(_t38), 0xffffffec, _t41 & 0xfff7ffff);
      							_push(0x485);
      							_push(0);
      							_push(0);
      							_t37 = E00437E18(_t38);
      							_push(_t37);
      							L0040709C();
      							return _t37;
      						}
      					}
      				}
      				return _t16;
      			}








      APIs
      • GetWindowLongA.USER32 ref: 0044E664
      • SetWindowLongA.USER32 ref: 0044E696
      • SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0044C21C), ref: 0044E6D0
      • SetWindowLongA.USER32 ref: 0044E6E9
      • 7378B330.USER32(00000000,00000000,00000000,00000485,00000000,000000EC,00000000,00000000,000000EC,?,?,0044C21C), ref: 0044E6FF
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$Long$7378AttributesB330Layered
      • String ID:
      • API String ID: 3858242083-0
      • Opcode ID: d3494097b477fe158a95c0f9ec23be7c4cb547fc35d052ccdc2004122f5e81d4
      • Instruction ID: 563bcc0b09ab3207aded2b51a3433c1e89b572e650543b26cfae182ebdc7ccff
      • Opcode Fuzzy Hash: d3494097b477fe158a95c0f9ec23be7c4cb547fc35d052ccdc2004122f5e81d4
      • Instruction Fuzzy Hash: 8711AB51B4438025DB206F7A8C8AB4B16581B05365F1519BEB995EB2D3CA7CDC44C77C
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E0041E884(intOrPtr __eax) {
      				char _v5;
      				intOrPtr _v12;
      				intOrPtr _t14;
      				intOrPtr _t16;
      				intOrPtr _t18;
      				intOrPtr _t21;
      				intOrPtr _t30;
      				void* _t32;
      				void* _t34;
      				intOrPtr _t35;
      
      				_t32 = _t34;
      				_t35 = _t34 + 0xfffffff8;
      				_v5 = 0;
      				if( *0x46c88c == 0) {
      					return _v5;
      				} else {
      					_push(0);
      					L00406E84();
      					_v12 = __eax;
      					_push(_t32);
      					_push(0x41e90a);
      					_push( *[fs:edx]);
      					 *[fs:edx] = _t35;
      					_push(0x68);
      					_t14 = _v12;
      					_push(_t14);
      					L00406C1C();
      					if(_t14 >= 0x10) {
      						_push(__eax + 4);
      						_push(8);
      						_push(0);
      						_t18 =  *0x46c88c; // 0x4f080689
      						_push(_t18);
      						L00406C2C();
      						_push(__eax + ( *(__eax + 2) & 0x0000ffff) * 4 - 0x1c);
      						_push(8);
      						_push(8);
      						_t21 =  *0x46c88c; // 0x4f080689
      						_push(_t21);
      						L00406C2C();
      						_v5 = 1;
      					}
      					_pop(_t30);
      					 *[fs:eax] = _t30;
      					_push(0x41e911);
      					_t16 = _v12;
      					_push(_t16);
      					_push(0);
      					L004070C4();
      					return _t16;
      				}
      			}














      APIs
      • 7378AC50.USER32(00000000), ref: 0041E89C
      • 7378AD70.GDI32(?,00000068,00000000,0041E90A,?,00000000), ref: 0041E8B8
      • 7378AEA0.GDI32(4F080689,00000000,00000008,?,?,00000068,00000000,0041E90A,?,00000000), ref: 0041E8D0
      • 7378AEA0.GDI32(4F080689,00000008,00000008,?,4F080689,00000000,00000008,?,?,00000068,00000000,0041E90A,?,00000000), ref: 0041E8E8
      • 7378B380.USER32(00000000,?,0041E911,0041E90A,?,00000000), ref: 0041E904
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$B380
      • String ID:
      • API String ID: 817970651-0
      • Opcode ID: 07e05edbc71ea3919cc4ddd2a3027f05efd59999ce68c659112d9836937d38ef
      • Instruction ID: 2c53bb4e8326c47be258d72f8799f03dbc74afe23d2bd8c65870ca42250e15ba
      • Opcode Fuzzy Hash: 07e05edbc71ea3919cc4ddd2a3027f05efd59999ce68c659112d9836937d38ef
      • Instruction Fuzzy Hash: 28116B7154C3047EFB40EBA6DC82FAD7BE8E705704F0080A6F944EB1C2DABA5440C728
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E0040B8C0(void* __esi, void* __eflags) {
      				char _v8;
      				intOrPtr* _t18;
      				intOrPtr _t26;
      				void* _t27;
      				long _t29;
      				intOrPtr _t32;
      				void* _t33;
      
      				_t33 = __eflags;
      				_push(0);
      				_push(_t32);
      				_push(0x40b957);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t32;
      				E0040B638(GetThreadLocale(), 0x40b96c, 0x100b,  &_v8);
      				_t29 = E004088D4(0x40b96c, 1, _t33);
      				if(_t29 + 0xfffffffd - 3 < 0) {
      					EnumCalendarInfoA(E0040B80C, GetThreadLocale(), _t29, 4);
      					_t27 = 7;
      					_t18 = 0x46c76c;
      					do {
      						 *_t18 = 0xffffffff;
      						_t18 = _t18 + 4;
      						_t27 = _t27 - 1;
      					} while (_t27 != 0);
      					EnumCalendarInfoA(E0040B848, GetThreadLocale(), _t29, 3);
      				}
      				_pop(_t26);
      				 *[fs:eax] = _t26;
      				_push(E0040B95E);
      				return E004048D8( &_v8);
      			}











      APIs
      • GetThreadLocale.KERNEL32(?,00000000,0040B957,?,?,00000000), ref: 0040B8D8
        • Part of subcall function 0040B638: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B656
      • GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040B957,?,?,00000000), ref: 0040B908
      • EnumCalendarInfoA.KERNEL32(Function_0000B80C,00000000,00000000,00000004), ref: 0040B913
      • GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040B957,?,?,00000000), ref: 0040B931
      • EnumCalendarInfoA.KERNEL32(Function_0000B848,00000000,00000000,00000003), ref: 0040B93C
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Locale$InfoThread$CalendarEnum
      • String ID:
      • API String ID: 4102113445-0
      • Opcode ID: 47001a0d44e16aeb2ae83214d02662b1b3f7780b342ebe72faa6fc9f05c92d02
      • Instruction ID: da875daf6c57d0241dc06f60840f3a445bc79252c6b18011dec02737c8933a12
      • Opcode Fuzzy Hash: 47001a0d44e16aeb2ae83214d02662b1b3f7780b342ebe72faa6fc9f05c92d02
      • Instruction Fuzzy Hash: 7301F7B13006046BD701BB758C03B6A369CDB86B18F618576F601B6AC1D73C9E1187AC
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040167C(void* __eax, void** __ecx, void* __edx) {
      				void* _t4;
      				void** _t9;
      				void* _t13;
      				void* _t14;
      				long _t16;
      				void* _t17;
      
      				_t9 = __ecx;
      				_t14 = __edx;
      				_t17 = __eax;
      				 *(__ecx + 4) = 0x100000;
      				_t4 = VirtualAlloc(__eax, 0x100000, 0x2000, 4);
      				_t13 = _t4;
      				 *_t9 = _t13;
      				if(_t13 == 0) {
      					_t16 = _t14 + 0x0000ffff & 0xffff0000;
      					_t9[1] = _t16;
      					_t4 = VirtualAlloc(_t17, _t16, 0x2000, 4);
      					 *_t9 = _t4;
      				}
      				if( *_t9 != 0) {
      					_t4 = E0040143C(0x46c5e8, _t9);
      					if(_t4 == 0) {
      						VirtualFree( *_t9, 0, 0x8000);
      						 *_t9 = 0;
      						return 0;
      					}
      				}
      				return _t4;
      			}










      APIs
      • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,4+k,?,?,?,00401A8E), ref: 0040169A
      • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,4+k,?,?,?,00401A8E), ref: 004016BF
      • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,4+k,?,?,?,00401A8E), ref: 004016E5
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Virtual$Alloc$Free
      • String ID: 4+k$D+k
      • API String ID: 3668210933-3055203674
      • Opcode ID: 1a467117e04d331077f3a319b543d79fca0314ce5350a81d2ff5b970f4a3d6f5
      • Instruction ID: 66b382dc89c8fe2413b180616749aab3fc1525029160c70bf64d8acfd6fcb947
      • Opcode Fuzzy Hash: 1a467117e04d331077f3a319b543d79fca0314ce5350a81d2ff5b970f4a3d6f5
      • Instruction Fuzzy Hash: 54F0C2B27413206BEB315B6A4C85F173AD89B45794F144076BE08FF3DAD6BA580082AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044FC8C() {
      				void* _t2;
      				void* _t5;
      				void* _t8;
      				struct HHOOK__* _t10;
      
      				if( *0x46cb5c != 0) {
      					_t10 =  *0x46cb5c; // 0x0
      					UnhookWindowsHookEx(_t10);
      				}
      				 *0x46cb5c = 0;
      				if( *0x46cb60 != 0) {
      					_t2 =  *0x46cb58; // 0x0
      					SetEvent(_t2);
      					if(GetCurrentThreadId() !=  *0x46cb54) {
      						_t8 =  *0x46cb60; // 0x0
      						WaitForSingleObject(_t8, 0xffffffff);
      					}
      					_t5 =  *0x46cb60; // 0x0
      					CloseHandle(_t5);
      					 *0x46cb60 = 0;
      					return 0;
      				}
      				return 0;
      			}








      APIs
      • UnhookWindowsHookEx.USER32(00000000), ref: 0044FC9B
      • SetEvent.KERNEL32(00000000,0045217A,00000000,00451157,?,?,x\E,00000001,00451217,?,?,?,x\E), ref: 0044FCB6
      • GetCurrentThreadId.KERNEL32 ref: 0044FCBB
      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0045217A,00000000,00451157,?,?,x\E,00000001,00451217,?,?,?,x\E), ref: 0044FCD0
      • CloseHandle.KERNEL32(00000000,00000000,0045217A,00000000,00451157,?,?,x\E,00000001,00451217,?,?,?,x\E), ref: 0044FCDB
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
      • String ID:
      • API String ID: 2429646606-0
      • Opcode ID: 9b828b75fb56e1d85cd3b35d90c95c425d2b2f79c1874176df66b4d3dd47c936
      • Instruction ID: 943f33a562870a97c55ef491cde0b663b250392ba93f591600998c69764b040a
      • Opcode Fuzzy Hash: 9b828b75fb56e1d85cd3b35d90c95c425d2b2f79c1874176df66b4d3dd47c936
      • Instruction Fuzzy Hash: CFF0F8B1A001849AD710AFBAFCCAA2633A47708B14B40093AE441D32E0E7B8B844CF5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0043C264(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __fp0) {
      				intOrPtr* _v8;
      				struct tagPOINT _v16;
      				char _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v36;
      				struct tagMSG _v64;
      				intOrPtr _v68;
      				long _v72;
      				char _v76;
      				intOrPtr _t125;
      				int _t126;
      				int _t140;
      				int _t147;
      				intOrPtr* _t175;
      				int _t186;
      				void* _t191;
      				intOrPtr* _t209;
      				void* _t213;
      				intOrPtr _t214;
      				intOrPtr _t219;
      				int _t232;
      				intOrPtr _t233;
      				int _t236;
      				intOrPtr* _t242;
      				intOrPtr _t262;
      				intOrPtr _t278;
      				intOrPtr _t289;
      				int _t297;
      				int _t300;
      				int _t302;
      				int _t303;
      				int _t304;
      				void* _t307;
      				void* _t309;
      				void* _t315;
      
      				_t315 = __fp0;
      				_t306 = _t307;
      				_v76 = 0;
      				_t242 = __edx;
      				_v8 = __eax;
      				_push(_t307);
      				_push(0x43c63c);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t307 + 0xffffffb8;
      				_t125 =  *__edx;
      				_t309 = _t125 - 0x202;
      				if(_t309 > 0) {
      					_t126 = _t125 - 0x203;
      					__eflags = _t126;
      					if(__eflags == 0) {
      						E00407268( *((intOrPtr*)(__edx + 8)), 0,  &_v72);
      						_t297 = E0043ACD0(_v8,  &_v20,  &_v72, __eflags);
      						__eflags = _t297;
      						if(_t297 != 0) {
      							__eflags =  *(_t297 + 4);
      							if( *(_t297 + 4) != 0) {
      								__eflags = _v20 - 2;
      								if(_v20 == 2) {
      									E0042FE7C();
      									E0043231C( *(_t297 + 4), 0, 0, 1);
      								}
      							}
      						}
      						L47:
      						if( *((short*)(_v8 + 0x32)) != 0) {
      							 *((intOrPtr*)(_v8 + 0x30))();
      						}
      						L49:
      						_pop(_t262);
      						 *[fs:eax] = _t262;
      						_push(0x43c643);
      						return E004048D8( &_v76);
      					}
      					_t140 = _t126 - 0xae2d;
      					__eflags = _t140;
      					if(_t140 == 0) {
      						 *((intOrPtr*)(_v8 + 0x30))();
      						__eflags =  *(__edx + 0xc);
      						if( *(__edx + 0xc) != 0) {
      							goto L49;
      						}
      						_t300 =  *((intOrPtr*)( *_v8 + 4))();
      						__eflags = _v20 - 0x12;
      						if(_v20 != 0x12) {
      							__eflags = _t300;
      							if(_t300 == 0) {
      								goto L49;
      							}
      							_t147 = _v20 - 2;
      							__eflags = _t147;
      							if(_t147 == 0) {
      								L46:
      								E00430FBC(_t300,  &_v36);
      								 *((intOrPtr*)( *_v8))();
      								_v36 = _v36 - _v36 -  *((intOrPtr*)(_t300 + 0x40)) + _v36 -  *((intOrPtr*)(_t300 + 0x40));
      								_v32 = _v32 - _v32 -  *((intOrPtr*)(_t300 + 0x44)) + _v32 -  *((intOrPtr*)(_t300 + 0x44));
      								_v28 = _v28 -  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36 +  *((intOrPtr*)(_t300 + 0x48)) - _v28 - _v36;
      								_v24 = _v24 -  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32 +  *((intOrPtr*)(_t300 + 0x4c)) - _v24 - _v32;
      								E0043161C(_t300,  &_v76);
      								E0040492C( *((intOrPtr*)(_t242 + 8)) + 0x38, _v76);
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								goto L49;
      							}
      							__eflags = _t147 != 0x12;
      							if(_t147 != 0x12) {
      								goto L49;
      							}
      							goto L46;
      						}
      						E004048D8( *((intOrPtr*)(__edx + 8)) + 0x38);
      						goto L49;
      					} else {
      						__eflags = _t140 == 0x12;
      						if(_t140 == 0x12) {
      							_t175 =  *((intOrPtr*)(__edx + 8));
      							__eflags =  *_t175 - 0xb00b;
      							if( *_t175 == 0xb00b) {
      								E0043C14C(_v8,  *((intOrPtr*)(_t175 + 4)),  *((intOrPtr*)(__edx + 4)));
      							}
      						}
      						goto L47;
      					}
      				}
      				if(_t309 == 0) {
      					__eflags =  *(_v8 + 0x60);
      					if(__eflags != 0) {
      						E0043BC98(_v8, __eflags);
      					} else {
      						E00407268( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
      						_t302 = E0043ACD0(_v8,  &_v20,  &_v16, __eflags);
      						__eflags = _t302;
      						if(_t302 != 0) {
      							__eflags = _v20 - 0x14;
      							if(_v20 == 0x14) {
      								_t295 =  *((intOrPtr*)(_t302 + 4));
      								_t278 =  *0x446d0c; // 0x446d58
      								_t186 = E00403CFC( *((intOrPtr*)(_t302 + 4)), _t278);
      								__eflags = _t186;
      								if(_t186 == 0) {
      									E0043153C(_t295, 0);
      								} else {
      									E0044DC94(_t295,  &_v20);
      								}
      							}
      						}
      					}
      					goto L47;
      				}
      				_t191 = _t125 - 0x20;
      				if(_t191 == 0) {
      					GetCursorPos( &_v16);
      					E00431160( *((intOrPtr*)(_v8 + 0x14)),  &_v72,  &_v16);
      					_v16.x = _v72;
      					_v16.y = _v68;
      					__eflags =  *((short*)(_t242 + 8)) - 1;
      					if( *((short*)(_t242 + 8)) != 1) {
      						goto L47;
      					}
      					__eflags = E00437E18( *((intOrPtr*)(_v8 + 0x14))) -  *((intOrPtr*)(_t242 + 4));
      					if(__eflags != 0) {
      						goto L47;
      					}
      					__eflags = E00436948( *((intOrPtr*)(_v8 + 0x14)),  &_v72, __eflags);
      					if(__eflags <= 0) {
      						goto L47;
      					}
      					_t303 = E0043ACD0(_v8,  &_v20,  &_v16, __eflags);
      					__eflags = _t303;
      					if(_t303 == 0) {
      						goto L47;
      					}
      					__eflags = _v20 - 0x12;
      					if(_v20 != 0x12) {
      						goto L47;
      					}
      					_t209 =  *0x46b7bc; // 0x46cb48
      					SetCursor(E0044F3AC( *_t209,  &_v20,  *((short*)(0x456b6c + ( *( *((intOrPtr*)(_t303 + 0x14)) + 0x10) & 0x000000ff) * 2))));
      					 *((intOrPtr*)(_t242 + 0xc)) = 1;
      					goto L49;
      				}
      				_t213 = _t191 - 0x1e0;
      				if(_t213 == 0) {
      					_t214 = _v8;
      					__eflags =  *(_t214 + 0x60);
      					if( *(_t214 + 0x60) != 0) {
      						E0043BD4C(_v8);
      						E00407268( *((intOrPtr*)(_t242 + 8)), 0,  &_v72);
      						_t219 = _v8;
      						 *(_t219 + 0x50) = _v72;
      						 *((intOrPtr*)(_t219 + 0x54)) = _v68;
      						E0043C1D4(_t306);
      						E0043BD4C(_v8);
      					}
      					goto L47;
      				}
      				if(_t213 == 1) {
      					E00407268( *((intOrPtr*)(__edx + 8)), 0,  &_v16);
      					_t256 =  &_v20;
      					_t304 = E0043ACD0(_v8,  &_v20,  &_v16, __eflags);
      					__eflags = _t304;
      					if(_t304 == 0) {
      						goto L47;
      					}
      					__eflags = _v20 - 0x12;
      					if(__eflags != 0) {
      						__eflags = _v20 - 2;
      						if(_v20 != 2) {
      							goto L47;
      						}
      						_t232 = PeekMessageA( &_v64, E00437E18( *((intOrPtr*)(_v8 + 0x14))), 0x203, 0x203, 0);
      						__eflags = _t232;
      						if(_t232 == 0) {
      							_t289 =  *0x42d6a8; // 0x42d6f4
      							_t236 = E00403CFC( *((intOrPtr*)(_t304 + 4)), _t289);
      							__eflags = _t236;
      							if(_t236 != 0) {
      								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t304 + 4)))) + 0xc4))();
      							}
      						}
      						_t233 =  *((intOrPtr*)(_t304 + 4));
      						__eflags =  *((char*)(_t233 + 0x9b)) - 1;
      						if( *((char*)(_t233 + 0x9b)) == 1) {
      							__eflags =  *((char*)(_t233 + 0x5d)) - 1;
      							if( *((char*)(_t233 + 0x5d)) == 1) {
      								E00431CB8(_t233, _t256 | 0xffffffff, 0, _t306, _t315);
      							}
      						}
      						goto L49;
      					}
      					E0043BC38(_v8,  &_v16, _t304, __eflags);
      				} else {
      				}
      			}

      APIs
      • GetCursorPos.USER32(?), ref: 0043C4A4
      • SetCursor.USER32(00000000,?,00000000,0043C63C), ref: 0043C536
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Cursor
      • String ID: XmD
      • API String ID: 3268636600-1007433337
      • Opcode ID: 9af5a26ba3dbe913d84be0d5cf0a1ccfd257704c8c2aad1c93335bf14ecf5b6a
      • Instruction ID: 8a113e2c82f54524c2e6d807d971db57cdbfadb963318e8838b1f66f4ff5bdb9
      • Opcode Fuzzy Hash: 9af5a26ba3dbe913d84be0d5cf0a1ccfd257704c8c2aad1c93335bf14ecf5b6a
      • Instruction Fuzzy Hash: C2C14F30A00219CFCB10DF69C9C699EB7B1BF48304F14A5AAE811BB355D778EE41DB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0040B970(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				char _v12;
      				intOrPtr _v16;
      				char _v20;
      				char _v24;
      				void* _t41;
      				signed int _t45;
      				signed int _t47;
      				signed int _t49;
      				signed int _t51;
      				intOrPtr _t75;
      				void* _t76;
      				signed int _t77;
      				signed int _t83;
      				signed int _t92;
      				intOrPtr _t111;
      				void* _t122;
      				void* _t124;
      				intOrPtr _t127;
      				void* _t128;
      
      				_t128 = __eflags;
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_t122 = __edx;
      				_t124 = __eax;
      				_push(_t127);
      				_push(0x40bb3a);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t127;
      				_t92 = 1;
      				E004048D8(__edx);
      				E0040B638(GetThreadLocale(), 0x40bb50, 0x1009,  &_v12);
      				if(E004088D4(0x40bb50, 1, _t128) + 0xfffffffd - 3 < 0) {
      					while(1) {
      						_t41 = E00404B98(_t124);
      						__eflags = _t92 - _t41;
      						if(_t92 > _t41) {
      							goto L28;
      						}
      						__eflags =  *(_t124 + _t92 - 1) & 0x000000ff;
      						asm("bt [0x456130], eax");
      						if(( *(_t124 + _t92 - 1) & 0x000000ff) >= 0) {
      							_t45 = E00408F64(_t124 + _t92 - 1, 2, 0x40bb54);
      							__eflags = _t45;
      							if(_t45 != 0) {
      								_t47 = E00408F64(_t124 + _t92 - 1, 4, 0x40bb64);
      								__eflags = _t47;
      								if(_t47 != 0) {
      									_t49 = E00408F64(_t124 + _t92 - 1, 2, 0x40bb7c);
      									__eflags = _t49;
      									if(_t49 != 0) {
      										_t51 =  *(_t124 + _t92 - 1) - 0x59;
      										__eflags = _t51;
      										if(_t51 == 0) {
      											L24:
      											E00404BA0(_t122, 0x40bb94);
      										} else {
      											__eflags = _t51 != 0x20;
      											if(_t51 != 0x20) {
      												E00404AC0();
      												E00404BA0(_t122, _v24);
      											} else {
      												goto L24;
      											}
      										}
      									} else {
      										E00404BA0(_t122, 0x40bb88);
      										_t92 = _t92 + 1;
      									}
      								} else {
      									E00404BA0(_t122, 0x40bb74);
      									_t92 = _t92 + 3;
      								}
      							} else {
      								E00404BA0(_t122, 0x40bb60);
      								_t92 = _t92 + 1;
      							}
      							_t92 = _t92 + 1;
      							__eflags = _t92;
      						} else {
      							_v8 = E0040CA08(_t124, _t92);
      							E00404DF8(_t124, _v8, _t92,  &_v20);
      							E00404BA0(_t122, _v20);
      							_t92 = _t92 + _v8;
      						}
      					}
      				} else {
      					_t75 =  *0x46c744; // 0x9
      					_t76 = _t75 - 4;
      					if(_t76 == 0 || _t76 + 0xfffffff3 - 2 < 0) {
      						_t77 = 1;
      					} else {
      						_t77 = 0;
      					}
      					if(_t77 == 0) {
      						E0040492C(_t122, _t124);
      					} else {
      						while(_t92 <= E00404B98(_t124)) {
      							_t83 =  *(_t124 + _t92 - 1) - 0x47;
      							__eflags = _t83;
      							if(_t83 != 0) {
      								__eflags = _t83 != 0x20;
      								if(_t83 != 0x20) {
      									E00404AC0();
      									E00404BA0(_t122, _v16);
      								}
      							}
      							_t92 = _t92 + 1;
      							__eflags = _t92;
      						}
      					}
      				}
      				L28:
      				_pop(_t111);
      				 *[fs:eax] = _t111;
      				_push(E0040BB41);
      				return E004048FC( &_v24, 4);
      			}

      APIs
      • GetThreadLocale.KERNEL32(?,00000000,0040BB3A,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040B99F
        • Part of subcall function 0040B638: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040B656
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Locale$InfoThread
      • String ID: eeee$ggg$yyyy
      • API String ID: 4232894706-1253427255
      • Opcode ID: f07736268335f3f88afea8dd4b37fced9a43cd399755ffbeb160d65954e7a3c8
      • Instruction ID: 5cfefc63a2250c1d4e5bdc7e267031db39b03afc12a0182f07ce4114bf8102e0
      • Opcode Fuzzy Hash: f07736268335f3f88afea8dd4b37fced9a43cd399755ffbeb160d65954e7a3c8
      • Instruction Fuzzy Hash: D341D5617005054BC711BAB988926BFB2A6DB84304FA4453BE551B37CAD73CFD0296AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0042F7FC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, void* __ebp, long long __fp0) {
      				intOrPtr _v16;
      				intOrPtr _t24;
      				intOrPtr _t26;
      				intOrPtr _t28;
      				intOrPtr* _t32;
      				intOrPtr _t35;
      				intOrPtr _t37;
      				struct HWND__* _t38;
      				intOrPtr _t39;
      				intOrPtr* _t41;
      				intOrPtr _t45;
      				intOrPtr _t49;
      				intOrPtr* _t53;
      				long _t58;
      				intOrPtr _t59;
      				intOrPtr _t60;
      				intOrPtr* _t65;
      				intOrPtr _t66;
      				intOrPtr _t70;
      				intOrPtr* _t77;
      				void* _t79;
      				intOrPtr* _t80;
      				long long _t87;
      
      				_t87 = __fp0;
      				_t80 = _t79 + 0xfffffff8;
      				_t70 = __ecx;
      				_t45 = __edx;
      				_t77 = __eax;
      				 *0x46cac4 = __eax;
      				_t24 =  *0x46cac4; // 0x0
      				 *((intOrPtr*)(_t24 + 4)) = 0;
      				GetCursorPos(0x46cad0);
      				_t26 =  *0x46cac4; // 0x0
      				_t58 = 0x46cad0->x; // 0x0
      				 *(_t26 + 0xc) = _t58;
      				_t59 =  *0x46cad4; // 0x0
      				 *((intOrPtr*)(_t26 + 0x10)) = _t59;
      				 *0x46cad8 = GetCursor();
      				_t28 =  *0x46cac4; // 0x0
      				 *0x46cacc = E0042EA14(_t28);
      				 *0x46cadc = _t70;
      				_t60 =  *0x42c2b0; // 0x42c2fc
      				if(E00403CFC(_t77, _t60) == 0) {
      					__eflags = _t45;
      					if(__eflags == 0) {
      						 *0x46cae0 = 0;
      					} else {
      						 *0x46cae0 = 1;
      					}
      				} else {
      					_t65 = _t77;
      					_t4 = _t65 + 0x44; // 0x44
      					_t41 = _t4;
      					_t49 =  *_t41;
      					if( *((intOrPtr*)(_t41 + 8)) - _t49 <= 0) {
      						__eflags = 0;
      						 *((intOrPtr*)(_t65 + 0x20)) = 0;
      						 *((intOrPtr*)(_t65 + 0x24)) = 0;
      					} else {
      						 *_t80 =  *((intOrPtr*)(_t65 + 0xc)) - _t49;
      						asm("fild dword [esp]");
      						_v16 =  *((intOrPtr*)(_t41 + 8)) -  *_t41;
      						asm("fild dword [esp+0x4]");
      						asm("fdivp st1, st0");
      						 *((long long*)(_t65 + 0x20)) = __fp0;
      						asm("wait");
      					}
      					_t66 =  *((intOrPtr*)(_t41 + 4));
      					if( *((intOrPtr*)(_t41 + 0xc)) - _t66 <= 0) {
      						__eflags = 0;
      						 *((intOrPtr*)(_t77 + 0x28)) = 0;
      						 *((intOrPtr*)(_t77 + 0x2c)) = 0;
      					} else {
      						_t53 = _t77;
      						 *_t80 =  *((intOrPtr*)(_t53 + 0x10)) - _t66;
      						asm("fild dword [esp]");
      						_v16 =  *((intOrPtr*)(_t41 + 0xc)) -  *((intOrPtr*)(_t41 + 4));
      						asm("fild dword [esp+0x4]");
      						asm("fdivp st1, st0");
      						 *((long long*)(_t53 + 0x28)) = _t87;
      						asm("wait");
      					}
      					if(_t45 == 0) {
      						 *0x46cae0 = 0;
      					} else {
      						 *0x46cae0 = 2;
      						 *((intOrPtr*)( *_t77 + 0x30))();
      					}
      				}
      				_t32 =  *0x46cac4; // 0x0
      				 *0x46cae4 =  *((intOrPtr*)( *_t32 + 8))();
      				_t85 =  *0x46cae4;
      				if( *0x46cae4 != 0) {
      					_t37 =  *0x46cad4; // 0x0
      					_t38 = GetDesktopWindow();
      					_t39 =  *0x46cae4; // 0x0
      					E004398D8(_t39, _t38, _t85, _t37);
      				}
      				_t35 = E00403B34(1);
      				 *0x46caec = _t35;
      				if( *0x46cae0 != 0) {
      					_t35 = E0042F52C(0x46cad0, 1);
      				}
      				return _t35;
      			}

      APIs
      • GetCursorPos.USER32(0046CAD0), ref: 0042F81D
      • GetCursor.USER32(0046CAD0), ref: 0042F839
        • Part of subcall function 0042EA14: SetCapture.USER32(00000000,?,0042F84D,0046CAD0), ref: 0042EA23
      • GetDesktopWindow.USER32 ref: 0042F92B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Cursor$CaptureDesktopWindow
      • String ID: `B
      • API String ID: 669539147-3602356314
      • Opcode ID: 58428ac0cab2fd15611509265b53cbe63cdf4757650e31d71cbc8790f2bef33d
      • Instruction ID: ccbd46e2e4c8129d257604eecd3a10fb4ebb1b6fee2b104892e83a4bfc618f6b
      • Opcode Fuzzy Hash: 58428ac0cab2fd15611509265b53cbe63cdf4757650e31d71cbc8790f2bef33d
      • Instruction Fuzzy Hash: 58418E71604244CFC304EF69E5847267BF1FB88310B55817BD489CB7A1EBB59845DB8A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0040C218(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
      				char _v8;
      				intOrPtr _v12;
      				struct _MEMORY_BASIC_INFORMATION _v40;
      				char _v301;
      				char _v308;
      				intOrPtr _v312;
      				char _v316;
      				char _v320;
      				char _v324;
      				intOrPtr _v328;
      				char _v332;
      				void* _v336;
      				char _v340;
      				char _v344;
      				char _v348;
      				char _v352;
      				intOrPtr _v356;
      				char _v360;
      				char _v364;
      				char _v368;
      				void* _v372;
      				char _v376;
      				intOrPtr _t55;
      				intOrPtr _t65;
      				intOrPtr _t88;
      				intOrPtr _t92;
      				intOrPtr _t95;
      				intOrPtr _t107;
      				void* _t114;
      				void* _t115;
      				void* _t118;
      
      				_t115 = __esi;
      				_t114 = __edi;
      				_t98 = __ecx;
      				_v376 = 0;
      				_v340 = 0;
      				_v348 = 0;
      				_v344 = 0;
      				_v8 = 0;
      				_push(_t118);
      				_push(0x40c3db);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t118 + 0xfffffe8c;
      				_t95 =  *((intOrPtr*)(_a4 - 4));
      				if( *((intOrPtr*)(_t95 + 0x14)) != 0) {
      					_t55 =  *0x46b684; // 0x4075ac
      					E004064A4(_t55, __ecx,  &_v8);
      				} else {
      					_t92 =  *0x46b7e8; // 0x4075a4
      					E004064A4(_t92, __ecx,  &_v8);
      				}
      				_v12 =  *((intOrPtr*)(_t95 + 0x18));
      				VirtualQuery( *(_t95 + 0xc),  &_v40, 0x1c);
      				if(_v40.State != 0x1000 || GetModuleFileNameA(_v40.AllocationBase,  &_v301, 0x105) == 0) {
      					_v372 =  *(_t95 + 0xc);
      					_v368 = 5;
      					_v364 = _v8;
      					_v360 = 0xb;
      					_v356 = _v12;
      					_v352 = 5;
      					_t65 =  *0x46b690; // 0x407554
      					E004064A4(_t65, _t98,  &_v376);
      					E0040BE40(_t95, _v376, 1, _t114, _t115, 2,  &_v372);
      				} else {
      					_v336 =  *(_t95 + 0xc);
      					_v332 = 5;
      					E00404B48( &_v344, 0x105,  &_v301);
      					E00408CD8(_v344, 0x105,  &_v340);
      					_v328 = _v340;
      					_v324 = 0xb;
      					_v320 = _v8;
      					_v316 = 0xb;
      					_v312 = _v12;
      					_v308 = 5;
      					_t88 =  *0x46b6ec; // 0x40764c
      					E004064A4(_t88, 0x105,  &_v348);
      					E0040BE40(_t95, _v348, 1, _t114, _t115, 3,  &_v336);
      				}
      				_pop(_t107);
      				 *[fs:eax] = _t107;
      				_push(E0040C3E2);
      				E004048D8( &_v376);
      				E004048FC( &_v348, 3);
      				return E004048D8( &_v8);
      			}

      APIs
      • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0040C3DB), ref: 0040C285
      • GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0040C3DB), ref: 0040C2A7
        • Part of subcall function 004064A4: LoadStringA.USER32 ref: 004064D6
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp Download File
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: FileLoadModuleNameQueryStringVirtual
      • String ID: Lv@$Tu@
      • API String ID: 902310565-4215145664
      • Opcode ID: 324704d1ef58da1400652a3b3f7d401882131f16d6072e6263b5d0bd457887b0
      • Instruction ID: 196288b1197f5a69391a8494de256bca2deaf010ea4d537ccacff94509af93b0
      • Opcode Fuzzy Hash: 324704d1ef58da1400652a3b3f7d401882131f16d6072e6263b5d0bd457887b0
      • Instruction Fuzzy Hash: 94510370A04258DFDB60DB68CD85BC9B7F4AB48304F5041EAE908EB381D778AE84CF55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0040B6E8(void* __ebx, void* __edi, void* __esi) {
      				int _v8;
      				signed int _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				void* _t53;
      				void* _t54;
      				intOrPtr _t80;
      				void* _t83;
      				void* _t84;
      				void* _t86;
      				void* _t87;
      				intOrPtr _t90;
      
      				_t89 = _t90;
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(0);
      				_push(_t90);
      				_push(0x40b7fb);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t90;
      				_v8 = GetThreadLocale();
      				_t53 = 1;
      				_t86 = 0x46c6a8;
      				_t83 = 0x46c6d8;
      				do {
      					_t3 = _t53 + 0x44; // 0x45
      					E0040B6AC(_t3 - 1, _t53 - 1,  &_v16, 0xb, _t89);
      					E0040492C(_t86, _v16);
      					_t6 = _t53 + 0x38; // 0x39
      					E0040B6AC(_t6 - 1, _t53 - 1,  &_v20, 0xb, _t89);
      					E0040492C(_t83, _v20);
      					_t53 = _t53 + 1;
      					_t83 = _t83 + 4;
      					_t86 = _t86 + 4;
      				} while (_t53 != 0xd);
      				_t54 = 1;
      				_t87 = 0x46c708;
      				_t84 = 0x46c724;
      				do {
      					_t8 = _t54 + 5; // 0x6
      					asm("cdq");
      					_v12 = _t8 % 7;
      					E0040B6AC(_v12 + 0x31, _t54 - 1,  &_v24, 6, _t89);
      					E0040492C(_t87, _v24);
      					E0040B6AC(_v12 + 0x2a, _t54 - 1,  &_v28, 6, _t89);
      					E0040492C(_t84, _v28);
      					_t54 = _t54 + 1;
      					_t84 = _t84 + 4;
      					_t87 = _t87 + 4;
      				} while (_t54 != 8);
      				_pop(_t80);
      				 *[fs:eax] = _t80;
      				_push(E0040B802);
      				return E004048FC( &_v28, 4);
      			}

      APIs
      • GetThreadLocale.KERNEL32(00000000,0040B7FB,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040B704
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: LocaleThread
      • String ID: $w@$\w@$dv@
      • API String ID: 635194068-795844213
      • Opcode ID: e8b631f71a2c72cc97497651516a04cf5e71e218840424ebdea8e346d49b3ef9
      • Instruction ID: d2aeff9cf842c965db5a1a4bb7c046fcb571af86be91f48f85d2934270be0225
      • Opcode Fuzzy Hash: e8b631f71a2c72cc97497651516a04cf5e71e218840424ebdea8e346d49b3ef9
      • Instruction Fuzzy Hash: 9A31B4B1B001085BDB00EA95C881A6F77A9DBC8314F61843BFA09EB381D73DAD0587AD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E00444F1C(intOrPtr* __eax) {
      				struct tagMENUITEMINFOA _v128;
      				intOrPtr _v132;
      				int _t16;
      				intOrPtr* _t29;
      				struct HMENU__* _t36;
      				MENUITEMINFOA* _t37;
      
      				_t37 =  &_v128;
      				_t29 = __eax;
      				_t16 =  *0x46b7e4; // 0x46c740
      				if( *((char*)(_t16 + 0xd)) != 0 &&  *((intOrPtr*)(__eax + 0x38)) != 0) {
      					_t36 =  *((intOrPtr*)( *__eax + 0x34))();
      					_t37->cbSize = 0x2c;
      					_v132 = 0x10;
      					_v128.hbmpUnchecked =  &(_v128.cch);
      					_v128.dwItemData = 0x50;
      					_t16 = GetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
      					if(_t16 != 0) {
      						_t16 = E004452D0(_t29);
      						asm("sbb edx, edx");
      						if(_t16 != (_v128.cbSize & 0x00006000) + 1) {
      							_v128.cbSize = ((E004452D0(_t29) & 0x0000007f) << 0x0000000d) + ((E004452D0(_t29) & 0x0000007f) << 0x0000000d) * 0x00000002 | _v128 & 0xffff9fff;
      							_v132 = 0x10;
      							_t16 = SetMenuItemInfoA(_t36, 0, 0xffffffff, _t37);
      							if(_t16 != 0) {
      								return DrawMenuBar( *(_t29 + 0x38));
      							}
      						}
      					}
      				}
      				return _t16;
      			}

      APIs
      • GetMenuItemInfoA.USER32 ref: 00444F6A
      • SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 00444FBC
      • DrawMenuBar.USER32(00000000,00000000,00000000,000000FF), ref: 00444FC9
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$InfoItem$Draw
      • String ID: P
      • API String ID: 3227129158-3110715001
      • Opcode ID: c14747505f4340e9aa8d1ea16d65bfc5ddb5d15fe1dda488db8d7690d98b1983
      • Instruction ID: 16f723e884044a92f11bf90135fd6b3d96553bb923c24ad6aec4227bb82597e1
      • Opcode Fuzzy Hash: c14747505f4340e9aa8d1ea16d65bfc5ddb5d15fe1dda488db8d7690d98b1983
      • Instruction Fuzzy Hash: D11182306052105FE3109B29CC85B4B76D5AF85364F148A6AF054DB3E9D779C898C78A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E0040F378(short* __eax, void* __ecx) {
      				void* _t7;
      				signed short _t18;
      				intOrPtr* _t19;
      
      				_t12 = __eax;
      				_t18 =  *((intOrPtr*)(__eax));
      				if(_t18 >= 0x14) {
      					if(_t18 != 0x100) {
      						if(_t18 != 0x101) {
      							if((_t18 & 0x00002000) == 0) {
      								_t7 = E00410DE0(_t18, _t19);
      								if(_t7 == 0) {
      									L0040DE68();
      									L0040DE60();
      								} else {
      									_t7 =  *((intOrPtr*)( *((intOrPtr*)( *_t19)) + 0x24))();
      								}
      							} else {
      								_t7 = E0040F1FC(__eax);
      							}
      						} else {
      							_t7 =  *0x46c810();
      						}
      					} else {
      						 *__eax = 0;
      						_t7 = E004048D8(__eax + 8);
      					}
      				} else {
      					_push(__eax);
      					L0040DE68();
      					_t7 = E0040F0C8(__eax);
      				}
      				return _t7;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ClearVariant
      • String ID: 0@
      • API String ID: 1473721057-11155133
      • Opcode ID: 6e20a8ac693858a505698d18ca0d58f29d81ea1f371e7e2d1e011388edbc198b
      • Instruction ID: df1608a3ef615c64b4e98e5df475b425b0280191f1dae7e5ea1b4227425e2772
      • Opcode Fuzzy Hash: 6e20a8ac693858a505698d18ca0d58f29d81ea1f371e7e2d1e011388edbc198b
      • Instruction Fuzzy Hash: 72F0AF717042008ACB307B76CCC45AA22999F40768760443BF906BBAD2DB7C8C4ED39F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00422F64(intOrPtr _a4, intOrPtr _a8, signed int _a12) {
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				void* _t15;
      				void* _t16;
      				intOrPtr _t18;
      				signed int _t19;
      				void* _t20;
      				intOrPtr _t21;
      
      				_t19 = _a12;
      				if( *0x46c923 != 0) {
      					_t16 = 0;
      					if((_t19 & 0x00000003) != 0) {
      						L7:
      						_t16 = 0x12340042;
      					} else {
      						_t21 = _a4;
      						if(_t21 >= 0 && _t21 < GetSystemMetrics(0) && _a8 >= 0 && GetSystemMetrics(1) > _a8) {
      							goto L7;
      						}
      					}
      				} else {
      					_t18 =  *0x46c904; // 0x422f64
      					 *0x46c904 = E00422CC0(3, _t15, "MonitorFromPoint", _t18, _t20);
      					_t16 =  *0x46c904(_a4, _a8, _t19);
      				}
      				return _t16;
      			}

      APIs
      • GetSystemMetrics.USER32 ref: 00422FB2
      • GetSystemMetrics.USER32 ref: 00422FC4
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: MetricsSystem$AddressProc
      • String ID: MonitorFromPoint$d/B
      • API String ID: 1792783759-3712818131
      • Opcode ID: ddf4d2c821112c94676a0757cf479bbeb650d7195a48f158df8ee4739bd9d0b6
      • Instruction ID: dfc095556206960d9468d4a1fcc27c38236b12b6a8beccb02ea4b6acd3753549
      • Opcode Fuzzy Hash: ddf4d2c821112c94676a0757cf479bbeb650d7195a48f158df8ee4739bd9d0b6
      • Instruction Fuzzy Hash: 6801F731301128BFDB145F11EF84B6E7764EB40354F82402AF854D7210D3F49C809B69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E00422E3C(intOrPtr* _a4, signed int _a8) {
      				void* __ebx;
      				void* __esi;
      				void* __ebp;
      				intOrPtr* _t14;
      				intOrPtr _t16;
      				signed int _t17;
      				void* _t18;
      				void* _t19;
      
      				_t17 = _a8;
      				_t14 = _a4;
      				if( *0x46c922 != 0) {
      					_t19 = 0;
      					if((_t17 & 0x00000003) != 0 ||  *((intOrPtr*)(_t14 + 8)) > 0 &&  *((intOrPtr*)(_t14 + 0xc)) > 0 && GetSystemMetrics(0) >  *_t14 && GetSystemMetrics(1) >  *((intOrPtr*)(_t14 + 4))) {
      						_t19 = 0x12340042;
      					}
      				} else {
      					_t16 =  *0x46c900; // 0x422e3c
      					 *0x46c900 = E00422CC0(2, _t14, "MonitorFromRect", _t16, _t18);
      					_t19 =  *0x46c900(_t14, _t17);
      				}
      				return _t19;
      			}

      APIs
      • GetSystemMetrics.USER32 ref: 00422E8D
      • GetSystemMetrics.USER32 ref: 00422E99
        • Part of subcall function 00422CC0: GetProcAddress.KERNEL32(74EA0000,00000000), ref: 00422D44
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: MetricsSystem$AddressProc
      • String ID: <.B$MonitorFromRect
      • API String ID: 1792783759-648912088
      • Opcode ID: 242a903d93c7da9cbd469b88993d0670bd0572d17d908c85686cf833cadd1c7a
      • Instruction ID: a4dfcd777aeac738e5abfd29faaf3764d3cd9facc5e49b10a5c824f5ead6166e
      • Opcode Fuzzy Hash: 242a903d93c7da9cbd469b88993d0670bd0572d17d908c85686cf833cadd1c7a
      • Instruction Fuzzy Hash: C001A271300224BFD7209F05FA85B67B764EB51361F868067E844CB302C3F8DC449BA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E00411000() {
      				intOrPtr _t14;
      				intOrPtr* _t16;
      				intOrPtr* _t17;
      				intOrPtr* _t18;
      				intOrPtr* _t19;
      				intOrPtr* _t20;
      				intOrPtr _t23;
      
      				_push(_t23);
      				_push(0x4110a1);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t23;
      				 *0x46c81c =  *0x46c81c - 1;
      				if( *0x46c81c < 0) {
      					E00410B0C();
      					 *0x46c80c = E0040F108;
      					 *0x46c810 = E0040ED30;
      					 *0x46c814 = E0040EC40;
      					 *0x46c818 = E0040ED30;
      					_t16 =  *0x46b610; // 0x45600c
      					 *_t16 = E0040F408;
      					_t17 =  *0x46b434; // 0x456010
      					 *_t17 = 0x410800;
      					_t18 =  *0x46b680; // 0x456014
      					 *_t18 = E0040F730;
      					_t19 =  *0x46b7a0; // 0x456018
      					 *_t19 = E0040FA5C;
      					_t20 =  *0x46b69c; // 0x45601c
      					 *_t20 = E0041017C;
      					_push(0x46c824);
      					L00406AAC();
      				}
      				_pop(_t14);
      				 *[fs:eax] = _t14;
      				_push(E004110A8);
      				return 0;
      			}

      APIs
      • RtlInitializeCriticalSection.KERNEL32(0046C824,00000000,004110A1), ref: 0041108E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalInitializeSection
      • String ID: 0@$0@$@@
      • API String ID: 32694325-667395913
      • Opcode ID: 72b37e6581381124cb1b8e2d3409cdf0e337a1d09101ee150b721c821db0efb0
      • Instruction ID: c0f56dd991226db7d2d7cdec1604ccd3fe30c5ce7541fac9c855d0a903149762
      • Opcode Fuzzy Hash: 72b37e6581381124cb1b8e2d3409cdf0e337a1d09101ee150b721c821db0efb0
      • Instruction Fuzzy Hash: 5301E5746042058F8361AF29E8815227BE5E78A345351C877E848DBB64E3B998918FEE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040D36C() {
      				_Unknown_base(*)()* _t1;
      				struct HINSTANCE__* _t3;
      
      				_t1 = GetModuleHandleA("kernel32.dll");
      				_t3 = _t1;
      				if(_t3 != 0) {
      					_t1 = GetProcAddress(_t3, "GetDiskFreeSpaceExA");
      					 *0x456154 = _t1;
      				}
      				if( *0x456154 == 0) {
      					 *0x456154 = E00408D94;
      					return E00408D94;
      				}
      				return _t1;
      			}

      APIs
      • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DE35,00000000,0040DE48), ref: 0040D372
      • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040D383
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: GetDiskFreeSpaceExA$kernel32.dll
      • API String ID: 1646373207-3712701948
      • Opcode ID: 08d6d15f74333d8e6698f18addd274167afd4186098ecec5c60f5efbf386cf0f
      • Instruction ID: 774726f393d23abb16696189f698a53e33fa1aaa8d5f3f84b5577898b8651e63
      • Opcode Fuzzy Hash: 08d6d15f74333d8e6698f18addd274167afd4186098ecec5c60f5efbf386cf0f
      • Instruction Fuzzy Hash: B4D0A770B417815FD700BBE4AD8572223958B20319B51013F69027B3C3D6BCC81C8E0E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0042F52C(intOrPtr* __eax, signed int __edx) {
      				intOrPtr _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				intOrPtr _t49;
      				intOrPtr _t53;
      				intOrPtr _t54;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				intOrPtr* _t60;
      				intOrPtr* _t62;
      				struct HICON__* _t65;
      				intOrPtr _t67;
      				intOrPtr* _t72;
      				intOrPtr _t74;
      				intOrPtr* _t75;
      				intOrPtr _t78;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t84;
      				intOrPtr _t85;
      				struct HWND__* _t88;
      				intOrPtr _t89;
      				intOrPtr _t91;
      				intOrPtr* _t93;
      				intOrPtr _t97;
      				intOrPtr _t100;
      				intOrPtr _t102;
      				intOrPtr _t103;
      				intOrPtr _t104;
      				intOrPtr _t106;
      				struct HWND__* _t107;
      				intOrPtr _t108;
      				intOrPtr _t110;
      				intOrPtr _t114;
      				intOrPtr _t117;
      				char _t118;
      				intOrPtr _t119;
      				void* _t131;
      				intOrPtr _t135;
      				intOrPtr _t140;
      				intOrPtr* _t155;
      				void* _t158;
      				void* _t165;
      				void* _t166;
      
      				_t155 = __eax;
      				if( *0x46cae0 != 0) {
      					L3:
      					_t49 =  *0x46cac0; // 0x0
      					_t117 = E0042F3F8(_t155,  &_v28, _t49);
      					if( *0x46cae0 == 0) {
      						_t168 =  *0x46cae4;
      						if( *0x46cae4 != 0) {
      							_t106 =  *0x46cad4; // 0x0
      							_t107 = GetDesktopWindow();
      							_t108 =  *0x46cae4; // 0x0
      							E004398D8(_t108, _t107, _t168, _t106);
      						}
      					}
      					_t53 =  *0x46cac0; // 0x0
      					if( *((char*)(_t53 + 0x9b)) != 0) {
      						__eflags =  *0x46cae0;
      						_t6 =  &_v24;
      						 *_t6 =  *0x46cae0 != 0;
      						__eflags =  *_t6;
      						 *0x46cae0 = 2;
      					} else {
      						 *0x46cae0 = 1;
      						_v24 = 0;
      					}
      					_t54 =  *0x46cac4; // 0x0
      					if(_t117 ==  *((intOrPtr*)(_t54 + 4))) {
      						L12:
      						_t55 =  *0x46cac4; // 0x0
      						 *((intOrPtr*)(_t55 + 0xc)) =  *_t155;
      						 *((intOrPtr*)(_t55 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
      						_t56 =  *0x46cac4; // 0x0
      						if( *((intOrPtr*)(_t56 + 4)) != 0) {
      							_t97 =  *0x46cac4; // 0x0
      							E00431160( *((intOrPtr*)(_t97 + 4)),  &_v20, _t155);
      							_t100 =  *0x46cac4; // 0x0
      							 *((intOrPtr*)(_t100 + 0x14)) = _v20;
      							 *((intOrPtr*)(_t100 + 0x18)) = _v16;
      						}
      						_t131 = E0042F450(2);
      						_t121 =  *_t155;
      						_t60 =  *0x46cac4; // 0x0
      						_t158 =  *((intOrPtr*)( *_t60 + 4))( *((intOrPtr*)(_t155 + 4)));
      						if( *0x46cae4 != 0) {
      							if(_t117 == 0 || ( *(_t117 + 0x51) & 0x00000020) != 0) {
      								_t82 =  *0x46cae4; // 0x0
      								E00439894(_t82, _t158);
      								_t84 =  *0x46cae4; // 0x0
      								_t177 =  *((char*)(_t84 + 0x6a));
      								if( *((char*)(_t84 + 0x6a)) != 0) {
      									_t121 =  *((intOrPtr*)(_t155 + 4));
      									_t85 =  *0x46cae4; // 0x0
      									E004399C0(_t85,  *((intOrPtr*)(_t155 + 4)),  *_t155, __eflags);
      								} else {
      									_t88 = GetDesktopWindow();
      									_t121 =  *_t155;
      									_t89 =  *0x46cae4; // 0x0
      									E004398D8(_t89, _t88, _t177,  *((intOrPtr*)(_t155 + 4)));
      								}
      							} else {
      								_t91 =  *0x46cae4; // 0x0
      								E00439A34(_t91, _t131, __eflags);
      								_t93 =  *0x46b7bc; // 0x46cb48
      								SetCursor(E0044F3AC( *_t93, _t121, _t158));
      							}
      						}
      						_t62 =  *0x46b7bc; // 0x46cb48
      						_t65 = SetCursor(E0044F3AC( *_t62, _t121, _t158));
      						if( *0x46cae0 != 2) {
      							L32:
      							return _t65;
      						} else {
      							_t179 = _t117;
      							if(_t117 != 0) {
      								_t118 = E0042F48C();
      								_t67 =  *0x46cac4; // 0x0
      								 *((intOrPtr*)(_t67 + 0x58)) = _t118;
      								__eflags = _t118;
      								if(__eflags != 0) {
      									E00431160(_t118,  &_v24, _t155);
      									_t65 = E00403D6C(_t118, __eflags);
      									_t135 =  *0x46cac4; // 0x0
      									 *(_t135 + 0x54) = _t65;
      								} else {
      									_t78 =  *0x46cac4; // 0x0
      									_t65 = E00403D6C( *((intOrPtr*)(_t78 + 4)), __eflags);
      									_t140 =  *0x46cac4; // 0x0
      									 *(_t140 + 0x54) = _t65;
      								}
      							} else {
      								_push( *((intOrPtr*)(_t155 + 4)));
      								_t80 =  *0x46cac4; // 0x0
      								_t65 = E00403D6C( *((intOrPtr*)(_t80 + 0x38)), _t179);
      							}
      							if( *0x46cac4 == 0) {
      								goto L32;
      							} else {
      								_t119 =  *0x46cac4; // 0x0
      								_t41 = _t119 + 0x5c; // 0x5c
      								_t42 = _t119 + 0x44; // 0x44
      								_t65 = E0040851C(_t42, 0x10, _t41);
      								if(_t65 != 0) {
      									goto L32;
      								}
      								if(_v28 != 0) {
      									_t75 =  *0x46cac4; // 0x0
      									 *((intOrPtr*)( *_t75 + 0x34))();
      								}
      								_t72 =  *0x46cac4; // 0x0
      								 *((intOrPtr*)( *_t72 + 0x30))();
      								_t74 =  *0x46cac4; // 0x0
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								asm("movsd");
      								return _t74;
      							}
      						}
      					}
      					_t65 = E0042F450(1);
      					if( *0x46cac4 == 0) {
      						goto L32;
      					}
      					_t102 =  *0x46cac4; // 0x0
      					 *((intOrPtr*)(_t102 + 4)) = _t117;
      					_t103 =  *0x46cac4; // 0x0
      					 *((intOrPtr*)(_t103 + 8)) = _v28;
      					_t104 =  *0x46cac4; // 0x0
      					 *((intOrPtr*)(_t104 + 0xc)) =  *_t155;
      					 *((intOrPtr*)(_t104 + 0x10)) =  *((intOrPtr*)(_t155 + 4));
      					_t65 = E0042F450(0);
      					if( *0x46cac4 == 0) {
      						goto L32;
      					}
      					goto L12;
      				}
      				_t110 =  *0x46cad0; // 0x0
      				asm("cdq");
      				_t165 = (_t110 -  *__eax ^ __edx) - __edx -  *0x46cadc; // 0x0
      				if(_t165 >= 0) {
      					goto L3;
      				}
      				_t114 =  *0x46cad4; // 0x0
      				asm("cdq");
      				_t65 = (_t114 -  *((intOrPtr*)(__eax + 4)) ^ __edx) - __edx;
      				_t166 = _t65 -  *0x46cadc; // 0x0
      				if(_t166 < 0) {
      					goto L32;
      				}
      				goto L3;
      			}

      APIs
      • GetDesktopWindow.USER32 ref: 0042F5A0
      • GetDesktopWindow.USER32 ref: 0042F6C5
      • SetCursor.USER32(00000000), ref: 0042F71A
        • Part of subcall function 00439A34: 73D61770.COMCTL32(00000000,?,0042F6F5), ref: 00439A50
        • Part of subcall function 00439A34: ShowCursor.USER32(000000FF,00000000,?,0042F6F5), ref: 00439A6B
      • SetCursor.USER32(00000000), ref: 0042F705
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Cursor$DesktopWindow$D61770Show
      • String ID:
      • API String ID: 1612473249-0
      • Opcode ID: 0141ce7e8db474e7a0e16c95bc86b8af959b9e677734ec3a18b76edcba2f00c9
      • Instruction ID: 7176c237febbd258acfb40c5991fc9fe254596840763dcf5a883c21adeea5d34
      • Opcode Fuzzy Hash: 0141ce7e8db474e7a0e16c95bc86b8af959b9e677734ec3a18b76edcba2f00c9
      • Instruction Fuzzy Hash: EE915F752001558FC700DFA9E9C4B6677F1BB98304F98817AE484C77A2D7B8EC45CB8A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0040F1FC(intOrPtr* __eax) {
      				char _v260;
      				char _v768;
      				char _v772;
      				intOrPtr* _v776;
      				signed short* _v780;
      				char _v784;
      				signed int _v788;
      				char _v792;
      				intOrPtr* _v796;
      				signed char _t43;
      				intOrPtr* _t60;
      				void* _t79;
      				void* _t81;
      				void* _t84;
      				void* _t85;
      				intOrPtr* _t92;
      				void* _t96;
      				char* _t97;
      				void* _t98;
      
      				_v776 = __eax;
      				if(( *(_v776 + 1) & 0x00000020) == 0) {
      					E0040F0C8(0x80070057);
      				}
      				_t43 =  *_v776;
      				if((_t43 & 0x00000fff) == 0xc) {
      					if((_t43 & 0x00000040) == 0) {
      						_v780 =  *((intOrPtr*)(_v776 + 8));
      					} else {
      						_v780 =  *((intOrPtr*)( *((intOrPtr*)(_v776 + 8))));
      					}
      					_v788 =  *_v780 & 0x0000ffff;
      					_t79 = _v788 - 1;
      					if(_t79 >= 0) {
      						_t85 = _t79 + 1;
      						_t96 = 0;
      						_t97 =  &_v772;
      						do {
      							_v796 = _t97;
      							_push(_v796 + 4);
      							_t22 = _t96 + 1; // 0x1
      							_push(_v780);
      							L0040E2CC();
      							E0040F0C8(_v780);
      							_push( &_v784);
      							_t25 = _t96 + 1; // 0x1
      							_push(_v780);
      							L0040E2D4();
      							E0040F0C8(_v780);
      							 *_v796 = _v784 -  *((intOrPtr*)(_v796 + 4)) + 1;
      							_t96 = _t96 + 1;
      							_t97 = _t97 + 8;
      							_t85 = _t85 - 1;
      						} while (_t85 != 0);
      					}
      					_t81 = _v788 - 1;
      					if(_t81 >= 0) {
      						_t84 = _t81 + 1;
      						_t60 =  &_v768;
      						_t92 =  &_v260;
      						do {
      							 *_t92 =  *_t60;
      							_t92 = _t92 + 4;
      							_t60 = _t60 + 8;
      							_t84 = _t84 - 1;
      						} while (_t84 != 0);
      						do {
      							goto L12;
      						} while (E0040F1A0(_t83, _t98) != 0);
      						goto L15;
      					}
      					L12:
      					_t83 = _v788 - 1;
      					if(E0040F170(_v788 - 1, _t98) != 0) {
      						_push( &_v792);
      						_push( &_v260);
      						_push(_v780);
      						L0040E2DC();
      						E0040F0C8(_v780);
      						E0040F3F4(_v792);
      					}
      				}
      				L15:
      				_push(_v776);
      				L0040DE68();
      				return E0040F0C8(_v776);
      			}

      APIs
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0040F2AB
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0040F2C7
      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0040F33E
      • VariantClear.OLEAUT32(?), ref: 0040F367
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: ArraySafe$Bound$ClearIndexVariant
      • String ID:
      • API String ID: 920484758-0
      • Opcode ID: 20dd1355b83340b855608860b8bd2be3f434ff2638bf0f62256490c5c4da067a
      • Instruction ID: 843900944ac7d10d7bcb082feeaa8ce30d586445e6df111c735771b763e902e0
      • Opcode Fuzzy Hash: 20dd1355b83340b855608860b8bd2be3f434ff2638bf0f62256490c5c4da067a
      • Instruction Fuzzy Hash: 24412E75A016198FCB71DB59C891AC9B3FCAB48314F0041FAE508F7642DA38AF888F58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040CD70() {
      				char* _v28;
      				char _v156;
      				short _v414;
      				signed short _t16;
      				signed int _t18;
      				int _t20;
      				void* _t22;
      				void* _t25;
      				int _t26;
      				int _t30;
      				signed int _t34;
      				signed int _t35;
      				signed int _t36;
      				signed int _t41;
      				int* _t43;
      				short* _t44;
      				void* _t52;
      
      				 *0x46c740 = 0x409;
      				 *0x46c744 = 9;
      				 *0x46c748 = 1;
      				_t16 = GetThreadLocale();
      				if(_t16 != 0) {
      					 *0x46c740 = _t16;
      				}
      				if(_t16 != 0) {
      					 *0x46c744 = _t16 & 0x3ff;
      					 *0x46c748 = (_t16 & 0x0000ffff) >> 0xa;
      				}
      				memcpy(0x456130, 0x40cec8, 8 << 2);
      				if( *0x4560e8 != 2) {
      					_t18 = GetSystemMetrics(0x4a);
      					__eflags = _t18;
      					 *0x46c74d = _t18 & 0xffffff00 | _t18 != 0x00000000;
      					_t20 = GetSystemMetrics(0x2a);
      					__eflags = _t20;
      					_t35 = _t34 & 0xffffff00 | _t20 != 0x00000000;
      					 *0x46c74c = _t35;
      					__eflags = _t35;
      					if(__eflags != 0) {
      						return E0040CCF8(__eflags, _t52);
      					}
      				} else {
      					_t22 = E0040CD58();
      					if(_t22 != 0) {
      						 *0x46c74d = 0;
      						 *0x46c74c = 0;
      						return _t22;
      					}
      					E0040CCF8(__eflags, _t52);
      					_t41 = 0x20;
      					_t25 = E004036A0(0x456130, 0x20, 0x40cec8);
      					_t36 = _t34 & 0xffffff00 | __eflags != 0x00000000;
      					 *0x46c74c = _t36;
      					__eflags = _t36;
      					if(_t36 != 0) {
      						 *0x46c74d = 0;
      						return _t25;
      					}
      					_t26 = 0x80;
      					_t43 =  &_v156;
      					do {
      						 *_t43 = _t26;
      						_t26 = _t26 + 1;
      						_t43 =  &(_t43[0]);
      						__eflags = _t26 - 0x100;
      					} while (_t26 != 0x100);
      					_v28 =  &_v156;
      					_t30 =  *0x46c740; // 0x409
      					GetStringTypeA(_t30, 2, _v28, 0x80,  &_v414);
      					_t20 = 0x80;
      					_t44 =  &_v414;
      					while(1) {
      						__eflags =  *_t44 - 2;
      						_t41 = _t41 & 0xffffff00 |  *_t44 == 0x00000002;
      						 *0x46c74d = _t41;
      						__eflags = _t41;
      						if(_t41 != 0) {
      							goto L17;
      						}
      						_t44 = _t44 + 2;
      						_t20 = _t20 - 1;
      						__eflags = _t20;
      						if(_t20 != 0) {
      							continue;
      						} else {
      							return _t20;
      						}
      						L18:
      					}
      				}
      				L17:
      				return _t20;
      				goto L18;
      			}

      APIs
      • GetStringTypeA.KERNEL32(00000409,00000002,?,00000080,?), ref: 0040CE6A
      • GetThreadLocale.KERNEL32 ref: 0040CD9A
        • Part of subcall function 0040CCF8: GetCPInfo.KERNEL32(00000000,?), ref: 0040CD11
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: InfoLocaleStringThreadType
      • String ID:
      • API String ID: 1505017576-0
      • Opcode ID: ff4196ebc797769f0df66b777c004e895f58bad5066ceb6ddaa887d45ae9354e
      • Instruction ID: 3d44840dc6829586607fb4aaec7bc2f8aea36e2cb7e8dd38ec3613f972c2eaf6
      • Opcode Fuzzy Hash: ff4196ebc797769f0df66b777c004e895f58bad5066ceb6ddaa887d45ae9354e
      • Instruction Fuzzy Hash: 5531D921540356CAD7209B29ECC177A3794DB11306F84C177E8C5AB3D2EBBC48499B9F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E0041F9B8(intOrPtr __eax, void* __edx) {
      				intOrPtr _v8;
      				void* __ebx;
      				void* __ecx;
      				void* __esi;
      				void* __ebp;
      				intOrPtr _t33;
      				struct HDC__* _t47;
      				intOrPtr _t54;
      				intOrPtr _t58;
      				struct HDC__* _t66;
      				void* _t67;
      				intOrPtr _t76;
      				void* _t81;
      				intOrPtr _t82;
      				intOrPtr _t84;
      				intOrPtr _t86;
      
      				_t84 = _t86;
      				_push(_t67);
      				_v8 = __eax;
      				_t33 = _v8;
      				if( *((intOrPtr*)(_t33 + 0x58)) == 0) {
      					return _t33;
      				} else {
      					E0041DBC0(_v8);
      					_push(_t84);
      					_push(0x41fa97);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t86;
      					E00420CDC( *((intOrPtr*)(_v8 + 0x58)));
      					E0041F834( *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8));
      					_t47 = E00420DDC( *((intOrPtr*)(_v8 + 0x58)));
      					_push(0);
      					L00406B8C();
      					_t66 = _t47;
      					_t81 =  *( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28)) + 8);
      					if(_t81 == 0) {
      						 *((intOrPtr*)(_v8 + 0x5c)) = 0;
      					} else {
      						 *((intOrPtr*)(_v8 + 0x5c)) = SelectObject(_t66, _t81);
      					}
      					_t54 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x58)) + 0x28));
      					_t82 =  *((intOrPtr*)(_t54 + 0x10));
      					if(_t82 == 0) {
      						 *((intOrPtr*)(_v8 + 0x60)) = 0;
      					} else {
      						_push(0xffffffff);
      						_push(_t82);
      						_push(_t66);
      						L00406CB4();
      						 *((intOrPtr*)(_v8 + 0x60)) = _t54;
      						_push(_t66);
      						L00406C8C();
      					}
      					E0041DEB4(_v8, _t66);
      					_t58 =  *0x4566f4; // 0x2130acc
      					E004147A0(_t58, _t66, _t67, _v8, _t82);
      					_pop(_t76);
      					 *[fs:eax] = _t76;
      					_push(0x41fa9e);
      					return E0041DD2C(_v8);
      				}
      			}

      APIs
        • Part of subcall function 0041DBC0: RtlEnterCriticalSection.KERNEL32(0046C8C0,00000000,0041C66E,00000000,0041C6CD), ref: 0041DBC8
        • Part of subcall function 0041DBC0: RtlLeaveCriticalSection.KERNEL32(0046C8C0,0046C8C0,00000000,0041C66E,00000000,0041C6CD), ref: 0041DBD5
        • Part of subcall function 0041DBC0: RtlEnterCriticalSection.KERNEL32(00000038,0046C8C0,0046C8C0,00000000,0041C66E,00000000,0041C6CD), ref: 0041DBDE
        • Part of subcall function 00420DDC: 7378AC50.USER32(00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E32
        • Part of subcall function 00420DDC: 7378AD70.GDI32(00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E47
        • Part of subcall function 00420DDC: 7378AD70.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E51
        • Part of subcall function 00420DDC: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E75
        • Part of subcall function 00420DDC: 7378B380.USER32(00000000,00000000,00000000,?,?,?,?,0041FA0B,00000000,0041FA97), ref: 00420E80
      • 7378A590.GDI32(00000000,00000000,0041FA97), ref: 0041FA0D
      • SelectObject.GDI32(00000000,?), ref: 0041FA26
      • 7378B410.GDI32(00000000,?,000000FF,00000000,00000000,0041FA97), ref: 0041FA4F
      • 7378B150.GDI32(00000000,00000000,?,000000FF,00000000,00000000,0041FA97), ref: 0041FA5B
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: 7378$CriticalSection$Enter$A590B150B380B410CreateHalftoneLeaveObjectPaletteSelect
      • String ID:
      • API String ID: 405406452-0
      • Opcode ID: e0959650a72b03354ff32fc3d5444e8c386ad141c6534e41900f38788add776d
      • Instruction ID: 35ef3e08190a9ff5bd686f966347182a7bbb97e006c82ae2151e81531ae4ef27
      • Opcode Fuzzy Hash: e0959650a72b03354ff32fc3d5444e8c386ad141c6534e41900f38788add776d
      • Instruction Fuzzy Hash: 58314B74A04614EFD704DF59C981D8DB7F5EF48324B6241A6F808AB362C738EE81DB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004455A4(void* __eax, struct HMENU__* __edx, int _a4, int _a8, CHAR* _a12) {
      				intOrPtr _v8;
      				void* __ecx;
      				void* __edi;
      				int _t27;
      				void* _t40;
      				int _t41;
      				int _t50;
      
      				_t50 = _t41;
      				_t49 = __edx;
      				_t40 = __eax;
      				if(E00444C80(__eax) == 0) {
      					return GetMenuStringA(__edx, _t50, _a12, _a8, _a4);
      				}
      				_v8 = 0;
      				if((GetMenuState(__edx, _t50, _a4) & 0x00000010) == 0) {
      					_t27 = GetMenuItemID(_t49, _t50);
      					_t51 = _t27;
      					if(_t27 != 0xffffffff) {
      						_v8 = E00444AFC(_t40, 0, _t51);
      					}
      				} else {
      					_t49 = GetSubMenu(_t49, _t50);
      					_v8 = E00444AFC(_t40, 1, _t37);
      				}
      				if(_v8 == 0) {
      					return 0;
      				} else {
      					 *_a12 = 0;
      					E00408ED8(_a12, _a8,  *((intOrPtr*)(_v8 + 0x30)));
      					return E00408E14(_a12, _t49);
      				}
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Menu$ItemStateString
      • String ID:
      • API String ID: 306270399-0
      • Opcode ID: d9e7d2fa38968ba48c10af4f3e814f37bc868931b1b83d2fc6c5c74a27963b5a
      • Instruction ID: 29390b67ace43ebf1ee8fce533e5fe0616fb3428684336a69edf6ebe99dee729
      • Opcode Fuzzy Hash: d9e7d2fa38968ba48c10af4f3e814f37bc868931b1b83d2fc6c5c74a27963b5a
      • Instruction Fuzzy Hash: 3C11B431601104AFEB00EF6ECC81AAF77E89F49364B11443BF809D7382D6789D0197A8
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E0041B0BC(intOrPtr _a4, short _a6, intOrPtr _a8) {
      				struct _WNDCLASSA _v44;
      				struct HINSTANCE__* _t6;
      				CHAR* _t8;
      				struct HINSTANCE__* _t9;
      				int _t10;
      				void* _t11;
      				struct HINSTANCE__* _t13;
      				struct HINSTANCE__* _t19;
      				CHAR* _t20;
      				struct HWND__* _t22;
      				CHAR* _t24;
      
      				_t6 =  *0x46c664; // 0x400000
      				 *0x456424 = _t6;
      				_t8 =  *0x456438; // 0x41b0ac
      				_t9 =  *0x46c664; // 0x400000
      				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
      				asm("sbb eax, eax");
      				_t11 = _t10 + 1;
      				if(_t11 == 0 || L00406D94 != _v44.lpfnWndProc) {
      					if(_t11 != 0) {
      						_t19 =  *0x46c664; // 0x400000
      						_t20 =  *0x456438; // 0x41b0ac
      						UnregisterClassA(_t20, _t19);
      					}
      					RegisterClassA(0x456414);
      				}
      				_t13 =  *0x46c664; // 0x400000
      				_t24 =  *0x456438; // 0x41b0ac
      				_t22 = E004072A4(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
      				if(_a6 != 0) {
      					SetWindowLongA(_t22, 0xfffffffc, E0041AFC8(_a4, _a8));
      				}
      				return _t22;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Class$InfoLongRegisterUnregisterWindow
      • String ID:
      • API String ID: 4025006896-0
      • Opcode ID: 65a8823dedcaee43c068c569328772e78566eb564f3da72f409e3bf9a6670b23
      • Instruction ID: fb1c92636078c9e7fef26b9de8bbd366fb6f0dd97c6ad16b06dfa19d866604bf
      • Opcode Fuzzy Hash: 65a8823dedcaee43c068c569328772e78566eb564f3da72f409e3bf9a6670b23
      • Instruction Fuzzy Hash: 49015E717042046BCB00EBA9DC91FAB77A8E709714F514136F944E73D2D7B9E88087AE
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E00416AD8(void* __eax, struct HINSTANCE__* __edx, CHAR* _a4) {
      				CHAR* _v8;
      				void* __ebx;
      				void* __ecx;
      				void* __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t18;
      				void* _t23;
      				CHAR* _t24;
      				void* _t25;
      				struct HRSRC__* _t29;
      				void* _t30;
      				struct HINSTANCE__* _t31;
      				void* _t32;
      
      				_v8 = _t24;
      				_t31 = __edx;
      				_t23 = __eax;
      				_t29 = FindResourceA(__edx, _v8, _a4);
      				 *(_t23 + 0x10) = _t29;
      				_t33 = _t29;
      				if(_t29 == 0) {
      					E00416A68(_t23, _t24, _t29, _t31, _t33, _t32);
      					_pop(_t24);
      				}
      				_t5 = _t23 + 0x10; // 0x416b7c
      				_t30 = LoadResource(_t31,  *_t5);
      				 *(_t23 + 0x14) = _t30;
      				_t34 = _t30;
      				if(_t30 == 0) {
      					E00416A68(_t23, _t24, _t30, _t31, _t34, _t32);
      				}
      				_t7 = _t23 + 0x10; // 0x416b7c
      				_push(SizeofResource(_t31,  *_t7));
      				_t8 = _t23 + 0x14; // 0x416834
      				_t18 = LockResource( *_t8);
      				_pop(_t25);
      				return E004167F4(_t23, _t25, _t18);
      			}

      APIs
      • FindResourceA.KERNEL32(?,?,?), ref: 00416AEF
      • LoadResource.KERNEL32(?,00416B7C,?,?,?,004128F4,?,00000001,00000000,?,00416A48,?), ref: 00416B09
      • SizeofResource.KERNEL32(?,00416B7C,?,00416B7C,?,?,?,004128F4,?,00000001,00000000,?,00416A48,?), ref: 00416B23
      • LockResource.KERNEL32(00416834,00000000,?,00416B7C,?,00416B7C,?,?,?,004128F4,?,00000001,00000000,?,00416A48,?), ref: 00416B2D
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp Download File
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: Resource$FindLoadLockSizeof
      • String ID:
      • API String ID: 3473537107-0
      • Opcode ID: 6a27572a77ce4460648f0347f59ec7365a5485df1365e26926fc3b4399cc33b3
      • Instruction ID: 0b38a6c94698065b639f5a13b8d2cd30a2826db5d62cbc47659f0318ffa6b0ce
      • Opcode Fuzzy Hash: 6a27572a77ce4460648f0347f59ec7365a5485df1365e26926fc3b4399cc33b3
      • Instruction Fuzzy Hash: A5F06DB26052146F8704EF5DA881DAB77ECDE89364312406FF908E7246DA39ED518778
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0042F36C(struct HWND__* __eax, void* __ecx) {
      				intOrPtr _t9;
      				signed int _t16;
      				struct HWND__* _t19;
      				DWORD* _t20;
      
      				_t17 = __ecx;
      				_push(__ecx);
      				_t19 = __eax;
      				_t16 = 0;
      				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t20) != 0 && GetCurrentProcessId() ==  *_t20) {
      					_t9 =  *0x46cab4; // 0x2130dd0
      					if(GlobalFindAtomA(E00404D98(_t9)) !=  *0x46cab0) {
      						_t16 = 0 | E0042E458(_t19, _t17) != 0x00000000;
      					} else {
      						_t16 = 0 | GetPropA(_t19,  *0x46cab0 & 0x0000ffff) != 0x00000000;
      					}
      				}
      				return _t16;
      			}

      APIs
      • GetWindowThreadProcessId.USER32(00000000), ref: 0042F379
      • GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,0042F3E4,0042F1A6,0046CAE8,00000000,0042EF96,?,-0000000C,?), ref: 0042F382
      • GlobalFindAtomA.KERNEL32 ref: 0042F397
      • GetPropA.USER32 ref: 0042F3AE
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
      • String ID:
      • API String ID: 2582817389-0
      • Opcode ID: bd4dccc231e7a156dd943c8e9573dd240920f96161fe8e4c8733a3906d6e44d3
      • Instruction ID: ec4a4ca0e8c4c05d345d100ee6c3ded6005090fb8512e15eb515f1930f6a062b
      • Opcode Fuzzy Hash: bd4dccc231e7a156dd943c8e9573dd240920f96161fe8e4c8733a3906d6e44d3
      • Instruction Fuzzy Hash: 06F0A75130153257D610F7B67D8197F11AC9D007583C1403BFC45D2141F72CCC65557E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E0042E48C(struct HWND__* __eax, void* __ecx) {
      				intOrPtr _t5;
      				struct HWND__* _t12;
      				void* _t15;
      				DWORD* _t16;
      
      				_t13 = __ecx;
      				_push(__ecx);
      				_t12 = __eax;
      				_t15 = 0;
      				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
      					_t5 =  *0x46cab8; // 0x2130dec
      					if(GlobalFindAtomA(E00404D98(_t5)) !=  *0x46cab2) {
      						_t15 = E0042E458(_t12, _t13);
      					} else {
      						_t15 = GetPropA(_t12,  *0x46cab2 & 0x0000ffff);
      					}
      				}
      				return _t15;
      			}

      APIs
      • GetWindowThreadProcessId.USER32(00000000), ref: 0042E499
      • GetCurrentProcessId.KERNEL32(?,?,00000000,004510CB,?,?,x\E,00000001,00451237,?,?,?,x\E), ref: 0042E4A2
      • GlobalFindAtomA.KERNEL32 ref: 0042E4B7
      • GetPropA.USER32 ref: 0042E4CE
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
      • String ID:
      • API String ID: 2582817389-0
      • Opcode ID: eeeeee73f040e9cc297949374c521227171f641d2d78d384168de90721fc0dc8
      • Instruction ID: ab76534a09e0502dd299d528c4f4e87d9cd86b64d32762fae521777a54fee2b0
      • Opcode Fuzzy Hash: eeeeee73f040e9cc297949374c521227171f641d2d78d384168de90721fc0dc8
      • Instruction Fuzzy Hash: 32F01CA130023566D620B7B77D8593B218C8A047A8346093BFD42E6646E63C9C41C3BD
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0044FC18(void* __ecx) {
      				void* _t2;
      				DWORD* _t7;
      
      				_t2 =  *0x46cb44; // 0x2131268
      				if( *((char*)(_t2 + 0xa5)) == 0) {
      					if( *0x46cb5c == 0) {
      						_t2 = SetWindowsHookExA(3, E0044FBD4, 0, GetCurrentThreadId());
      						 *0x46cb5c = _t2;
      					}
      					if( *0x46cb58 == 0) {
      						_t2 = CreateEventA(0, 0, 0, 0);
      						 *0x46cb58 = _t2;
      					}
      					if( *0x46cb60 == 0) {
      						_t2 = CreateThread(0, 0x3e8, E0044FB78, 0, 0, _t7);
      						 *0x46cb60 = _t2;
      					}
      				}
      				return _t2;
      			}

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 0044FC30
      • SetWindowsHookExA.USER32 ref: 0044FC40
      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0044FC5B
      • CreateThread.KERNEL32 ref: 0044FC7F
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CreateThread$CurrentEventHookWindows
      • String ID:
      • API String ID: 1195359707-0
      • Opcode ID: 4310e3e639845a6ed95bccf027b28d5125fe035c2a7b7a7426f9743de2072eb5
      • Instruction ID: 93b0bc1b4b7117c742403f29caa34a7babcff3da54cd75ea2c12038411043938
      • Opcode Fuzzy Hash: 4310e3e639845a6ed95bccf027b28d5125fe035c2a7b7a7426f9743de2072eb5
      • Instruction Fuzzy Hash: 9BF0D0B0A84384AEF6106B61FC97F363694A315F16F50013BF5856A5D1D3F928448A5E
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0040722C(void* __eax, int __ecx, long __edx) {
      				void* _t2;
      				void* _t4;
      
      				_t2 = GlobalHandle(__eax);
      				GlobalUnWire(_t2);
      				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
      				GlobalFix(_t4);
      				return _t4;
      			}

      APIs
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Global$AllocHandleWire
      • String ID:
      • API String ID: 2210401237-0
      • Opcode ID: 357638971d4e1e95c2bffc47e8f25dec32ee20177e9caf823c5294cde820cf1d
      • Instruction ID: 596118dcadbed1dba26da45d5b86c902fdabe78314c020c3ca3f33bfbcf0cddf
      • Opcode Fuzzy Hash: 357638971d4e1e95c2bffc47e8f25dec32ee20177e9caf823c5294cde820cf1d
      • Instruction Fuzzy Hash: 00B008D4A1060228E804B7F24C0AD3B045C988A6583A2896F340BF2082997DA821083A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E00444DF8(intOrPtr __eax, void* __ecx, void* __edx) {
      				char _v8;
      				signed short _v10;
      				intOrPtr _v16;
      				char _v17;
      				char _v24;
      				intOrPtr _t34;
      				intOrPtr _t40;
      				intOrPtr _t42;
      				intOrPtr _t48;
      				void* _t51;
      				void* _t53;
      				void* _t56;
      				void* _t59;
      				intOrPtr _t65;
      				intOrPtr _t68;
      				void* _t70;
      				void* _t72;
      				intOrPtr _t73;
      
      				_t53 = __ecx;
      				_t70 = _t72;
      				_t73 = _t72 + 0xffffffec;
      				_t51 = __edx;
      				_v16 = __eax;
      				_v10 =  *((intOrPtr*)(__edx + 4));
      				if(_v10 == 0) {
      					return 0;
      				} else {
      					if(GetKeyState(0x10) < 0) {
      						_v10 = _v10 + 0x2000;
      					}
      					if(GetKeyState(0x11) < 0) {
      						_v10 = _v10 + 0x4000;
      					}
      					if(( *(_t51 + 0xb) & 0x00000020) != 0) {
      						_v10 = _v10 + 0x8000;
      					}
      					_v24 =  *((intOrPtr*)(_v16 + 0x34));
      					_t34 =  *0x46cb38; // 0x2130da8
      					E00422AB0(_t34, _t53,  &_v24);
      					_push(_t70);
      					_push(0x444ef6);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t73;
      					while(1) {
      						_v17 = 0;
      						_v8 = E00444AFC(_v16, 2, _v10 & 0x0000ffff);
      						if(_v8 != 0) {
      							break;
      						}
      						if(_v24 == 0 || _v17 != 2) {
      							_pop(_t65);
      							_pop(_t56);
      							 *[fs:eax] = _t65;
      							_push(0x444efd);
      							_t40 =  *0x46cb38; // 0x2130da8
      							return E00422A9C(_t40, _t56);
      						} else {
      							continue;
      						}
      						goto L14;
      					}
      					_t42 =  *0x46cb38; // 0x2130da8
      					E00422AB0(_t42, 2,  &_v8);
      					_push(_t70);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t73;
      					_v17 = E00444CA4( &_v8, 0, _t70);
      					_pop(_t68);
      					_t59 = 0x444ecb;
      					 *[fs:eax] = _t68;
      					_push(0x444ed2);
      					_t48 =  *0x46cb38; // 0x2130da8
      					return E00422A9C(_t48, _t59);
      				}
      				L14:
      			}

      APIs
      • GetKeyState.USER32(00000010), ref: 00444E1C
      • GetKeyState.USER32(00000011), ref: 00444E2E
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: State
      • String ID:
      • API String ID: 1649606143-3916222277
      • Opcode ID: 57dcf362e4ab221c7bb070aeb9e2dfd0eb6fcbb3e6f05373a2f46180ed37068e
      • Instruction ID: a34dd930d581866ba378d7c391865ff70932b34d003deb91ea8551dd1e72d0d4
      • Opcode Fuzzy Hash: 57dcf362e4ab221c7bb070aeb9e2dfd0eb6fcbb3e6f05373a2f46180ed37068e
      • Instruction Fuzzy Hash: 77310A70A04204EFFB11DBA5D9427ADB7F5FF88304F6184B7E804A6691E7B85E00C669
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 76%
      			E0042B6DC(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
      				char _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				char _v24;
      				char _v28;
      				char _v32;
      				void* _t33;
      				long _t46;
      				CHAR* _t48;
      				void* _t55;
      				intOrPtr _t67;
      				void* _t74;
      				char _t76;
      				void* _t79;
      
      				_t74 = __edi;
      				_t78 = _t79;
      				_push(__ebx);
      				_push(__esi);
      				_v32 = 0;
      				_v8 = 0;
      				_v12 = 0;
      				_t76 = __edx;
      				_t55 = __eax;
      				_push(_t79);
      				_push(0x42b7d4);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t79 + 0xffffffe4;
      				_t81 = __edx;
      				if(__edx == 0) {
      					E0040BEC0(0x42b27c, 1);
      					E004042EC();
      				}
      				_v28 = _t76;
      				_v24 = 0xb;
      				E0042B428(_t55, _t55,  &_v32, 0, _t74, _t76);
      				_v20 = _v32;
      				_v16 = 0xb;
      				E00409534("IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")", 1,  &_v28,  &_v8);
      				_t33 = E0042BD6C(_t55, _t74, _t78, _t81);
      				_t82 = _t33;
      				if(_t33 != 0) {
      					E0042B428(_t55, _t55,  &_v12, 0, _t74, _t76);
      					if(E0042BCC4(_t55, _t55, _v8, 1, _t76, _t82, 0) != 0 && _v12 != 0) {
      						 *((char*)(_t55 + 0x10)) = 1;
      						E0040492C(_t55 + 0x14, _v8);
      						_t46 = E00404D98(_v8);
      						_t48 = E00404D98(_v12);
      						WinHelpA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x1c)))) + 0xc))(), _t48, 0x102, _t46);
      					}
      				}
      				_pop(_t67);
      				 *[fs:eax] = _t67;
      				_push(0x42b7db);
      				E004048D8( &_v32);
      				return E004048FC( &_v12, 2);
      			}

      APIs
      Strings
      • 46B, xrefs: 0042B70C
      • IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")"), xrefs: 0042B744
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Help
      • String ID: 46B$IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
      • API String ID: 2830496658-3676487480
      • Opcode ID: f30cd33fcecd5fff5826f94becaec5fd193364c59777153f40291d9772b23aee
      • Instruction ID: dd00c1cbc605c0e2dcb93fa119999c8a3e19719274b4001bda3df1dda97c3485
      • Opcode Fuzzy Hash: f30cd33fcecd5fff5826f94becaec5fd193364c59777153f40291d9772b23aee
      • Instruction Fuzzy Hash: 8E315874B002149BDB04EFA5D88169EB7B5EF88304F90447AF904E7392D77C9E45CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 67%
      			E00451C04(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _v8;
      				char _v9;
      				char _v16;
      				char _v20;
      				intOrPtr _t36;
      				long _t41;
      				intOrPtr _t52;
      				intOrPtr _t66;
      				intOrPtr* _t67;
      				intOrPtr _t68;
      				void* _t74;
      				void* _t75;
      				intOrPtr _t76;
      
      				_t72 = __esi;
      				_t71 = __edi;
      				_t74 = _t75;
      				_t76 = _t75 + 0xfffffff0;
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_v16 = 0;
      				_v20 = 0;
      				_v8 = __eax;
      				_push(_t74);
      				_push(0x451d14);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t76;
      				_t56 = E00451B8C(_v8);
      				if( *((char*)(_v8 + 0x88)) != 0) {
      					_t52 = _v8;
      					_t79 =  *((intOrPtr*)(_t52 + 0x48));
      					if( *((intOrPtr*)(_t52 + 0x48)) == 0) {
      						E0045215C(_v8);
      					}
      				}
      				E0044FACC(_t56,  &_v20);
      				E0042E710(_v20, 0,  &_v16, _t79);
      				_t36 =  *0x46cb44; // 0x2131268
      				E00451DC4(_t36, _v16, _t79);
      				_v9 = 1;
      				_push(_t74);
      				_push(0x451cbb);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t76;
      				if( *((short*)(_v8 + 0x102)) != 0) {
      					_t56 = _v8;
      					 *((intOrPtr*)(_v8 + 0x100))();
      				}
      				if(_v9 != 0) {
      					E00451B28();
      				}
      				_pop(_t66);
      				 *[fs:eax] = _t66;
      				_t41 = GetCurrentThreadId();
      				_t67 =  *0x46b7e0; // 0x46c030
      				if(_t41 ==  *_t67 && E00419D80(0, _t56, _t71, _t72) != 0) {
      					_v9 = 0;
      				}
      				if(_v9 != 0) {
      					WaitMessage();
      				}
      				_pop(_t68);
      				 *[fs:eax] = _t68;
      				_push(E00451D1B);
      				return E004048FC( &_v20, 2);
      			}

      APIs
        • Part of subcall function 00451B8C: GetCursorPos.USER32 ref: 00451B95
      • GetCurrentThreadId.KERNEL32 ref: 00451CD0
      • WaitMessage.USER32(00000000,00451D14,?,?,?,x\E), ref: 00451CF4
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CurrentCursorMessageThreadWait
      • String ID: x\E
      • API String ID: 535285469-3038463933
      • Opcode ID: bda62915008294426a8313eec69679c70752f4d17d9967ccd1e74079feed9952
      • Instruction ID: 1980c15cd4779aa1eba605ecaa57160827e8da7623af86700927e987b67b0f25
      • Opcode Fuzzy Hash: bda62915008294426a8313eec69679c70752f4d17d9967ccd1e74079feed9952
      • Instruction Fuzzy Hash: B431B530A04244AFDB02DF64C886BEEB7F5EB45304F6144B6EC00973A2D7796E48CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 72%
      			E0040A3E4(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
      				char _v8;
      				short _v18;
      				short _v22;
      				struct _SYSTEMTIME _v24;
      				char _v280;
      				char* _t32;
      				intOrPtr* _t49;
      				intOrPtr _t58;
      				void* _t63;
      				void* _t67;
      
      				_v8 = 0;
      				_t49 = __edx;
      				_t63 = __eax;
      				_push(_t67);
      				_push(0x40a4c2);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t67 + 0xfffffeec;
      				E004048D8(__edx);
      				_v24 =  *((intOrPtr*)(_a4 - 0xe));
      				_v22 =  *((intOrPtr*)(_a4 - 0x10));
      				_v18 =  *((intOrPtr*)(_a4 - 0x12));
      				if(_t63 > 2) {
      					E00404970( &_v8, 0x40a4e4);
      				} else {
      					E00404970( &_v8, 0x40a4d8);
      				}
      				_t32 = E00404D98(_v8);
      				if(GetDateFormatA(GetThreadLocale(), 4,  &_v24, _t32,  &_v280, 0x100) != 0) {
      					E00404B48(_t49, 0x100,  &_v280);
      					if(_t63 == 1 &&  *((char*)( *_t49)) == 0x30) {
      						E00404DF8( *_t49, E00404B98( *_t49) - 1, 2, _t49);
      					}
      				}
      				_pop(_t58);
      				 *[fs:eax] = _t58;
      				_push(E0040A4C9);
      				return E004048D8( &_v8);
      			}

      APIs
      • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040A4C2), ref: 0040A46A
      • GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040A4C2), ref: 0040A470
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: DateFormatLocaleThread
      • String ID: yyyy
      • API String ID: 3303714858-3145165042
      • Opcode ID: a51e60f97f6dfb4d9ba8fec048f3a54f96249a7e51ba37e147abddd4d55202b8
      • Instruction ID: 41ef5c40b37fe4040f877edef11354f3dbc1f78a115f05ff9b520fa3e4740024
      • Opcode Fuzzy Hash: a51e60f97f6dfb4d9ba8fec048f3a54f96249a7e51ba37e147abddd4d55202b8
      • Instruction Fuzzy Hash: BF217478610208ABD710FBA9C846AAE73B8EF49700F514477F905F7392D7789E10876A
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E00420F3C(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _t62;
      				intOrPtr _t64;
      				intOrPtr _t67;
      				void* _t77;
      				void* _t78;
      				intOrPtr _t79;
      				intOrPtr _t80;
      
      				_t77 = _t78;
      				_t79 = _t78 + 0xfffffff8;
      				_v8 = __eax;
      				_v12 = E00403B34(1);
      				_push(_t77);
      				_push(0x420fc3);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t79;
      				 *((intOrPtr*)(_v12 + 8)) = __edx;
      				 *((intOrPtr*)(_v12 + 0x10)) = __ecx;
      				memcpy(_v12 + 0x18, _a12, 0x15 << 2);
      				_t80 = _t79 + 0xc;
      				 *((char*)(_v12 + 0x70)) = _a8;
      				if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
      					 *((intOrPtr*)(_v12 + 0x14)) =  *((intOrPtr*)(_v12 + 8));
      				}
      				_t62 =  *0x41282c; // 0x412878
      				 *((intOrPtr*)(_v12 + 0x6c)) = E00403D20(_a4, _t62);
      				_pop(_t64);
      				 *[fs:eax] = _t64;
      				_push(0x46c8a8);
      				L0040698C();
      				_push(_t77);
      				_push(0x421023);
      				_push( *[fs:edx]);
      				 *[fs:edx] = _t80;
      				E0041FAA8( *((intOrPtr*)(_v8 + 0x28)));
      				 *((intOrPtr*)(_v8 + 0x28)) = _v12;
      				E0041FAA4(_v12);
      				_pop(_t67);
      				 *[fs:eax] = _t67;
      				_push(0x42102a);
      				_push(0x46c8a8);
      				L00406AB4();
      				return 0;
      			}

      APIs
      • RtlEnterCriticalSection.KERNEL32(0046C8A8), ref: 00420FDF
      • RtlLeaveCriticalSection.KERNEL32(0046C8A8,0042102A,0046C8A8), ref: 0042101D
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalSection$EnterLeave
      • String ID: x(A
      • API String ID: 3168844106-4179967830
      • Opcode ID: f2394203cef6deed8e9781c26f3ca885a14d1ab4659fce53e8882b0c9a2edba2
      • Instruction ID: e7d00248bd746318a9e501f5848ec07b37d651030300d9f6c40ecd5797afd9da
      • Opcode Fuzzy Hash: f2394203cef6deed8e9781c26f3ca885a14d1ab4659fce53e8882b0c9a2edba2
      • Instruction Fuzzy Hash: 8C21A175A04304EFC715DF69D881889BBF5FF4C320B6281A6F804A7761D774AE80CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0040F684(signed short* __eax, void* __ecx, intOrPtr* __edx) {
      				intOrPtr* _v16;
      				void* _t15;
      				signed short* _t23;
      				signed short _t34;
      				intOrPtr* _t35;
      				void* _t36;
      
      				_t12 = __eax;
      				_push(__ecx);
      				_t35 = __edx;
      				_t23 = __eax;
      				if(( *__eax & 0x0000bfe8) != 0) {
      					_t12 = E0040F378(__eax, __ecx);
      				}
      				_t34 =  *_t35;
      				if(_t34 >= 0x14) {
      					if(_t34 != 0x100) {
      						if(_t34 != 0x101) {
      							if((_t34 & 0x00002000) == 0) {
      								if(E00410DE0(_t34, _t36) == 0) {
      									_push(_t35);
      									_push(_t23);
      									L0040DE70();
      									_t15 = E0040F0C8(_t14);
      								} else {
      									_t15 =  *((intOrPtr*)( *_v16 + 0x28))(0);
      								}
      							} else {
      								_t15 = E0040F49C(_t23, E0040F67C, _t35);
      							}
      						} else {
      							 *_t23 = _t34;
      							_t23[4] =  *(_t35 + 8);
      							_t15 =  *0x46c818();
      						}
      					} else {
      						 *_t23 = 0x100;
      						_t23[4] = 0;
      						_t15 = E0040492C( &(_t23[4]),  *(_t35 + 8));
      					}
      				} else {
      					_push(_t35);
      					_push(_t23);
      					L0040DE70();
      					_t15 = E0040F0C8(_t12);
      				}
      				return _t15;
      			}

      APIs
      • VariantCopy.OLEAUT32(?), ref: 0040F6A5
        • Part of subcall function 0040F378: VariantClear.OLEAUT32(?), ref: 0040F387
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Variant$ClearCopy
      • String ID: 0@
      • API String ID: 274517740-11155133
      • Opcode ID: 901ba4050afa846b531fb92995a7012233c6f5c98ce241cb068a0ba5da9e162e
      • Instruction ID: a9f673ec4e3867c900f9095e13f01d70f45f13cb5d0ed7ecd11107d5c8b13ea3
      • Opcode Fuzzy Hash: 901ba4050afa846b531fb92995a7012233c6f5c98ce241cb068a0ba5da9e162e
      • Instruction Fuzzy Hash: DB11737071020086D730AB79C8C596B37D69F55750710847BE84AABBE6EA3D8C4EC29F
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E004319D8(void* __eflags, intOrPtr _a4) {
      				char _v5;
      				struct tagRECT _v21;
      				struct tagRECT _v40;
      				void* _t40;
      				void* _t41;
      				void* _t46;
      
      				_v5 = 1;
      				_t45 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198));
      				_t46 = E00414500( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x30)) + 0x198)),  *((intOrPtr*)(_a4 - 4)));
      				if(_t46 <= 0) {
      					L5:
      					_v5 = 0;
      				} else {
      					do {
      						_t46 = _t46 - 1;
      						_t40 = E0041449C(_t45, _t41, _t46);
      						if( *((char*)(_t40 + 0x57)) == 0 || ( *(_t40 + 0x50) & 0x00000040) == 0) {
      							goto L4;
      						} else {
      							E00430FBC(_t40,  &_v40);
      							IntersectRect( &_v21, _a4 + 0xffffffec,  &_v40);
      							if(EqualRect( &_v21, _a4 + 0xffffffec) == 0) {
      								goto L4;
      							}
      						}
      						goto L6;
      						L4:
      					} while (_t46 > 0);
      					goto L5;
      				}
      				L6:
      				return _v5;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Rect$EqualIntersect
      • String ID: @
      • API String ID: 3291753422-2766056989
      • Opcode ID: 17dc53796a11454fd283070864220aafaefdc98c5cce647465ed30848da75b52
      • Instruction ID: 0c23c5d8f50bc41c6a8c4c58a0061586654f1de2fc749c42e96462fc5faf14e9
      • Opcode Fuzzy Hash: 17dc53796a11454fd283070864220aafaefdc98c5cce647465ed30848da75b52
      • Instruction Fuzzy Hash: 37119E31A082485BC711EAACC884BDFBBE89F49318F041296FD45EB392D779ED058BD4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0043554C(void* __eax, struct HWND__* __edx) {
      				void* _t8;
      				intOrPtr* _t15;
      				intOrPtr* _t16;
      				void* _t21;
      
      				_t8 = __eax;
      				_t26 = __edx;
      				_t21 = __eax;
      				if( *((intOrPtr*)(__eax + 0x30)) != 0 || __edx ==  *((intOrPtr*)(__eax + 0x190))) {
      					return _t8;
      				} else {
      					if( *(__eax + 0x180) == 0 ||  *((intOrPtr*)(__eax + 0x190)) == 0 || __edx == 0) {
      						E00435370(_t21);
      						 *((intOrPtr*)(_t21 + 0x190)) = _t26;
      					} else {
      						 *((intOrPtr*)(__eax + 0x190)) = __edx;
      						SetParent( *(__eax + 0x180), __edx);
      						_t15 =  *0x46b51c; // 0x4560ec
      						if( *_t15 >= 5) {
      							_t16 =  *0x46b7d8; // 0x4560e8
      							if( *_t16 == 2) {
      								_t22 = E00407294();
      								E004327D0(_t21, _t18, 0x127, 0);
      							}
      						}
      					}
      					return E0043550C(_t21, _t22);
      				}
      			}

      APIs
      • SetParent.USER32(00000000,?), ref: 00435584
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Parent
      • String ID: `E$`E
      • API String ID: 975332729-35721615
      • Opcode ID: bcc76bfe79e0af29d0d0b8c4d1a1054c4536df2f976b241fb5e821ae6da15613
      • Instruction ID: bd3ac4c1ba2bc167184f8ca1fd455883657692258f444596a03bac936f5c7f56
      • Opcode Fuzzy Hash: bcc76bfe79e0af29d0d0b8c4d1a1054c4536df2f976b241fb5e821ae6da15613
      • Instruction Fuzzy Hash: 41016231601610EFCB11AE59D8857D632A6AB0D304F0420BBFC098F39ED77CAC80CBA9
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 79%
      			E00413574(void* __edx) {
      				void* _t5;
      				void* _t15;
      				void* _t20;
      				void* _t25;
      				void* _t26;
      				void* _t27;
      				void* _t28;
      
      				_t20 = __edx;
      				if(__edx != 0) {
      					_t28 = _t28 + 0xfffffff0;
      					_t5 = E00403E84(_t5, _t27);
      				}
      				_t25 = _t5;
      				E00403B34(0);
      				 *((intOrPtr*)(_t25 + 4)) = E00403B34(1);
      				_t2 = _t25 + 8; // 0x8
      				L00406AAC();
      				_t26 = E00413244(1);
      				_t3 = _t25 + 4; // 0x6f724767
      				E0041432C( *_t3, _t26);
      				 *((char*)(_t26 + 0x10)) = 1;
      				_t15 = _t25;
      				if(_t20 != 0) {
      					E00403EDC(_t15);
      					_pop( *[fs:0x0]);
      				}
      				return _t25;
      			}

      APIs
      • RtlInitializeCriticalSection.KERNEL32(00413164,?,?,?,0041B2A0,00000000,0041B2D5), ref: 004135A3
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalInitializeSection
      • String ID: l!A$|"A
      • API String ID: 32694325-2899034366
      • Opcode ID: 8bfe72c10527b8fcb87838f656818a66442e041598523e2b63ebf129f7185b4b
      • Instruction ID: b5653a2fdad01d25805d5684c93c12ebe3ebb02982ab7b9587c7369316a70ecd
      • Opcode Fuzzy Hash: 8bfe72c10527b8fcb87838f656818a66442e041598523e2b63ebf129f7185b4b
      • Instruction Fuzzy Hash: 35F04C7230044057C200EF6BD8419C6B796AB8435E704433AF414C7352DB3EAE19C79D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E004146D0(void* __edx) {
      				void* _t4;
      				void* _t10;
      				void* _t14;
      				void* _t17;
      				void* _t18;
      				void* _t19;
      
      				_t14 = __edx;
      				if(__edx != 0) {
      					_t19 = _t19 + 0xfffffff0;
      					_t4 = E00403E84(_t4, _t18);
      				}
      				_t17 = _t4;
      				E00403B34(0);
      				_t1 = _t17 + 8; // 0x8
      				L00406AAC();
      				 *((intOrPtr*)(_t17 + 4)) = E00403B34(1);
      				 *((char*)(_t17 + 0x20)) = 0;
      				_t10 = _t17;
      				if(_t14 != 0) {
      					E00403EDC(_t10);
      					_pop( *[fs:0x0]);
      				}
      				return _t17;
      			}

      APIs
      • RtlInitializeCriticalSection.KERNEL32(List("A,?,?,0041B2B1,00000000,0041B2D5), ref: 004146EF
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: CriticalInitializeSection
      • String ID: List("A$l!A
      • API String ID: 32694325-1265613299
      • Opcode ID: e081b473b517f62180d7d093f4878058e877d4aa2b6bc7593a77c4fec118e156
      • Instruction ID: 616c3f2682f2cb3120da7a3172976fd79dc99a96586760d1b5ec0ee586db442d
      • Opcode Fuzzy Hash: e081b473b517f62180d7d093f4878058e877d4aa2b6bc7593a77c4fec118e156
      • Instruction Fuzzy Hash: 9BE0E5327019904BC210EBAA8841782BB995F4576DF04423AE499D7392E73E99148799
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E00452118(int __eax) {
      				int _t4;
      				int _t11;
      
      				_t4 = __eax;
      				_t11 = __eax;
      				_t12 =  *((intOrPtr*)(__eax + 0x84));
      				if( *((intOrPtr*)(__eax + 0x84)) != 0) {
      					_t4 = E0043811C(_t12);
      					if(_t4 != 0) {
      						_t4 = IsWindowVisible(E00437E18( *((intOrPtr*)(_t11 + 0x84))));
      						if(_t4 != 0) {
      							return ShowWindow(E00437E18( *((intOrPtr*)(_t11 + 0x84))), 0);
      						}
      					}
      				}
      				return _t4;
      			}

      APIs
      • IsWindowVisible.USER32(00000000), ref: 0045213D
      • ShowWindow.USER32(00000000,00000000,?,x\E,0045216C,00000000,00451157,?,?,x\E,00000001,00451217,?,?,?,x\E), ref: 00452154
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.517491418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.517475659.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.517662756.0000000000456000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517674694.0000000000457000.00000008.00020000.sdmp
      • Associated: 00000001.00000002.517702955.000000000046C000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.517717518.0000000000472000.00000002.00020000.sdmp
      Similarity
      • API ID: Window$ShowVisible
      • String ID: x\E
      • API String ID: 4185057100-3038463933
      • Opcode ID: 8b06018b71a16caa83c307a1844df62f42d433eadb93740cbd5351fe5b4a89e9
      • Instruction ID: eff622d76f7b8421fe9a83d7948c9e605a1d7e45f0cdb8e735be1413d0ef876d
      • Opcode Fuzzy Hash: 8b06018b71a16caa83c307a1844df62f42d433eadb93740cbd5351fe5b4a89e9
      • Instruction Fuzzy Hash: ECE04F6174061157DA106A668E8375713485F05755F0404FBBE54EF347CA6C9C014BF9
      Uniqueness

      Uniqueness Score: -1.00%